Dec 5, 2012 05:16 AM

Returned home today to find an email from Paypal for a payment for $199.74 to eBay seller PINZOO I never made. I didn’t click and links but it was sent to may Paypal email address and addressed me by name. All email links were shown as in .ru though. No debit’s were shown in Paypal though and no activity shown in my bank account. My guess is if I logged in to Paypal using any of the links in the email it would have attempted the charge. This one is real looking with fake links to the resolution center even.

Ebay Members Receiving Paypal Phishing Emails Addressed to their Proper Name

I’ve been observing and documenting instances of Paypal clients receiving phishing emails addressed to their real, proper names. They seem to be on the increase.

Paypal’s Suspicious Activity on Your PayPal Account? We Can Help advisory page states that a genuine email from them will contain your real first and last name or your business name, thus the greatly elevated risk involved with bogus or phishing emails which include such. In effect, rank and file members (and noted cheerleaders too) are being spearphished.

Suspicious_Activity_on_Your_PayPal_Account_20121205_640ce

I’m wondering whether Paypal may update or modify that advice, along with similar statements on their recorded telephone messages people listen to while on hold for their over-burdened customer service?

The question remains: How did the scammer/phishers obtain the names? There are only so many plausible possibilities. The two most obvious which come to mind: hacking and insider issues.

If through any fault or breach of Paypal, don’t expect anything other than cover-up and denial, as their past behavior shows. ( in case anyone was wondering , Yes! Paypal has been hacked! Many times over!)

Paypal has ignored and sought to cover up data leaks which posed very serious risk to users. They refused  to accept, examine the data or notify users of the breaches. They’ve also had at least one alleged and visually documented incident of insider fraud with members’ personal info.

In the above linked discussion thread You’ll note that one poster jokes:

“Has it ever occurred to you that it isn’t phishing but just an additional funding source for JD’s retirement package ???

But that scenario may not be too far fetched, especially in the bizzarro world landscape of ebaypal these days,  as any number of bonafide studies from across the gamut of independent, academia, security, and government sectors and over the years show. Here’s an excerpt from one of them:

Major Findings of the Insider Threat Study Report on the Banking and Finance Sector

… Major findings, which present examples of insider methods as well as means of detecting insider activities in this sector, include:

• Most of the incidents in the banking and finance sector were not technically sophisticated or complex.  They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise.   In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.
• The majority of the incidents (81%) were devised and planned in advance.  Furthermore, in most cases, others had knowledge of the insider’s intentions, plans, and/or activities.  Those who knew were often directly involved in the planning or stood to benefit from the activity.
• Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.
• Insiders in this report fit no common profile.   Only 23% held a technical position, 13% had a demonstrated interest in “hacking” and 27% had come to the attention of a supervisor or co-worker prior to the incident.
• Insider incidents were detected by internal, as well as external, individuals – including customers.
• The impact of nearly all insider incidents in the banking and finance sector was financial loss for the victim organization: in 30% of the cases the financial loss exceeded $500,000.  Many victim organizations incurred harm to multiple aspects of the organization.
• Most of the incidents (83%) were executed physically from within the insider’s organization and took place during normal business hours.

Paypal also sends their communiques with clickable links, despite the fact that not clicking them is the number 1 rule to avoid phishing. This has been a perennial issue.

They are, in practice and in fact conditioning their users to be comfortable with, and presumably, to click the links within Paypal emails. What other possible reason could there be? If they did not want people to click links, there would be none to click! Ever. This is so simple a concept it really shouldn’t even need to be stated.

So why haven’t the brainiacs at Paypal considered that? Good question. I can think of millions, if not billions of reasons.

Of course the fun never ends. Look to see a well known PayPal advisor state that having your real name on a paypal email is no assurance of authenticity.  Also paypal sending back incorrect info regarding spoof emails submitted to them  http://bit.ly/UtAA9w