Users of online payment service PayPal have again been targeted by scam artists trying to steal their personal data, including name, address, home and work telephone numbers and credit card information.
Earlier last week, a reader e-mailed Computerworld saying he had received a message allegedly from "CustomerService@paypal.com" with the subject "PayPal Security Update." Last month, PayPal users were hit by a similar scam.
The Oct. 22 message, which arrived as an HTML e-mail replete with grammatical mistakes, was set up to mimic PayPal's Web site, and said: "To confirm that you are an authorized PayPal member, authorization is needed. The New SSL 4.0 Secure Socket Layer has been updated to the PayPal servers. To be authorized, please visit https://www.paypalauthorization.com/. After completion, you will recieve [sic] and [sic] email confirmation within 24 hours of reciept [sic]. Thanks for using PayPal!, PayPal Security Team."
The Web site address listed in the e-mail took users to an official-looking site that asked for their personal information.
The reader said he was fooled into entering his user name and password, his address and half of his credit card number before he realized he had been scammed. He said he immediately changed his PayPal log-in password, removed his credit card and bank information from his PayPal profile, sent an e-mail to PayPal's customer service department and filed a complaint with the U.S. Federal Bureau of Investigation (FBI)'s Internet Fraud Complaint Center.
As of late Thursday Eastern time, the spoofed PayPal site was still available. It wasn't available last Friday.
PayPal spokeswoman Julie Anderson said the company was notified of the spoof site Thursday morning, immediately contacted the Web host for the site and asked that it be removed. The company also plans to file a suspicious activity report with law enforcement officials.
Previously, Anderson had said spoof sites are very common. She said the scam artists probably got hold of a database and sent messages to thousands of people, hoping to hit some PayPal account holders.
"[These scams] happen often, and they happen often to successful Web sites like eBay, PayPal and other financial services sites," Anderson said last month. "Fortunately, we know from experience that PayPal users are for the most part savvy enough not to fall for them. But in the end, if they do, they are certainly not liable for any losses."
A "whois" search on the domain name used in this week's scam showed that it was registered on Sept. 29, 2002, to a woman in Jacksonville, Fla. However, when reached for comment, the woman said she was the victim of a similar scam targeting users of Dulles, Va.-based America Online Inc. (AOL).
The woman said she had only been a member of AOL for one week when she received a message allegedly from the company saying there was a problem with the credit card information she had provided and her service would be shut off immediately if she didn't provide the number of a different credit card.
She said she complied with the request and was then asked to resubmit the number and expiration date of the card she originally provided. Again she complied with this request.
Shortly thereafter, the issuing banks called her because they determined there had been some suspicious activity on her card. She said that's when she realized she had been victimized.
AOL couldn't be reached for comment Friday.
Russ Cooper, a security consultant at TruSecure Corp. in Herndon, Va., said that in addition to the security center PayPal has on its site -- complete with tips for users, including a warning that they never share their PayPal password with anyone -- the company could do more to protect users.
He suggested that PayPal use digital signature technology that would allow users to determine the veracity of an e-mail purporting to be from PayPal. He also said PayPal could alert users to this technology by posting information about it on a prominent place on its site.