Warning to Freepers - Paypal scam

my email | self

[I still care]

Just a warning to Freepers never to give out your credit card numbers or passwords to people who send you email! I got this in my email yesterday.

---

Dear PayPal Customer

  PayPal is currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and placed on Limited Access status. Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.

To restore your account to its regular status, you must confirm your email address by logging in to your PayPal account using the form below:

Email Address:

Password:

Bank Account
Enter Bank Account #:

[I still care]

Obviously I called up paypal and sent them a copy. Yes, it is someone trying to rob me blind. And they told me several people were foolish enough to fill the form in. So be aware!

[Buffalo Bob]

Thanks, from a recent joiner of PayPal...

[js1138]

PayPay gets a lot of grief, but in three years I have had no serious trouble. They and eBay allow my daughter to make some serious college spending money, enough to buy most of her clothes.

[W04Man]

You know, I got the same thing in an email, twice. I ignored the first one, but sent the second one to PayPal to ask if it was legit. PayPal never answered me and I used the PayPal site contact form. Still no answer.

[PJ-Comix]

Maybe the Nigerians are getting few results with their old e-mail scam and are trying something newer and sneakier.

[I still care]

I called paypal direct. They told me 1) it wasn't theirs and 2)They were prosecuting them. He asked me to send them the headers.

[texasbluebell]

I got the same email months ago. I sent it on to paypal and they wrote back that they never contact anyone asking for this information.

So beware!

[KneelBeforeZod]

This is happening with magazines too. Some magazine clearing houses got subscriber lists... I'm not sure if they will really renew the magazines or not. I

so keep an eye out for that too...especially if you have 5 or more mo. left on your subscription.

[Boundless]

> He asked me to send them the headers.

Might I suggest you post them here as well.

Many of us run our mailers configured to show header
detail. It would be useful to know what to watch out
for. It wouldn't hurt to spam-block that sender.

[Library Lady]

Is this scam being done in the name of eBay, too? I got a similar message from them saying:

Recently we attempted to authorize payment from your credit card we have on file for you, but it was declined. For security purposes, our system automatically removes credit card information from an account when there is a problem or the card expires.

Please resubmit the credit card, and provide us with new and complete information. To resubmit credit card information via our secure server, click the following link:

http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn

This is the quickest and easiest method of getting credit card information to us. Using the secure server will ensure that the credit card will be placed on account within 24 hours.

Copyright 1995-2002 eBay Inc.

All Rights Reserved. Designated trademarks and brands are the property of their respective

I wrote back to tell them that I had not bought anything lately and they have no business authorizing payment from my credit card. I suspect this was not from eBay.

[I still care]

Here are the partial headers. I can't post all of it, because it obviously has MY email address in it too!

Return-Path: Received: from local ([24.131.159.81]) by mta001.verizon.net

[brityank]

Here's the trace for [24.131.159.81] -- looks like it's a faked header.

---

NeoTrace Trace Version 3.25 Results
Target: 24.131.159.81
Date: 3/13/2003 (Thursday), 17:54:40
Nodes: 23


Node Data
Node Net Reg IP Address Location Node Name
23 1 1 24.131.159.81 Unknown c-24-131-159-81.mw.client2.attbi.com


Packet Data
Node High Low Avg Tot Lost
23 237 237 237 1 0


Network Data
Network id#: 1

OrgName: AT&T Broadband Midwest-Detroit
OrgID: ATBD
Address: 27 Industrial Ave
City: Chelmsford
StateProv: MA
PostalCode: 01824
Country: US

NetRange: 24.131.128.0 - 24.131.191.255
CIDR: 24.131.128.0/18
NetName: ATBD-1
NetHandle: NET-24-131-128-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS4.ATTBB.NET
NameServer: NS5.ATTBB.NET
NameServer: NS6.ATTBB.NET
Comment: For abuse contact abuse@attbi.com
RegDate:
Updated: 2002-02-22

TechHandle: ZM117-ARIN
TechName: ATT Broadband
TechPhone: +1-978-244-4020
TechEmail: ipadmin@attbb.net

OrgTechHandle: ZM117-ARIN
OrgTechName: ATT Broadband
OrgTechPhone: +1-978-244-4020
OrgTechEmail: ipadmin@attbb.net

