Fake PayPal Site

CharlieG writes: "Just a friendly warning as a followup to all the PayPal talk of yesterday. It seems that there is a scam going on based out of South Ural, Romania. They have created a site that looks exactly like Paypal, but is PayPai.com." Much more harmful than all the Slashdot typo sites (those only cause me to get dozens of flames a week for framing Slashdot: this one could actually steal your credit card!)

Technical info

Before it died I got a good look at the source. I also logged in using a paypal account I made with no credit card info or cash in it or anything, so no problems there. :)

Anyway, all the login info was routed through paypai.com, then it returned the paypal.com webpage. Worked essentially like a proxy, but probably logged the passwords. But the front end of the page was copied directly from paypal.com and had the paypal references changed to go to paypai.

Interesting method of attack. I wonder if this is going to become more common. Makes you wonder how you can secure against this kind of scam from the viewpoint of the website designer. Okay, admittedly, if you can get a user to give out a password, he's boned, but still.

---

Re:PayPai?

Read the article. They sent out e-mails with the domain name containing a capital "I" (which looks a lot like a lowercase "l" in most fonts, especially the sans-serif fonts that companies like AOL use by default). Click the link, and you're presented with a PayPal look-alike. Log in, and your username (just your e-mail address) and password are forwarded to the phony site.

Slashdot Effect Saves The Day

Don't worry about it... looks like the slashdot
effect already took care of the problem.

All we have to do is keep a quick link at /.
on hand to make sure they don't get back up.
By the time our loyal crowd of slashdot readers
get tired of constantly crushing...er revisiting
the deciteful paypal site they will be out of
revenue.

Registar.Cops?

Remember the fuss a while ago about the Network Solutions' license
agreement concerning domains. (The one that says they are free to do
nearly anything, include reposses your children and pets.)

Has anyone ever tried contacting the registar of a domain and report
such fraudulent abuse of a domain name. Network Solutions is fairly quick
about protect mother corporate.

Although PayPai.com uses something named EasySpace, I am sure the power
of being a domain registar has already corrupted those in charge there
and they would be more than insanely happy to be Registar cops.

Will it soon be, Registar to the rescue? Instead of going through the
proper authorities...especially when the business in question is located
in some far off land or a floating oil rig with no internet law.

Re:A simple solution....

Is this so that Lucky Charms can have their url contain purple horseshoes, blue diamonds, green clovers, etc...

Re:/. effect

Well since:
"They have created a site that looks exactly like Paypal"

I guess you could go to paypal.com and pretend you're getting scammed. I just did, and I'm pretty pissed off and calling my credit card company right now.

Re:Here is a mirror.

I'm going for the full effect, I'm pretending I'm getting scammed, and I'm pretty pissed off. I'm going to call my credit card company right next.

Some Are Still Available!

Hey, SIashdot.org and .com are still available for any one trying to grab some slashdot passwords out there. Boy, that'd be useful.

NetworksoIutions.com [networksoiutions.com] on the other hand is taken, though not by anything useful.
-----

Could have been worse/brighter

Whoever is responsible for paypai.com didn't think things through too thoroughly, did they?

First, they used a lure that was not only false, but that could be readily verifiable by the user. Big chunk o' cash waiting? I'll go see! Hmm, not there... uh oh! Using a less-effective lure (please click here to be removed from the paypaI.com mailing list) would not have generated as many hits, but would have kept him under cover much longer.

I also think it was a bit untidy of him/her to use paypai.com as the main site. Personally, I look at the URL quite a bit. Seeing "paypai" would set me off instantly. Instead, he/she could have used something else, like "login.paypalcom.net" or even "welcome.to/paypal", and one might just assume they're expanding their service and changing server names (like Hotmail likes to do a lot).

Even better (if it's possible), after recording the login and password, it could have spat the user to a "login failed" page with a "please try again" link, or maybe "server error, please try a different server [boo.hoo], sorry for the inconvenience" page, that then redirected the user to the REAL PayPal site.

I have to admit - as illegal and unethical as this scam was, it was a fairly bright idea. Good thing for PayPal users that they didn't think it all the way through.

Abusers of Fonts

Yeah, i've been getting spammed by somebody who's got an address at hotmaiI.com and they are trying to do the same sort of thing. What they are doing is abusing the fact that a lot of GUI based users run their systems with all-but-unreadable proportional spaced slick fonts, and a capitol 'I' is often only one pixel different from a little 'l', and often their font anti-aliasing smoothes that out to a 25% tone difference on one pixel, and who'd be the wiser...
I happened to notice this because i use a high contrast decent-sized courier font on my machine, and i run PINE in an KDE terminal window, so it stuck out like a sore thumb.
As always the user is the weakest link in security...

Here is a mirror.

Here's a mirror for PayPai.com. Just go to http://www.paypal.com [paypal.com]. :)