
pertusis1 (macrumors 6502, Original poster), Jul 25, 2010, Texas
I am not sure if this is the best forum to post this in, but I have just come across a perplexing fraudulent website. Today, I tried to log onto eBay.com. I did not get there by a website, merely typing 'ebay.com' into Safari.

When I put my login information in, it directed to a restore account page. Stupidly, I entered the requested extensive information. When it gave me an error message, I looked at the web address bar, which showed that the website was NOT secure. I called Paypal, who told me that I had not attempted to login to ebay or paypal at all today (which confirms that the initial login site was bogus). At first, I thought it was perhaps a typo on the web address, but I tried going to ebay and paypal again, and each time I was directed to a bogus website.

Has anyone else encountered this? I was on Safari at the time, and even downloaded Firefox, which did exactly the same thing.

Can anyone tell me how to troubleshoot this? At first, I thought it was likely a virus/cookie, but it's hard to see how this could have affected Firefox (no imported preferences) on the first time I used it.

For what it's worth, I do use VMware Fusion with McAfee antivirus on the Windows side.
 
It could be a redirection via DNS. Try pinging ebay via the terminal and enter the IP address it gives you in a browser and see if it directs you to the bogus site.
 
This could be a start: netsecurity.about.com

“Your computer has a hidden system file called the Hosts file. This file can be used to hard code domain name translations and direct you to a different site. Normally if you try to visit paypal.com your computer sends the request to a DNS server which lets your computer know what the IP address of that domain name is so that your request can then be forwarded to the right server. The Hosts file supersedes DNS so by adding an entry in the Hosts file with the domain name “paypal.com” and a different IP address your computer can be redirected. Rather than being sent to the true paypal.com server your request will go to the address specified in the Hosts file.”

I assume this is happening on Windows... or is it Mac? I'd like to know so I can decide which MacRumor Guide to put this info in. I use a Netcraft Toolbar in Firefox which shows the safety of web sites. I also found this Microsoft link: Reset Host Files Back to Default. Make sure it's not a phishing site. :p

And just as an FYI Firefox already has phishing protection installed and turned on by default, but a quick check showed that I did not have "block reported web forgeries" checked.
 
Oddly enough

OK, so I tried traceroute via the Network Utility to:

ebay.com

Traceroute has started…

traceroute to ebay.com (46.182.3.20), 64 hops max, 72 byte packets

** note that 46.182.3.20 takes me directly to the bogus site

EDIT: this is happening on a Mac. Not sure which discussion forum it belongs in.
 
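The two checks suggested so far (look for a hosts-file override, and see whether the address the system resolver hands back is the one that leads to the bogus site) can be scripted. The following is an added example written for this thread, not code from any of the posters: it scans hosts-file text for entries that override a watch list of domains, and compares the A records two resolvers return for the same name, flagging a name whose answers share no address. The resolver answers are passed in as data so it runs offline; `dig_a_records` is a helper for gathering live answers with `dig` (system resolver versus a reference such as 8.8.8.8). The hosts-file sample, the watch list, and the 192.0.2.x / 203.0.113.x addresses are constructed; 46.182.3.20 is the address the traceroute in the thread showed.

```python
"""Triage check for DNS redirection of sensitive domains (added example)."""
import ipaddress
import re
import shutil
import subprocess

# Names to watch: the thread's two cases, with and without www.
WATCHED = ("ebay.com", "www.ebay.com", "paypal.com", "www.paypal.com")

# Constructed sample hosts file: the stock macOS entries plus one override.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# constructed: sends paypal to a different box
203.0.113.7     paypal.com www.paypal.com
"""


def hosts_overrides(hosts_text, watched=WATCHED):
    """Return {hostname: ip} for watched names the hosts file maps.

    Comments (after '#') and blank lines are ignored; matching is
    case-insensitive because DNS names are.
    """
    found = {}
    watched_lc = {w.lower() for w in watched}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a usable override
        for name in names:
            if name.lower() in watched_lc:
                found[name.lower()] = ip
    return found


def compare_answers(system_answers, reference_answers):
    """Flag names whose system-resolver A records share no address with
    the reference resolver's answer.

    Input: {name: iterable_of_ips} for each resolver. Output: a list of
    (name, system_ips, reference_ips) for the mismatches. A disjoint set is
    a signal to investigate, not proof: large sites answer with rotating
    or location-dependent addresses, so confirm with the certificate
    warning the thread describes before concluding anything.
    """
    mismatches = []
    for name in sorted(system_answers):
        sys_ips = set(system_answers[name])
        ref_ips = set(reference_answers.get(name, ()))
        if ref_ips and sys_ips.isdisjoint(ref_ips):
            mismatches.append((name, sorted(sys_ips), sorted(ref_ips)))
    return mismatches


def dig_a_records(name, server=None):
    """Live helper: A records for `name` from `dig +short` (system resolver
    when server is None, otherwise @server). Empty set if dig is missing."""
    if shutil.which("dig") is None:
        return set()
    cmd = ["dig", "+short", "+time=3", name, "A"]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    # +short also prints CNAME targets; keep only dotted-quad answers.
    return {l.strip() for l in out.splitlines()
            if re.fullmatch(r"\d+(\.\d+){3}", l.strip())}


if __name__ == "__main__":
    # Offline demonstration on constructed data.
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
    system = {"ebay.com": {"46.182.3.20"}}       # address from the thread's traceroute
    reference = {"ebay.com": {"192.0.2.10"}}     # constructed placeholder answer
    for name, sys_ips, ref_ips in compare_answers(system, reference):
        print(f"{name}: system resolver {sys_ips} vs reference {ref_ips}")
    # Live use (needs dig and network):
    # live_sys = {n: dig_a_records(n) for n in WATCHED}
    # live_ref = {n: dig_a_records(n, "8.8.8.8") for n in WATCHED}
    # print(compare_answers(live_sys, live_ref))
```

Run it with no arguments for the offline demonstration; uncomment the last lines to compare your own resolver against a public one. Because the thread's problem turned out to be at the ISP's resolver, a clean hosts file with a mismatch between the two resolvers is exactly the pattern to expect.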
> This could be a start: netsecurity.about.com
>
> I assume this is happening on Windows... or is it Mac? I'd like to know so I can decide which MacRumor Guide to put this info in. I use a Netcraft Toolbar in Firefox which shows the safety of web sites. I also found this Microsoft link: Reset Host Files Back to Default. Make sure it's not a phishing site. :p
>
> And just as an FYI Firefox already has phishing protection installed and turned on by default, but a quick check showed that I did not have "block reported web forgeries" checked.

Thanks for the interesting post. Oddly, on multiple computers in my house, it does the same thing. I'm starting to wonder if I'm losing my mind. I would be very interested if anyone else has tried plugging in the DNS # above yet.
 
another tidbit

OK, oddly, if I access ebay via my iPhone on the AT&T 4G network, I still get a non-functional ebay site. However, if I go to the mobile ebay site, it seems to work fine.

Note that I did reset the host file, which didn't seem to make a difference.

Also, ebay sent me an email (which hotmail 'trusts'). When I try to follow the link to pay for the item (either in OSX or Windows 7), I get a message that ebay's certificate is not trusted because the website does not match the certificate.

still puzzled...
 
> OK, oddly, if I access ebay via my iPhone on the AT&T 4G network, I still get a non-functional ebay site. However, if I go to the mobile ebay site, it seems to work fine.
>
> Note that I did reset the host file, which didn't seem to make a difference.
>
> Also, ebay sent me an email (which hotmail 'trusts'). When I try to follow the link to pay for the item (either in OSX or Windows 7), I get a message that ebay's certificate is not trusted because the website does not match the certificate.
>
> still puzzled...

So the question is how and why are you being directed to a fake site? This happens when you type in http://www.ebay.com and http://www.paypal.com?

When I type these in, on my Mac using Firefox, the beginning of the url includes a green PayPal with a locked lock icon and if I move my mouse over it, says verified by Verisign, the http turns into "https" representing a secured connection. This is before I sign in. However when I type in the ebay url, it does not show these things.

I wonder if there is something up with your service provider, ATT? Do you have an internet provider at home? Does it happen there when accessing with a laptop/desktop?

Please verify if this is happening on MacOS or Windows or is it just with iOS? Thanks.
 
> So the question is how and why are you being directed to a fake site? This happens when you type in http://www.ebay.com and http://www.paypal.com?
>
> When I type these in, on my Mac using Firefox, the beginning of the url includes a green PayPal with a locked lock icon and if I move my mouse over it, says verified by Verisign, the http turns into "https" representing a secured connection. This is before I sign in. However when I type in the ebay url, it does not show these things.
>
> I wonder if there is something up with your service provider, ATT? Do you have an internet provider at home? Does it happen there when accessing with a laptop/desktop?
>
> Please verify if this is happening on MacOS or Windows or is it just with iOS? Thanks.

Yesterday, it happened in both OSX and Windows 7, as well as on my iPhone. The phone connected through ATT, but my home computers were through an entirely different wireless carrier. I am going to mess with it more tonight, but have not had a chance yet.

In the end yesterday, I found that if I went to ebay's mobile website on my iphone, this site was secure and worked properly.

----------

I did type in the DNS number posted above, and when I'm on a work computer, it directs me to the bogus eBay page. However, if I type in 'ebay.com', while at work it takes me to the correct page.
 
bump

aha! I called a friend of mine who knows more about this stuff, and he immediately identified the problem. My internet service provider had been hacked. I thought my phone was misdirecting, but I erroneously had it on wifi, not 4G (ATT). Thus, what all of my computers had in common was the internet service provider. Once I changed my DNS, everything fixed itself. I'll have to call my ISP to tell them that they have a problem.
 
DNS spoofing

Well, I have learned a lot. As it turns out, the DNS that my ISP uses was hacked in a method called DNS spoofing. I called them, and they thanked me profusely for the heads-up. Never heard of this before, but it was a lesson that it's ALWAYS worth checking for that little padlock at the top of the browser.

I guess that wraps up this thread.
 
> Well, I have learned a lot. As it turns out, the DNS that my ISP uses was hacked in a method called DNS spoofing. I called them, and they thanked me profusely for the heads-up. Never heard of this before, but it was a lesson that it's ALWAYS worth checking for that little padlock at the top of the browser.
>
> I guess that wraps up this thread.

Which ISP wouldn't notice this breach...?
 
> Well, I have learned a lot. As it turns out, the DNS that my ISP uses was hacked in a method called DNS spoofing. I called them, and they thanked me profusely for the heads-up. Never heard of this before, but it was a lesson that it's ALWAYS worth checking for that little padlock at the top of the browser.
>
> I guess that wraps up this thread.

Your entire ISP. That is seriously ridiculous, I hope they give you free service for a lifetime.
 
> aha! I called a friend of mine who knows more about this stuff, and he immediately identified the problem. My internet service provider had been hacked. I thought my phone was misdirecting, but I erroneously had it on wifi, not 4G (ATT). Thus, what all of my computers had in common was the internet service provider. Once I changed my DNS, everything fixed itself. I'll have to call my ISP to tell them that they have a problem.
>
> Well, I have learned a lot. As it turns out, the DNS that my ISP uses was hacked in a method called DNS spoofing. I called them, and they thanked me profusely for the heads-up. Never heard of this before, but it was a lesson that it's ALWAYS worth checking for that little padlock at the top of the browser.
>
> I guess that wraps up this thread.

Holy ****! How did you change your DNS? In Firefox I'm using Netcraft Toolbar, World IP and Trust My Web to identify fake sites.
 
> Holy ****! How did you change your DNS? In Firefox I'm using Netcraft Toolbar, World IP and Trust My Web to identify fake sites.

System preferences... Network... Advanced... DNS...

hit the + in the left lower side of the window, and add a new DNS. Apparently a lot of people use 8.8.8.8, which is a Google public DNS and rarely has problems. I used another public DNS, but there are lots available.

The sad thing is that Safari DID identify that the site did not have a valid certificate, but I just didn't notice that the padlock was not there. I'm kicking myself, but perhaps I should get an add-on to actually warn me about these sites.
 
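The System Preferences steps above, plus the cache flush mentioned later in the thread, can also be done from the Terminal with Apple's `networksetup` tool. This is an added example written for this thread, not code from the original posters: it parses the current DNS setting for a network service, builds the `networksetup -setdnsservers` command (an empty list maps to the literal `empty`, which hands DNS back to DHCP, i.e. the ISP), and pairs it with `dscacheutil -flushcache` and `killall -HUP mDNSResponder` to clear the resolver cache. The 8.8.8.8 / 8.8.4.4 defaults are Google's public resolvers as named in the thread; the "Wi-Fi" service name is an assumption (use whatever `networksetup -listallnetworkservices` shows). Execution is macOS-only and needs admin rights; by default the script only prints the commands.

```python
"""Switch macOS DNS away from the ISP's resolver and flush the cache (added example)."""
import ipaddress
import platform
import subprocess
import sys

# Google public resolvers, as named in the thread; substitute any other public DNS.
DEFAULT_RESOLVERS = ("8.8.8.8", "8.8.4.4")

# Text networksetup prints when a service has no manually configured DNS servers.
NO_SERVERS_PREFIX = "There aren't any DNS Servers set on"


def parse_dns_servers(output):
    """Turn `networksetup -getdnsservers <service>` output into a list of IPs.
    An empty list means the service takes DNS from DHCP, which at home
    usually means the ISP's resolver."""
    servers = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(NO_SERVERS_PREFIX):
            continue
        ipaddress.ip_address(line)  # raises ValueError on unexpected text
        servers.append(line)
    return servers


def validate_resolvers(resolvers):
    """Accept only literal IP addresses before anything reaches networksetup."""
    for r in resolvers:
        ipaddress.ip_address(r)
    return list(resolvers)


def build_commands(service, resolvers):
    """Commands (argv lists) that set DNS for one network service and then
    flush the macOS resolver cache. networksetup spells 'no manual servers'
    as the literal word 'empty', which restores DHCP-supplied DNS."""
    servers = validate_resolvers(resolvers) or ["empty"]
    return [
        ["networksetup", "-setdnsservers", service, *servers],
        ["dscacheutil", "-flushcache"],
        ["killall", "-HUP", "mDNSResponder"],
    ]


def list_services():
    """Network service names; the first output line is a notice and disabled
    services carry a leading asterisk."""
    out = subprocess.run(["networksetup", "-listallnetworkservices"],
                         capture_output=True, text=True, check=True).stdout
    return [l.lstrip("*") for l in out.splitlines()[1:] if l.strip()]


def apply(service, resolvers, dry_run=True):
    """Print the commands for one service and, if dry_run is False, run them
    with sudo (macOS only). Returns the command list either way."""
    cmds = build_commands(service, resolvers)
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            if platform.system() != "Darwin":
                raise SystemExit("this step only runs on macOS")
            subprocess.run(["sudo", *cmd], check=True)
    return cmds


if __name__ == "__main__":
    # usage: python3 set_dns.py [service] [--run]   (assumed filename)
    args = [a for a in sys.argv[1:] if a != "--run"]
    service = args[0] if args else "Wi-Fi"  # assumed service name
    if platform.system() == "Darwin":
        current = subprocess.run(["networksetup", "-getdnsservers", service],
                                 capture_output=True, text=True).stdout
        print("current manual DNS servers:", parse_dns_servers(current) or "(none: DHCP/ISP)")
    apply(service, DEFAULT_RESOLVERS, dry_run="--run" not in sys.argv)
```

The flush matters for the reason given later in the thread: until the cache is cleared, the machine keeps serving the poisoned answers it already holds. To undo the change, call `apply("Wi-Fi", [], dry_run=False)`, which sends `empty` and returns the service to DHCP-provided DNS.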
> System preferences... Network... Advanced... DNS...
>
> hit the + in the left lower side of the window, and add a new DNS. Apparently a lot of people use 8.8.8.8, which is a Google public DNS and rarely has problems. I used another public DNS, but there are lots available.
>
> The sad thing is that Safari DID identify that the site did not have a valid certificate, but I just didn't notice that the padlock was not there. I'm kicking myself, but perhaps I should get an add-on to actually warn me about these sites.

How would changing the DNS on your computer fix an issue residing at the ISP level? Not doubting, just want to understand. Thanks!
 
> How would changing the DNS on your computer fix an issue residing at the ISP level? Not doubting, just want to understand. Thanks!

That doesn't change the DNS on your computer. It changes where your computer gets its DNS information from. Changing it away from your ISP will fix it after you clear the DNS cache on your computer.
 
> That doesn't change the DNS on your computer. It changes where your computer gets its DNS information from. Changing it away from your ISP will fix it after you clear the DNS cache on your computer.

Is there a disadvantage from steering away from your ISP for DNS info?
Thanks!
 
Just a quick follow-up note that I pulled out my old iPad, and sure enough the problem was still not fixed on the DNS. I manually changed the DNS to 8.8.8.8 and cleared the Safari cache. Problem solved.

Still hard to believe my ISP let this happen, and that it is still not fixed.

----------

> Is there a disadvantage from steering away from your ISP for DNS info?
> Thanks!

I'm not sure. Would be interested in the answer though.
 
> Just a quick follow-up note that I pulled out my old iPad, and sure enough the problem was still not fixed on the DNS. I manually changed the DNS to 8.8.8.8 and cleared the Safari cache. Problem solved.
>
> Still hard to believe my ISP let this happen, and that it is still not fixed.
>
> ----------
>
> I'm not sure. Would be interested in the answer though.

I don't think there is any disadvantage except that the server you choose to use might be further away. In Google's case they have plenty of bandwidth so it's not an issue.
 