[CentOS] Paypal phishing warning

Thu Jun 9 11:41:50 UTC 2011
Robert Heller <heller at deepsoft.com>

At Thu, 9 Jun 2011 11:00:27 +0200 CentOS mailing list <centos at centos.org> wrote:

> 
> On Thu, June 9, 2011 10:51, Rudi Ahlers wrote:
> > On Thu, Jun 9, 2011 at 8:39 AM, MR ZenWiz <mrzenwiz at gmail.com> wrote:
> >> Sorry for the cross-post, and off-topic at that, but:
> >>
> >> This morning I received a very authentic looking email from
> >> info.paypal.com, claiming that Paypal wanted me to update my browser.
> >> (Really.)
> >>
> >> It had my name in it and all the right graphics and colors and
> >> everything.
> >>
> >> Except that the from site was info.paypal.com (whoever they are: hint
> >> - not paypal.com) and the links all had long obfuscated links in them.
> >>
> >> I verified with paypal that it was not legitimate, so I thought you
> >> might all be warned as well.
> >>
> >> You may now return to the appropriate technical discussions....
> >
> > If the mail came from info.paypal.com then I would suspect a "rogue
> > insider job",  OR their servers could be compromised. No-one but the
> > network / domain administrator(s) of paypal.com can actually setup a
> > subdomain on their own server called info.paypal.com
> >
> > Even if I setup a domain called info.paypal.com on one of our servers,
> > the links won't work and the phishing attempt would be void to start
> > with.
> >
> > Are / were those links clickable? If So then I would raise it to their
> > attention again that their servers could probably have been
> > compromised
> >
> 
> I imagine he means that the mail had a "From:" or even "Reply-To:" header
> that came from info.paypal.com. Both these headers are trivially forged and
> bear no connection to the origin of the mail. The only headers you can
> trust on an email are the ones that have been inserted or changed by your
> own mail servers.

The important headers in question are the 'Received:' headers, paying
close attention to the one that identifies where the mail entered
a legitimate server -- eg one's inbound mail server.


-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
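The check described in the thread, as an added example that is not part of the original message or of anything any poster wrote: walk the Received: chain top-down (newest first), keep going only while the line was stamped "by" one of our own inbound servers, and the last such line tells us which host actually handed the mail to us. The sample message, the TRUSTED_MX host names and every address and IP in it are constructed for illustration; only the header-parsing logic is general.

```python
"""
Find where an e-mail really entered our mail servers by reading the
Received: chain, then compare that hop with the (forgeable) From: domain.

Added example for this thread; not code from the list or from any poster.
The message and host names below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: these are the inbound MX hosts we operate.  Only Received:
# lines written "by" one of them are ours; everything below the first
# foreign "by" host was written by strangers and may be forged.
TRUSTED_MX = {"mx1.example.net", "mail.example.net"}

# Constructed sample: From:/Reply-To: claim info.paypal.com, but the mail
# reached our MX from an unrelated dial-up host.  Headers are folded with
# a tab, as real MTAs do.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx1.example.net (Postfix) with ESMTP id ABC123
\tfor <victim@example.net>; Thu, 9 Jun 2011 06:30:01 -0400
Received: from dsl-203-0-113-77.example-isp.test (unknown [203.0.113.77])
\tby mail.example.net (Postfix) with ESMTP id DEF456
\tfor <victim@example.net>; Thu, 9 Jun 2011 06:29:58 -0400
Received: from info.paypal.com (info.paypal.com [198.51.100.5])
\tby dsl-203-0-113-77.example-isp.test with SMTP; Thu, 9 Jun 2011 06:29:50 -0400
From: "PayPal" <service@info.paypal.com>
Reply-To: <update@info.paypal.com>
To: victim@example.net
Subject: Please update your browser

(body)
"""

# "from <helo> (<rdns> [<ip>]) by <host>" -- the rDNS/IP part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into the parts we care about."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    return {
        "helo": m.group("helo"),          # name the sender claimed (forgeable)
        "rdns": m.group("rdns"),          # reverse DNS recorded by the receiver
        "ip": m.group("ip"),              # peer IP recorded by the receiver
        "by": m.group("by").rstrip(";,").lower(),
    }


def entry_point(raw, trusted=TRUSTED_MX):
    """Return the hop at which the mail entered our infrastructure.

    Received: lines are read top-down (most recent first).  We advance only
    while the line was stamped by one of our own hosts; the last such line
    records the foreign peer that handed the mail to us.
    """
    msg = message_from_string(raw)
    entry = None
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"] not in trusted:
            break
        entry = hop
    return entry


def from_domain(raw):
    """Domain of the From: address, which proves nothing by itself."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def assess(raw, trusted=TRUSTED_MX):
    """Compare the claimed From: domain with the host that delivered to us."""
    entry = entry_point(raw, trusted)
    claimed = from_domain(raw)
    if entry is None:
        return {"from_domain": claimed, "entry_host": None,
                "entry_ip": None, "consistent": False}
    # Prefer the receiver-recorded rDNS; fall back to the claimed HELO name.
    rdns = (entry["rdns"] or "").lower()
    host = rdns if rdns and rdns != "unknown" else entry["helo"].lower()
    consistent = host == claimed or host.endswith("." + claimed)
    return {"from_domain": claimed, "entry_host": host,
            "entry_ip": entry["ip"], "consistent": consistent}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

For the constructed sample this reports that a mail claiming to be from info.paypal.com was handed to our server by 203.0.113.77, so the From: line is worthless as evidence of origin. The only fields that carry weight are the ones our own MX wrote: the peer IP and, when the MTA records it, the reverse DNS. The HELO name and the Received: lines below our first hop are the sender's to invent.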