REVscene Automotive Forum

PSA: Paypal Phishing (https://www.revscene.net/forums/707231-psa-paypal-phishing.html)

twitchyzero 01-19-2016 05:44 PM

PSA: Paypal Phishing
 
Just saw a fairly clever phishing that could've fooled the average person

sender's name: service@intl.paypal.com

sender's E-mail yerros@cloudgrwark.onmicrosoft.com

It says it's a confirmation that some (random E-mail) was just added to your PayPal account...if you didn't add this, let them know right away, and it prompts you to log in, on of course a 3rd-party site that looks like PayPal. The E-mail has an identical logo and font to the real thing.
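
The two sender fields quoted above (a display name written to look like a paypal.com address, backed by an unrelated onmicrosoft.com mailbox) are exactly what a mail-client filter should compare. The following is an added example, not code from the original post: it parses a constructed From: header modelled on the one described, and flags the display-name/address mismatch. The brand domain allowlist is an assumption for the example; a real deployment would take it from the brand's published SPF/DMARC records.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the brand's legitimate sending domains. In practice
# you would take these from the brand's published SPF/DMARC records, not from memory.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed sample message, modelled on the two sender fields quoted in the post.
# The subject line is made up for the example; the body is omitted.
PHISH = """From: "service@intl.paypal.com" <yerros@cloudgrwark.onmicrosoft.com>
Subject: A new email address was added to your PayPal account

(body omitted)
"""

# Constructed control message: display name and address agree, and the domain is the brand's own.
LEGIT = """From: PayPal <service@paypal.com>
Subject: Receipt for your payment

(body omitted)
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower()


def is_under(domain: str, base: str) -> bool:
    """True if domain is base itself or a subdomain of it (intl.paypal.com is under paypal.com)."""
    return domain == base or domain.endswith("." + base)


def check_from_header(raw_message: str) -> list:
    """Flag From: headers whose display name claims an identity the real address does not back."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    addr_domain = domain_of(address)
    findings = []

    # Trick 1: the display name is itself written as an email address at another domain,
    # so a client that only shows the name appears to have received mail from that domain.
    if "@" in display_name:
        claimed = domain_of(display_name)
        if claimed and claimed != addr_domain:
            findings.append(
                f"display name is written as an address at {claimed}, "
                f"but the message really comes from {addr_domain}"
            )

    # Trick 2: the display name drops a brand name while the sending domain is not the brand's.
    lowered = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and not any(is_under(addr_domain, d) for d in domains):
            findings.append(
                f"display name mentions '{brand}' but sender domain {addr_domain} "
                f"is not under {sorted(domains)}"
            )
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_from_header(sample) or ["no findings"])
```

Both checks fire on the constructed phish and neither on the control. Note that the check deliberately treats subdomains of the brand domain as legitimate (intl.paypal.com under paypal.com) but not look-alikes such as paypal.com.evil.example, because `is_under` anchors on a dot boundary rather than a substring match.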

ancient_510 01-20-2016 08:15 AM

If you don't have 2-factor activated on your Paypal account, you're a fool.

Presto 01-20-2016 08:16 AM

2FA EVERYTHING!

twitchyzero 01-20-2016 10:31 PM

so you have to add an SMS PIN each time you log in? sounds like a hassle...if current PayPal is as secure as my online banking then I'm not too concerned...esp if it's only tied to a CC and not to a chequing/savings account.

Gerbs 01-20-2016 11:36 PM

Anyone else get spammed with PayPal phishing emails twice a day?

Kilinim 01-21-2016 12:10 AM

Please explain this 2 factor sorcery

CRS 01-21-2016 12:22 AM

Quote:

Originally Posted by Kilinim (Post 8719148)
Please explain this 2 factor sorcery

I imagine it's a 2-step login.

If it's anything like the banks, the first page is the login with username and the second page will have a special phrase and/or photo that you've selected or been assigned so you know it's legit before you submit your password.

ancient_510 01-21-2016 06:56 AM

Quote:

Originally Posted by CRS (Post 8719151)
I imagine it's a 2-step login.

If it's anything like the banks, the first page is the login with username and the second page will have a special phrase and/or photo that you've selected or been assigned so you know it's legit before you submit your password.

No.

2-factor authentication is a method that provides identification of users by means of the combination of two different components.
Two-factor authentication, used to prove one's identity, is based on the premise that an unauthorized person is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset.

In the case of my bank, I provide a card and a PIN when using the ATM.
In the case of paypal, I provide a password and a one-time-use code SMSed to me.
In the case of my Gmail, I provide a password and code from the Authenticator app (time based, new code every 30 seconds).
In the case of my work PC, I provide a password and I must plug in a special USB stick.

Thanks Wikipedia :p

This way, if I was successfully phished and I entered my password on the phishy site, the phishers could not trigger the SMS and could not gain access to my account.

However, it is theoretically possible that:
Phishers could have created an API to immediately take my information that they just phished and push it to a real Paypal login page
Use it to trigger the SMS
Wait for my subsequent entry of the one-time code
Use their access to my paypal account to immediately drain funds OR turn off 2-FA

Oh! But A510! That sounds like a hassle!
Remember the fappening? Could have been prevented with 2-FA
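
The two cases in the post above (a phished password alone is useless; a phished password plus a code relayed to the real site inside its 30-second window is not) can be shown concretely with a time-based one-time code. The following is an added example, not code from the original post or from PayPal: `hotp`/`totp` implement RFC 4226/6238 with the RFC's own test secret so the codes can be checked against the published vectors, and `AccountService` is a hypothetical login that tolerates one step of clock drift and never accepts a code twice. The password and timestamp are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used so the codes
# below can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


class AccountService:
    """Hypothetical account login (not PayPal's real implementation) that requires
    password + TOTP, tolerates one step of clock drift, and never accepts a code twice."""

    def __init__(self, password: str, secret: bytes, step: int = 30, digits: int = 6):
        self.password = password
        self.secret = secret
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter whose code has already been consumed

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        current = now // self.step
        for counter in (current - 1, current, current + 1):
            if counter <= self.last_counter:
                continue  # one-time means one time: a consumed code stays consumed
            if hmac.compare_digest(code, hotp(self.secret, counter, self.digits)):
                self.last_counter = counter
                return True
        return False


def scenario(step: int = 30) -> dict:
    """Replay the post's two cases against the service: password alone, and a real-time relay."""
    svc = AccountService("correct horse battery staple", RFC_SECRET, step=step)
    t0 = 1_000_020  # constructed timestamp, chosen to sit exactly on a step boundary
    victim_code = totp(RFC_SECRET, t0, step=step)
    guessed = ("1" if victim_code[0] != "1" else "2") + victim_code[1:]  # attacker's wrong guess

    return {
        # 1. Phisher has the password but no second factor: rejected.
        "password_only": svc.login("correct horse battery staple", guessed, t0),
        # 2. Phisher relays password + freshly phished code inside the same 30-second step: accepted.
        "relayed_in_window": svc.login("correct horse battery staple", victim_code, t0 + 15),
        # 3. The victim (or the phisher again) presents the same code afterwards: consumed, rejected.
        "same_code_again": svc.login("correct horse battery staple", victim_code, t0 + 20),
        # 4. Phisher sits on the code and tries two minutes later: stale, rejected.
        "stale_code": svc.login("correct horse battery staple", victim_code, t0 + 120),
    }


if __name__ == "__main__":
    print("TOTP right now:", totp(RFC_SECRET, int(time.time())))
    for name, ok in scenario().items():
        print(f"{name:>18}: {'ACCEPTED' if ok else 'rejected'}")
```

Case 2 is the relay attack the post describes, and it succeeds because the code is only bound to time, not to the site the user typed it into; cases 3 and 4 show what the one-time and time-window properties do buy you, which is why the attacker has to act inside the window and why the victim's own later attempt with the same code fails.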

quasi 01-21-2016 07:08 AM

Quote:

Originally Posted by ancient_510 (Post 8719176)
No.

2-factor authentication is a method that provides identification of users by means of the combination of two different components.
Two-factor authentication, used to prove one's identity, is based on the premise that an unauthorized person is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset.

In the case of my bank, I provide a card and a PIN when using the ATM.
In the case of paypal, I provide a password and a one-time-use code SMSed to me.
In the case of my Gmail, I provide a password and code from the Authenticator app (time based, new code every 30 seconds).
In the case of my work PC, I provide a password and I must plug in a special USB stick.

Thanks Wikipedia :p

This way, if I was successfully phished and I entered my password on the phishy site, the phishers could not trigger the SMS and could not gain access to my account.

However, it is theoretically possible that:
Phishers could have created an API to immediately take my information that they just phished and push it to a real Paypal login page
Use it to trigger the SMS
Wait for my subsequent entry of the one-time code
Use their access to my paypal account to immediately drain funds OR turn off 2-FA

Oh! But A510! That sounds like a hassle!
Remember the fappening? Could have been prevented with 2-FA

Oh, so like CRS said it's a 2 step login.

ancient_510 01-21-2016 07:13 AM

Quote:

Originally Posted by quasi (Post 8719179)
Oh, so like CRS said it's a 2 step login.

Yes, but the method he mentioned is not 2-FA.

The display of a recognised image or phrase is not an active security measure and many financial institutions are phasing them out right now. Mine will actually turn them off on January 25th.

It does not actively interject into the login process. A user can simply blunder by the "security measure."
It can be replicated by a phisher using a simple iframe.

Presto 01-21-2016 07:43 AM

Two-Factor Authentication significantly increases the difficulty of unauthorized access. Normally, authentication is based on a password, which is something you know. 2FA adds another level of security by requiring something you have, like an authenticator, smartcard, or even email.

6o4__boi 01-21-2016 08:09 AM

i've noticed that they're getting better at making things look legit

i ignore most of my emails though, even the most-likely legit ones from my bank :fuckthatshit:

i remember the very first few attempts at email scams were so pathetic, i wanted to find the sender and personally laugh in his face

white rocket 01-21-2016 08:28 AM

Quote:

Originally Posted by ancient_510 (Post 8719180)
The display of a recognised image or phrase is not an active security measure and many financial institutions are phasing them out right now. Mine will actually turn them off on January 25th.

I know where you bank :dizzy:. Lol! Unless other banks are doing the same.

I guess I've been lucky with Paypal over the 10 years I've used it. Unless their servers get hacked I'm feeling pretty safe. I don't see any other way it can happen as I don't respond to any emails that weren't instigated by me. If it's really important they know how to get a hold of me.


All times are GMT -8.

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
SEO by vBSEO ©2011, Crawlability, Inc.
Revscene.net cannot be held accountable for the actions of its members nor does the opinions of the members represent that of Revscene.net