ARIN WHOIS database, last updated 2003-03-12 20:00


Registrant Data
Registrant id#: 1
NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS
database through the use of high-volume, automated, electronic processes. The
Data in VeriSign's WHOIS database is provided by VeriSign for information
purposes only, and to assist persons in obtaining information about or related
to a domain name registration record. VeriSign does not guarantee its accuracy.
By submitting a WHOIS query, you agree to abide by the following terms of use:
You agree that you may use this Data only for lawful purposes and that under no
circumstances will you use this Data to: (1) allow, enable, or otherwise support
the transmission of mass unsolicited, commercial advertising or solicitations
via e-mail, telephone, or facsimile; or (2) enable high volume, automated,
electronic processes that apply to VeriSign (or its computer systems). The
compilation, repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to use
high-volume, automated, electronic processes to access or query the WHOIS
database. VeriSign reserves the right to terminate your access to the WHOIS
database in its sole discretion, including without limitation, for excessive
querying of the WHOIS database or for failure to otherwise abide by this policy.
VeriSign reserves the right to modify these terms at any time.



The data in Register.com's WHOIS database is provided to you by
Register.com for information purposes only, that is, to assist you in
obtaining information about or related to a domain name registration
record. Register.com makes this information available as is, and
does not guarantee its accuracy. By submitting a WHOIS query, you
agree that you will use this data only for lawful purposes and that,
under no circumstances will you use this data to: (1) allow, enable,
or otherwise support the transmission of mass unsolicited, commercial
advertising or solicitations via direct mail, electronic mail, or by
telephone; or (2) enable high volume, automated, electronic processes
that apply to Register.com (or its systems). The compilation,
repackaging, dissemination or other use of this data is expressly
prohibited without the prior written consent of Register.com.
Register.com reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by these terms.


Organization:
AT&T Corp.
Corporate Administrator
32 Avenue of the Americas
New York, NY 10013
US
Phone: 908-221-5578
Fax..: 908-221-5581
Email: no.email.here@att.com

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: ATTBI.COM

Created on..............: Tue, Oct 02, 2001
Expires on..............: Sat, Oct 02, 2004
Record last updated on..: Mon, Apr 01, 2002

Administrative Contact:
AT&T Corp
Legal Demands Center
183 Inverness Drive West
Englewood, CO 80112
US
Phone: 800-871-6298
Fax..: 720-267-2794
Email: abuse@ATTBI.COM

Technical Contact, Zone Contact:
AT&T Corp.
William Holland
8372 E. Broad Street
Reynoldsburg, OH 43068
US
Phone: 614-501-2720
Fax..: 614-501-2702
Email: william.h.holland@att.com

Domain servers in listed order:

NS1.ATTBI.COM 204.127.198.4
NS2.ATTBI.COM 216.148.227.68
NS6.ATTBI.COM 63.240.76.4
NS5.ATTBI.COM 204.127.202.4

Register your domain name at http://www.register.com


The previous information has been obtained either directly from the
registrant or a registrar of the domain name other than VeriSign.
_____
NeoTrace Copyright ©1997-2001 NeoWorx Inc

---

[Cicero]

It seems to be genuine e-bay. But don't take my word for it.

[Library Lady]

Well, if it is, wonder why they are trying to authorize payment from my credit card account? In fact, I'm not sure I ever gave them that information. I use PayPal. Something is not right here.

[Hardcorps]

This is NOT Ebay. I received the same email last month and sent it to Ebay. Ebay will never ask for that type of information. Apparently this scammer is picking up email addresses from Ebay users that use their email addy as their user name (like me).

[kstewskis]

thanks for the heads up from a very frequent PayPal and eBayer!

[packrat35]

It is NOT from eBay. EBay asks anyone who gets these kind of mailings to forward them to spoof@ebay.com.

If you ever need to change anything on PayPal or eBay, go to their site and do NOT use any link in email.

[Poohbah]

I replied to one of these emails with a forged header indicating my name was:

"Deeyenda Maddick."

[Jhoffa_]

This should be punishable by death you know..

[EllaMinnow]

Somebody is doing this with ebay, too. I got an email asking for my password so they can "upgrade security."