PayPal Hijacked Appears Unsafe To Use!!

 

This Scam Website "cmd-miayoa0e.com" Was Set Up 10/29/2006!

 

Yep.. Just When You Thought It Was Only eBay That Had Been Hacked, Someone Comes Along And Hacks PayPal!!

 

It Starts Out With A Spoof Email.. Yea.. Those Of Us IN THE KNOW Have Seen Dozens Of These, But Many That Are Not So Savvy Are Surely Going To Fall For This One!

 

What Is So Different With This One Is, The Scammers Are Somehow Authenticating Your PayPal Email Address And Password, Capturing It On Login!

 

It Is Not Your Ordinary Run Of The Mill Phish Site!! It Not Only Asks For Your Personal Information But Upon Logging In, The Fields Are Already Populated With Your Info On File With PayPal! Your Name, Address, City, State, Zip, And Phone Number, Your Current Credit Card Number (Last 4 Visible Only) Expiration Date, CCV #, And It Even Asks For Your PIN Number, (This Is Another Clue The Site Is Bogus!)

 

If It Were Not For The Lack Of a Secure Socket Connection (HTTPS) It Would Have Fooled Me! There Is A Data Leak Somewhere In PayPal's Servers Letting A Scammer Siphon This Info Out Of PayPal Onto Their Scam Website!

 

The Screen Shots Below Show The Scam In Progress!

 

 

I Tested The Login With A Dummy Password And It Was Rejected! So I Went To PayPal And Changed My Regular Password, Then Logged Right Into The Scam Website! MY Now Changed Password Was Authenticated By PayPal's Server! NOTE There Is NO HTTPS Secure Login In Any Of These Screen Captures Below!!

 

Also Internet Explorer 7 (That I Am Slowly Getting To Like) Popped Up A Warning It Could Be A Suspicious Website!

 

 

Bingo.. There Was All My Personal Info On File With PayPal Populated Into The Fields Below!

 

DANG.. That Is Scary!!

 

 

The Whole Credit Card Number Was Not Visible, But The Correct Last 4 Digits And Expiration Date Were!

 

My Address Is Public Knowledge So I Didn't Block It Out, Just My Email And Private Phone Were Secured From View!

 

 

NOTE: It Does Authenticate The Above Financial Data Through PayPal! And Gave The Above Error When I Clicked Add/Update Card Without Filling In The Fields!!

 

Had I Filled In The Proper Data It Might Have Gone On To My Bank Account Info!

 

 

This Siphoning Technique Is Similar To This One Siphoning Your User Info Out Of eBay That We Discovered A Week Ago!

 

This Is a Serious Problem! eBay And PayPal Need To Get This Drafty BACK DOOR SHUT Before More EBAY/PAYPAL Members Are Scammed!!

 

This Security Breach STINKS As Bad As A Crappy Car Deal On eBay Motors!!

 

Is This eBay/PayPal Code Written So Sloppily That A Scammer Can Access More Of Your Financial Information Than Is Shown Above??

 

(Updated 11/04/2006) This Website Was Shut Down Rather Quickly! However, After Researching How The Scammers Were Able To Do This, I Was Told eBay Will Let Anyone Connect To Their API If They Have A User's ID And Password! This Is So 3rd Party Websites Such As Andale, Vendio, Etc, Can Submit Listings, Do Checkout, Etc. The Scammers Have Figured This Out And Are Using A Script To Connect To eBay/PayPal And Siphon Your User Data For Fraudulent Purposes!

 

Doc Feels This Information Should Be SECURE! And Anyone Accessing The API Be Authorized To Do So! Leaving The Door Wide Open Is Just Inviting Fraudulent Activity!

 
