 lordpufferComfortably NumbPremium join:2004-09-19 Rio Rancho, NM kudos:1
"Update Your Browser" Not a PayPal Phishing Email
I received a phishing email this morning that I confirmed with PayPal. It seems that PayPal users are getting an email addressed to their first and last name telling them that their Browser is insecure, and that they need to update their Browser. There is a link to do so.
The scary thing about this email is that all of the links have dark green "Web of Trust" circles next to them. The email is from paypal@info.paypal.com. This is a phishing attempt, so DO NOT CLICK ON ANY LINKS. -- If you need a re-format, just ask and I'll do it. If you don't need one, just give me 5 minutes with your computer, and you will. |
|
|
|
 | Re: PayPal Phishing Email....Update Your Browser
Headers or it didn't happen.
/kidding 
Seriously, why don't you submit it to the Phish Tracker. Instructions and link here: »Submitting to the Phish Tracker
-Jim |
|
 lordpufferComfortably NumbPremium join:2004-09-19 Rio Rancho, NM kudos:1 | Thanks....I will. I just wanted to make sure that others saw the post in case they run across this email. |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | reply to lordpuffer Again, this is a LEGITIMATE email. Assuming you asked "Sarah" and that's how you "confirmed" it was a phish?
Show the full headers from the email you received, just to be sure.
»cms.paypal.com/cgi-bin/marketing···otection |
|
 lordpufferComfortably NumbPremium join:2004-09-19 Rio Rancho, NM kudos:1
| No, I called PayPal and VERIFIED with them that this is a Phishing Attempt. Not sure how to show Full Headers for Gmail. BTW, my Browser is the latest version of Chrome. -- If you need a re-format, just ask and I'll do it. If you don't need one, just give me 5 minutes with your computer, and you will. |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | reply to Sparrow
Backing up my post:
From PayPal Wed Jun 8 15:06:43 2011
X-Apparently-To: xxxxxxxxxxxxxxx via 209.191.106.90; Wed, 08 Jun 2011 08:17:59 -0700
Return-Path:
Received-SPF: pass (mta1266.mail.sk1.yahoo.com: domain of paypal@info.paypal.com designates 12.130.139.53 as permitted sender)
X-Originating-IP: [12.130.139.53]
Authentication-Results: mta1266.mail.sk1.yahoo.com from=info.paypal.com; domainkeys=pass (ok); from=info.paypal.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO om-paypal-na.rsys4.com) (12.130.139.53) by mta1266.mail.sk1.yahoo.com with SMTP; Wed, 08 Jun 2011 08:17:59 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=responsys; d=info.paypal.com; h=MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:Reply-To:Subject:List-Unsubscribe:To:Message-ID; i=paypal@info.paypal.com; bh=Y1tXQ59NDgIuDNT8/op6bWRpxlQ=; b=agGeN+dgjqdtHTfH6hh+t1lBLmOaJiWbHr/tDlS2ImT5VhhSFSGoPyQlfK6v8YH01zqDEl7lNFSB 592JfYUoglHOny2CwupogcOkmis0Fkhi71sFX1ZPzgjeVVx33dXfq40O6CesycABK3x2N+K3YWQn SjnJ4E57AXO+UaNEIt4=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=responsys; d=info.paypal.com; b=oELmrXu6h36yKm3MlLrcmrcMCi67M5SdHKrEcP9nUs/+UDFjh7mEhqDgd4kUw0XNAFqFbPQf5bmZ Z4UsDxGbiMnN92talNmUSDu1vTo+zUGyoMxSxFPo7Z5kC8JXmcLmRCUhR9g2mMrqp87cxzqnEfiz hdl0gpIhUhmja7TzAMc=;
Received: by om-paypal-na.rsys4.com (PowerMTA(TM) v3.5r15) id htu9ae0morc6 for ; Wed, 8 Jun 2011 08:06:43 -0700 (envelope-from )
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 8 Jun 2011 08:06:43 -0700
From: This sender is DomainKeys verified "PayPal" Add sender to Contacts
Reply-To: "PayPal"
Subject: xxxxx -- Important! Please update your browser now
List-Unsubscribe: ,
X-cid: pplna.5007.2
X-sgxh1: tQIhFopthNHT
To: xxxxxxxxxxxxxx
X-valueof-OFFERID: 47305
X-valueof-CAMPAIGNID: 9064
X-valueof-TREATMENTCODE: 000901739
X-valueof-EMAILCATEGORY: NON
X-valueof-HASHID: 2F982056J7461445T
Message-ID:
Content-Length: 8180 |
|
 lordpufferComfortably NumbPremium join:2004-09-19 Rio Rancho, NM kudos:1
| All I can tell you is that when I received the email, I called PayPal. The Rep I spoke with said that this email is a known phishing attempt. Since a PayPal Rep told me this, I posted it.  -- If you need a re-format, just ask and I'll do it. If you don't need one, just give me 5 minutes with your computer, and you will. |
|
 | reply to lordpuffer said by lordpuffer:Not sure how to show Full Headers for Gmail.
The link I posted has the gmail instructions/steps. |
|
 | reply to Sparrow said by Sparrow:Received: from 127.0.0.1 (EHLO om-paypal-na.rsys4.com) (12.130.139.53) by mta1266.mail.sk1.yahoo.com with SMTP; Wed, 08 Jun 2011 08:17:59 -0700
Received: by om-paypal-na.rsys4.com (PowerMTA(TM) v3.5r15) id htu9ae0morc6 for ; Wed, 8 Jun 2011 08:06:43 -0700 (envelope-from )
Unless I am reading this wrong.. Who is om-paypal-na.rsys4.com ? Is that verified paypal? |
|
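An added example, not part of any post in this thread and not PayPal's or Yahoo's code: it reads the receiving MTA's recorded verdicts from headers like those quoted above and checks that the DKIM signing domain (`d=`) aligns with the From domain, which is what ties a message relayed through `om-paypal-na.rsys4.com` to `info.paypal.com`. The sample headers are constructed from the thread's values with placeholder signature fields, the function names are hypothetical, and the script reads the recorded result rather than re-verifying the signature.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread. The
# recipient, the bracketed From address and the bh=/b= values are placeholders.
SAMPLE = """\
Received-SPF: pass (mta1266.mail.sk1.yahoo.com: domain of paypal@info.paypal.com designates 12.130.139.53 as permitted sender)
Authentication-Results: mta1266.mail.sk1.yahoo.com from=info.paypal.com; domainkeys=pass (ok); from=info.paypal.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO om-paypal-na.rsys4.com) (12.130.139.53) by mta1266.mail.sk1.yahoo.com with SMTP; Wed, 08 Jun 2011 08:17:59 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=responsys; d=info.paypal.com; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "PayPal" <paypal@info.paypal.com>
To: recipient@example.com
Subject: Please update your browser now

(body omitted)
"""

def first(pattern, text):
    """Return group 1 of the first match (lower-cased), or '' when there is none."""
    m = re.search(pattern, text or "")
    return m.group(1).lower() if m else ""

def aligned(signer, author):
    """Relaxed alignment: signer equals the From domain or is a parent of it."""
    return bool(signer) and (author == signer or author.endswith("." + signer))

def assess(raw, trusted_mta):
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Trust only verdicts stamped by our own receiving MTA: an
    # Authentication-Results header from any other host may be forged.
    verdicts = [h for h in msg.get_all("Authentication-Results", [])
                if first(r"^\s*([^\s;]+)", h) == trusted_mta.lower()]
    dkim_pass = any(re.search(r"\bdkim=pass\b", h) for h in verdicts)
    signer = first(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature"))
    spf = msg.get("Received-SPF", "").lower()
    return {
        "from_domain": author,
        "dkim_signer": signer,
        # The HELO name is self-declared by the sending host and proves nothing.
        "relay_helo": first(r"\(EHLO ([^)\s]+)\)", msg.get("Received")),
        "spf_pass": spf.startswith("pass") and trusted_mta.lower() in spf,
        "authenticated": dkim_pass and aligned(signer, author),
    }

if __name__ == "__main__":
    print(assess(SAMPLE, "mta1266.mail.sk1.yahoo.com"))
```

A pass here identifies the sending domain only; it says nothing about whether the links in the body are safe to follow.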
 lordpufferComfortably NumbPremium join:2004-09-19 Rio Rancho, NM kudos:1
| reply to JALevinworth Same email that was just posted.
Look, since I got a suspicious email, I called PayPal. The Rep told me it was a known phishing attempt and to send the email to spoof@paypal.com. I did so, and reported it here. If the Rep was wrong, I would have no idea. However, she seemed pretty sure.
Also, I am using a secure Browser. That is what made me suspicious. -- If you need a re-format, just ask and I'll do it. If you don't need one, just give me 5 minutes with your computer, and you will. |
|
 | said by lordpuffer:Same email that was just posted.
Look, since I got a suspicious email, I called PayPal.
You absolutely did the right thing.
If I were you, I would still submit it to phish track. You cannot be sure if you got the same exact email that others did. Even if the links (by visual assessment) properly point to paypal and there is a legitimate campaign being run by paypal on their website, it doesn't mean there aren't other items contained in the email that are not legitimate. |
|
 1 edit | reply to JALevinworth said by JALevinworth :Who is om-paypal-na.rsys4.com ? Is that verified paypal? that is the same thing that i saw in the last "paypal" email that i got.. "phishtank" said it was legitimate while "spamcop" said it was a phish..
unfortunately, i got no response from "paypal" after submitting it to them..
personally, i think the emails from "om-paypal-na.rsys4.com" are legitimate..
i think it is strange that paypal is sending emails, telling people that their browsers aren't secure.. according to who?
here is the paypal webpage about "updating your browser", referenced in sparrow's email:
»cms.paypal.com/us/cgi-bin/?cmd=_···otection |
|
 | said by redwolfe_98:said by JALevinworth :Who is om-paypal-na.rsys4.com ? Is that verified paypal?
that is the same thing that i saw in the last "paypal" email that i got.. "phishtank" said it was legitimate while "spamcop" said it was a phish.. unfortunately, i got no response from "paypal" after submitting it to them.. personally, i think the emails from "om-paypal-na.rsys4.com" are legitimate.. i think it is strange that paypal is sending emails, telling people that their browsers aren't secure.. according to who?
What I find funny, strange AND funny, ha haa... is that Paypal says that e-mails that they contracted with an ad agency to create and distribute are phishing attempts. Total communication breakdown between the different areas in the Paypal company. Laughable if it didn't cause such distress to some of their customers. Pathetic. |
|
 | reply to redwolfe_98 »www.siteadvisor.com/sites/sns4.r···msgpage#
»www.mywot.com/en/scorecard/rsys4.net
Seems odd (see above) if rsys4.net is designated to send on behalf of Paypal in some way.
Looking at the source code at that paypal browser link, that page isn't testing your browser anywhere I can find (other than to render the correct .css which I looked at too). Just in case there is a hidden attribute I am not seeing, I also opened it in the latest FF and IE and it gives the same page and source, both telling me I am out of date.
Even so, just because Paypal has that page doesn't mean some scammer cannot link to it in a bogus email.
I see what you're saying though. |
|
 lordpufferComfortably NumbPremium join:2004-09-19 Rio Rancho, NM kudos:1
| reply to lordpuffer I just received an email from spoof-review@paypal.com. Despite the fact that a PayPal Rep did in fact tell me that the email in question was a phishing attempt, the email confirmed that it was a legitimate email:
"Thank you for bringing this email to our attention. We can confirm that PayPal sent this email. We apologize for any confusion this may have caused".
Sorry everyone, but I was just posting the information that I had from PayPal at the time. The Rep was obviously incorrect. -- If you need a re-format, just ask and I'll do it. If you don't need one, just give me 5 minutes with your computer, and you will. |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7
| reply to lordpuffer There was such a mail submitted to phishtracker: See »/phishtrack?pi···3&urls=1
It sure looked like a legitimate email. The links were actually to the real paypal site. -- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.4; firefox 4.0 |
|
 BlackbirdBuilt for SpeedPremium join:2005-01-14 Fort Wayne, IN kudos:2
| reply to lordpuffer said by lordpuffer:I just received an email from spoof-review@paypal.com. Despite the fact that a PayPal Rep did in fact tell me that the email in question was a phishing attempt, the email confirmed that it was a legitimate email:
"Thank you for bringing this email to our attention. We can confirm that PayPal sent this email. We apologize for any confusion this may have caused".
Sorry everyone, but I was just posting the information that I had from PayPal at the time. The Rep was obviously incorrect.
Personally, I find no fault in the approach you took by cautioning folks. A long-standing and oft-repeated security admonition for guarding against phishing and other nasty things is: "don't click links in received eMails". And yet PayPal, in its own corporate wisdom (??), apparently now appears to be violating that in its authorized eMails. Worse yet, it appears that not all the personnel and tentacles of the organization have been adequately (if at all) informed about PayPal's new approach to their eMails. 'Ill-conceived' and 'chaotic' are just two adjectives that seem to barely describe their nonsense. In all seriousness, does PayPal believe its eMails are too sophisticated to be counterfeited? If not, how is a user to tell the real from the fake? And if a typical user can't tell, what on earth does PayPal think it's accomplishing placing links within its sanctioned eMails??? -- "Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775 |
|
 SnowymIRC unix.ro UnderNetPremium join:2003-04-05 Kailua, HI kudos:5
| said by Blackbird:'Ill-conceived' and 'chaotic' are just two adjectives that seem to barely describe their nonsense. In all seriousness, does PayPal believe its eMails are too sophisticated to be counterfeited? If not, how is a user to tell the real from the fake? And if a typical user can't tell, what on earth does PayPal think it's accomplishing placing links within its sanctioned eMails???
All that plus the use of a 3rd party mailing service. »www.responsys.com/ |
|
 SparrowCrystal SkyPremium join:2002-12-03 Sachakhand | reply to JALevinworth said by JALevinworth :... Looking at the source code at that paypal browser link, that page isn't testing your browser anywhere I can find (other than to render the correct .css which I looked at too). Just in case there is a hidden attribute I am not seeing, I also opened it in the latest FF and IE and it gives the same page and source, both telling me I am out of date.
Even so, just because Paypal has that page doesn't mean some scammer cannot link to it in a bogus email.
I see what you're saying though.
Obviously, what is occurring is that when you log into the site, browser information is recorded and those who are not using the latest browser are duly informed.
The link I posted previously ( »cms.paypal.com/cgi-bin/marketing···otection ) was simply an ad on PayPal's site, without logging in, where it displays the 5 website logos and suggests you update your browser.
If you look at the email screen shot, there is also a link for a "text" version. Maybe I'm just used to PayPal's emails and don't find them as alarming as others. Now, if they were addressed to a different account, other than the one linked to PayPal, THEN I would be suspicious.  |
|
 | said by Sparrow:said by JALevinworth :... Looking at the source code at that paypal browser link, that page isn't testing your browser anywhere I can find (other than to render the correct .css which I looked at too). Just in case there is a hidden attribute I am not seeing, I also opened it in the latest FF and IE and it gives the same page and source, both telling me I am out of date.
Obviously, what is occurring is that when you log into the site, browser information is recorded and to those who are not using the latest browser, are duly informed.
That would make sense, but I didn't log into the site (I don't use paypal). I went to the link and everything in the code points to the page only rendering "you have an outdated browser" statically.
I also went there with the latest FF and latest IE, so it's obviously not testing for this. |
|