
URL: https://cantoriscomputing.wordpress.com/2017/03/04/paypals-emails-encourage-dangerous-habits/comment-page-2/
Submission: On October 03 via manual from AU — Scanned from AU




CANTORIS COMPUTING


~ RANDOM GEEKERY

PAYPAL’S EMAILS ENCOURAGE DANGEROUS HABITS

04 Saturday Mar 2017

Posted by cantoris in Uncategorized

≈ 81 Comments

Tags

PayPal, Phishing, Security





I’ve recently got fed up going round and round in circles with PayPal trying to
get them to admit that their own emails are not actually phishing scams!

Yes, you read that right.  The problem is that PayPal’s own email campaigns
encourage users to click on links to domains that look to the suspicious eye
like a phishing scam.  PayPal’s own spoof detection service identifies these
emails as “likely fraudulent” and if you contact PayPal directly, they’ll
repeatedly deny all knowledge of the domains in question being their own.

Let’s have a look into this sorry story…

Firstly, here’s the start of a typical example email, sent to me on March 3rd
from “PayPal@mail.paypal.co.uk”:



Unlike normal phishing emails, this email addresses me by my full name and is
literate.  The problem comes if you assess the target domain of the “Log In Now”
button.  Here’s the tooltip:



Destination address “epl.paypal-communication.com” looks suspiciously like a
typical phishing domain.  Any security-aware user ought not to click on such a
link.  I don’t particularly want to be visiting a site that for all I know might
be serving up ransomware via an exploit kit!

I had a look online and found discussion at https://www.paypal-community.com/
which included references to this target domain with users asking after it
because they were suspicious.  Here’s what one user said:



And another:



And a third:






And the response from the PayPal moderator? (Details hidden to save the
blushes.)



I decided to dig around a bit.  A WHOIS on the domain said it is registered to
PayPal (via a company called MarkMonitor who protect brands):



Then I looked at the SSL certificate of the domain:



That is an Extended Validation SSL certificate issued by DigiCert to PayPal.

At this point I was sure it had to be legitimate and so contacted PayPal support
and told them the story so far.  In my message I included the following:

> On the assumption that this is indeed genuine, can I suggest that perhaps you
> ensure that all emails you send with links in, go only to paypal.com or
> paypal.co.uk?! Otherwise, you’re making it very difficult for users to tell
> what is legitimate and what is not.

For my trouble I got a standard automated reply with general educational info on
phishing emails and the comment, “If we haven’t answered your question, please
reply to this email and our team will answer you as soon as possible”.



If they’d bothered to read my email properly they’d have known I had gone beyond
that stage.  This sort of automated response irrespective of what you’ve said –
especially since you have to reply to it to even get a human response – is the
ideal way to frustrate your customers!

I also forwarded the email to their spoof detection service (in my case
spoof@paypal.co.uk).  Here’s the reply I got:



Unbelievable!  And how indecisive is “likely fraudulent” anyway?!  I tested the
actual link in the email by running Chrome inside Sandboxie for added safety.
It redirected to paypal.com which suggests all is well.  Replying to the
automated support email, I gave them the newer information and the verdict of
their spoof service and asked them to look into it.  I got the following
response.  I’ve just shown the start as you’ll get the idea…



Feeling increasingly exasperated, I emailed back and said that either the domain
was legitimately theirs, or DigiCert had issued an EV SSL certificate in their
name to a third party, “which would be a major security issue and absolutely
catastrophic for their business too!”.  I encouraged them to escalate it.

The reply asked for me to forward them the email:



I tried to cut a corner as I’d deleted the email by then:

> Please can you simply clarify whether a link to
> https://epl.paypal-communication.com is a valid destination address to have in
> an email from PayPal.  There is every sign that it is (the domain appears to
> be registered to PayPal!) …

The response was, shall we say, “frustrating”:



I emailed straight back:

> I have not said I received an email saying there is suspicious activity in my
> account.  You too have now said that the email is not from PayPal.  In that
> case, please can you explain why the link it asks me to log in to is at a
> domain formally registered to PayPal and with a PayPal SSL certificate on it?

Needless to say, every single message was from a different person – no attempt
to take ownership of a problem and run with it.

I eventually got a phone call and was passed from person to person three times.
Everyone sounded quite interested in and intrigued by the story and the
technical details.  I’m sure one of them said they were basically told to deny
any domain that did not end paypal.com or paypal.co.uk but he was clearly
struggling to deny the domain I was telling him about!  I was told I would hear
back.  I left the phone call feeling happier that this would be escalated to
someone in the know.  A few days later I prodded them for an update and told
them I’d had another similar email.  I finally got a new reply in my PayPal
message centre.  It took things to a whole new level of ridiculousness:





That last sentence shows how much I’ve been wasting my time.  How can they
possibly say a subdomain of paypal.co.uk is not theirs?  I first decided to
prove that that domain could receive email:



As we will see in a minute, the result was quite instructive.  If you also do a
SmartWHOIS to find who is responsible for the IP block that the
epl.paypal-communication.com domain is on, you get the following:



“Epsilon Data Management” owns the IP block and judging by the Mail Exchanger
record name, runs the mail server and presumably is the explanation for the
“epl.” at the start of the main domain name that set this hunt all off.  So, who
are Epsilon Data Management?  Here’s part of what their website says they do:



This all sounds very like the sort of emails that contain these links!

I’d sent one more email to PayPal which included this rebuttal to their latest
claim:

> I’ve confirmed that there is a DNS MX Record for domain “mail.paypal.co.uk”
> which shows it is a legitimate domain that can receive email. Also, since it
> is a child domain of paypal.co.uk, it MUST by definition belong to the same
> owners as “paypal.co.uk”!  So how can you say it does not belong to PayPal?

I got one more message from PayPal before I gave up in disgust:



After some more hunting around the PayPal site, I found one more thing of
interest – on PayPal’s “List of Third Parties (other than PayPal Customers) with
Whom Personal Information May be Shared” page:





Quote: “To execute outbound communication campaigns including but not limited to
email and push notifications.”

The story doesn’t end here.  I tried taking it to Twitter and sending Direct
Messages to @AskPayPal (PayPal Support).  I gave a very brief version of the
case and at their request sent a screenshot of one of the emails – with the
tooltip link visible.  I also sent a screenshot of the SSL certificate.  I got a
much more positive response:



I provided some more info, including about Epsilon.  I got another reply:



And the next response, which unfortunately was from someone else?



I managed not to die of frustration when told to forward it to the spoof service
again.  But then, there was a final bit of acceptance:



And that’s where it ends. …

And this is a company I’m entrusting with access to my money?  The left hand
doesn’t seem to know what the right hand is doing – in fact, it just denies all
knowledge of its existence despite all evidence to the contrary.  That coupled
with the generally poor support experience leaves me … shall we say … “not
overly-enamoured” of PayPal now.

The Twitter chat had closed with the following.



I couldn’t bring myself to click on it…

--------------------------------------------------------------------------------

Update – June 2017

The last couple of emails I’ve received from PayPal have still contained the
same domain in the Login links but at least their Spoof service is no longer
reporting them as being likely fraudulent.  Their current educational
information about spotting phishing attacks encourages you to see if they
address you by name.  I’ve received plenty of phishing emails that know my full
name and one piece of spam knew my full postal address too!  Their educational
info also lists various things their emails won’t ask you to do or type in.
They do also encourage you to login directly via their site but it would be far
better if they included no login button in their mass emails at all!
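The check this post keeps asking PayPal for, as an added example that is not the author's or PayPal's code: parse an e-mail body, confirm every link lands on paypal.com or paypal.co.uk, and flag links whose visible text names a different host than their real target (the mismatch noted in the comments). The sample e-mail is constructed from the details in the post, and the suffix handling is a deliberate simplification.

```python
"""Triage the links in a marketing e-mail as the post argues PayPal's own mail
should be checked: every anchor must land on an allowlisted registrable domain,
and a link whose visible text names one host while its href goes elsewhere is
flagged.  Added example, not PayPal's or the blog author's code; the sample
e-mail body is CONSTRUCTED from details given in the post and comments."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWLIST = {"paypal.com", "paypal.co.uk"}  # the only destinations the post wants
# Assumption: minimal suffix handling, enough for .com / .co.uk hosts; a real
# deployment would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def registrable_domain(host):
    """'epl.paypal-communication.com' -> 'paypal-communication.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_in_text(text):
    """Return the host if the visible link text itself looks like a URL/hostname."""
    token = text.split()[0] if text.split() else ""
    if "://" not in token:
        token = "http://" + token
    host = urlparse(token).hostname or ""
    return host if "." in host else None

def triage_links(html_body, allowlist=ALLOWLIST):
    """One finding per problematic anchor; clean anchors are omitted."""
    parser = _Anchors()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        issues = []
        if registrable_domain(host) not in allowlist:
            issues.append("target not in allowlist")
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            issues.append("visible text names a different host")
        if issues:
            findings.append({"href": href, "text": text, "issues": issues})
    return findings

# Constructed sample modelled on the e-mails the post and comments describe.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<a href="https://epl.paypal-communication.com/t/abc">Log In Now</a>
<a href="https://epl.paypal-communication.com/t/def">http://www.paypal.com</a>
<a href="https://www.paypal.co.uk/uk/security">www.paypal.co.uk</a>
"""

if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["issues"]))
```

Run against a real message, the same two findings are exactly what the post's author and the later commenters were reacting to: a login button on a non-PayPal registrable domain, and visible text claiming www.paypal.com while the target is elsewhere.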


81 THOUGHTS ON “PAYPAL’S EMAILS ENCOURAGE DANGEROUS HABITS”




 1. Javvy Crypto (@javvycrypto) said:
    
    May 17, 2019 at 05:40
    
    Damn, man. You have the patience of a Saint! This was so worthy to take time
    to comment. You really made my day seeing the Nth degree to which you went
    to show Paypal’s incompetence and hubris. I even tweeted about it and linked
    to it here: https://twitter.com/javvycrypto/status/1129243222570672128
    
    Reply
    
    
    
    * cantoris said:
      
      May 17, 2019 at 18:04
      
      Thanks for the tweet and comment!
      
      Reply
      
      
      
      * Javvy Crypto (@javvycrypto) said:
        
        May 25, 2019 at 02:58
        
        @cantoris Quick follow-up that we managed to get Paypal’s attention with
        my 14k followers and retweets with reach to millions. Maybe your efforts
        will lead to making some people’s lives better lol –
        https://twitter.com/javvycrypto/status/1132092030556004352
        
        
        
        
      
        
      
      * cantoris said:
        
        May 25, 2019 at 09:21
        
        Good luck!! I’ve just today received an email suggesting I apply for
        PayPal Credit by following a link to epl.paypal-communication.com …
        #FacePalm
        
        
        
        
      
        
      
    

 2. PMc said:
    
    July 3, 2019 at 01:02
    
    Being annoyed by exactly this E-Mail Spam, I looked into it and found it
    difficult to get rid of it (20 Lines of URL to be copied into the browser).
    So I called PayPal and asked how to get rid of the crap (which, to my
    knowledge, I hadn’t requested).
    The answer was:
    1. the mail does not come from PayPal, it comes from criminals.
    2. PayPal has no connection whatsoever to Epsilon company (commercial Spam
    distributor and owner of epsl1.com, who is the originator of the mail) and
    does not know anything about that company.
    3. PayPal has no connection whatsoever to PayPal Inc. San Jose, CA (NASDAQ:
    2PP; who is owner of the paypal-communications.com domain), and does not
    know anything about that company.
    
    Reply
    
    
    
    * cantoris said:
      
      July 3, 2019 at 18:55
      
      LOL that’s amazing
      
      Reply
      
      
    
      
    

 3. paleonowblog said:
    
    September 25, 2020 at 17:15
    
    I actually did this from one of these emails with the email address they
    deny is theirs and I added £10 to my account! It worked and I got £10 off my
    shopping! So it must belong to them.
    
    Reply
    
    

    

 4. Nah Dawg said:
    
    October 23, 2020 at 08:45
    
    Soooooo a friend forwarded me your post because they knew I would be
    interested. I worked at Epsilon for four years and am very familiar with the
    product you and the commenters are trying to wrap your heads around.
    
    First, let me say that my friend found your site because they also
    questioned the sketch-looking domain and wanted to see if they should click
    on a link from a PayPal email as well. Alright, backstory complete.
    
    Back to the domain stuff: so the product in question is called Harmony. It’s
    a SaaS email platform like MailChimp or Amazon SES, but on steroids. Very
    robust. There’s an API for devheads to kick out email campaigns or
    transactional emails from the system and I’ll bet that’s what PayPal is
    doing now.
    
    But PayPal didn’t announce the change, or tell any of the other departments
    about it which is why you’re butting up against a sh*t ton of confusion.
    
    Corporate America man, what can I say?
    
    So everything’s probably good, under control and behaving fine, but the
    security team knows nothing about what the developers have been up to. The
    epl.paypal-communication.com domain was set up for some reason (maybe they
    wanted a new domain, maybe the old one had too many spam complaints… could
    be a variety of things) but it’s really just an activity listener +
    redirection system. You click, the activity is noted, then you’re bounced to
    the expected spot on PayPal’s site.
    
    That’s it, no big mystery… but good job with the research completed. Most
    people don’t trace in to find the Epsilon server farm so kudos for that.
    
    Anyhoo, I won’t be providing my name or title for professional reasons.
    Cheers
    
    Reply
    
    
    
    * cantoris said:
      
      October 23, 2020 at 08:57
      
      Many thanks for taking the time to add all this information to this post!
      
      Reply
      
      
    
      
    

 5. Sue de Nym said:
    
    August 22, 2022 at 18:12
    
    Congratulations on pursuing it. I don’t have a PayPal account any more due
    to my frustration with its inability to answer any questions properly and
    the lack of control I seemed to have over my money.
    I have managed without a PayPal account perfectly well since.
    I also asked them to delete my data which they assured me they had.
    Today (over a year after closing my account) I got an email from
    paypal@mail.paypal.co.uk informing me of their new terms and conditions and
    how it may affect my account!
    Like most large corporations they’ve no real interest in customers. They
    seem to have people sitting answering questions by cutting and pasting stock
    answers that don’t necessarily relate to your question. These people have no
    authority or understanding of any of the problems. They are just robotic I
    suppose. It shows the complete disregard and lack of respect
    PayPal has for customers.
    PayPal is trying to dominate it seems. The sooner people realise they don’t
    need PayPal if they have a normal bank account the better.
    
    Reply
    
    
    
    * cantoris said:
      
      August 22, 2022 at 23:26
      
      Thanks Sue!
      I got the same email today. There was a link in it to further info that
      was supposedly at http://www.paypal.com – except the actual link target
      was epl.paypal-communication.com as was the “get in touch with us” link.
      So many years later and they’re still encouraging users to click on links
      that look like a phishing scam!
      
      Reply
      
      
    
      
    

