A saphe Xmas

The Xmas season is upon us, as evidenced by the Xmas trees appearing in shopping malls, and the Xmas promotions filling up our (e-)mailboxes. One such Xmas promo is PayPal’s (Australia). If you’ve got a PayPal account, you probably received it too. It sends you (after going through their email tracking system on http://email1.paypal.com/) to a motion-sickness-inducing Flash app, which allows you to scroll horizontally through their promos. Check it out (keep a bag or a bucket at hand)! I do like that scrolling effect on CoolIris, but not so much here. But that’s actually another discussion.

Check out the URL: http://122.201.77.222/paypal-offers.com.au/
You get redirected there if you go to http://www.paypal-offers.com.au/. Is this really PayPal?
Now, go to http://www.paypal.com.au/, just to make sure you’re at a PayPal site. What, no mention of any PayPal offers or promotions?

There’s a couple of things wrong here:

First off, is it really that hard to configure a server/DNS to get paypal-offers.com.au to show the PayPal offers? Why the redirect (in addition to their email redirect through http://email1.paypal.com/)?

Second, there is no integrated marketing plan, having the PayPal offers linked from the main PP site to this offers site (as of the mailing’s date). Why have a separate and totally different address for the offers to begin with? It dilutes the brand. Why not use offers.paypal.com.au, or paypal.com.au/offers? I know, often the marketing department lives on their own little island within a company, and things outside of their island don’t move as fast as they would like. Still they should have access to this sub-domain, their little corner of the PP site.

But thirdly, an unforgivable, stupendous error, the URL: an IP address,… with the domain appended (for good measure, the same page appears without the appended domain name). Djezus people, this is a financial services site. PayPal must be one of the most targeted phishing sites out there. PayPal should not be spreading around these types of URLs. And I can’t verify from the main PP site that it is a PayPal controlled domain either as it isn’t an integrated campaign.

From their own Phishing Guide:

“Fake Links. Many phishing emails have a link that looks valid, but sends you to a fraudulent site that may or may not have an URL different from the link. Always check where a link is going before you click. Move your mouse over the URL in the email and look at the URL in the browser. As always, if it looks suspicious, don’t click it.”

“Deceptive URLs. Be cautious. Some fraudsters will insert a fake browser address bar over the real one, making it appear that you’re on a legitimate website. Follow these precautions: Even if an URL contains the word “PayPal,” it may not be a PayPal site. Examples of fake PayPal addresses: http://83.16.123.18/pp/update.htm?=https://www.paypal.com/=cmd_login_access, www.secure-paypal.com”

Yes, I do think paypal-offers.com.au is a legitimate PayPal offers site; it does not ask for login details, though it does link to the PayPal signup page. Looking through the email’s source code does not reveal fake domains or IP addresses; all links pass through the email1.paypal.com domain. The domain is registered by PayPal Australia Pty Limited, hosted at Net Logistics in Sydney. But it is child’s play to register paypal-specials.com or whatever, show fake offers like they do here, and ask the user to log in to take advantage of these offers. It is incomprehensible that an online-only, financial company like PayPal, and their marketing division, would do such a thing.
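The checks a recipient is told to make by hand can be written down as a small link classifier. This is an added example, not PayPal's code or anything from the campaign; `TRUSTED_DOMAINS` is an assumption about which domains a reader can recognise as PayPal's. It shows that the legitimate offers URLs trip the same warnings as the fake addresses in the phishing guide.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: only these domains and their subdomains are
# recognisable to a recipient as belonging to PayPal.
TRUSTED_DOMAINS = ("paypal.com", "paypal.com.au")
BRAND = "paypal"


def is_ip_literal(host):
    """True when the host part is a raw IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def under_trusted_domain(host):
    """True for a trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_url(url):
    """Return the warnings that apply to a link (empty list if none)."""
    if "://" not in url:            # bare hosts such as www.secure-paypal.com
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    rest = (parts.path + "?" + parts.query).lower()
    trusted = under_trusted_domain(host)
    findings = []
    if is_ip_literal(host):
        findings.append("ip-host")
    elif not trusted and BRAND in host:
        # Brand name inside a domain that is not under a trusted one;
        # paypal-offers.com.au and paypal-specials.com look identical here.
        findings.append("brand-in-untrusted-domain")
    if not trusted and BRAND in rest:
        # Brand appears only after the host, where anyone can put it.
        findings.append("brand-in-path-or-query")
    return findings


if __name__ == "__main__":
    for u in ("http://122.201.77.222/paypal-offers.com.au/",
              "www.secure-paypal.com", "https://offers.paypal.com.au/"):
        print(u, check_url(u))
```

Only addresses under the main domain, such as offers.paypal.com.au or paypal.com.au/offers, come back clean.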

Be saphe online this Xmas!

PS: I submitted the URL to PayPal as a suspicious URL. The process is confusing, and as of now I still don’t know if my submission got through. I did not receive an (automated) email back (maybe thanking me for taking the time to submit a suspicious URL?).

2 Comments

  1. Ben Bishop · January 6, 2009

    Hey JJ, I just came across the paypal-offers site after a report from a concerned supporter. My immediate reaction was that the site looked pretty suspicious, especially when Firefox 3 reported an issue with the secure certificate. After a bit of digging around I think it’s a legit PayPal site, and they only seem to link to the partner sites, but I’ve emailed our PayPal contact for confirmation.

  2. halans · January 6, 2009

    Thanks Ben.
    Good to see I wasn’t the only one concerned about this malpractice.

    I am not getting a certificate error on that domain though (in FF3). Now the domain is on SSL only (with http redirecting to https), which might be overkill for a marketing site, the main Australian PayPal site doesn’t force SSL on http://www.paypal.com.au/, actually even the opposite going from https to http (!).
    And the SSL certificate of the offers .com.au domain is registered to the Singaporean PayPal subsidiary (which seems to be the international headquarters). But they still should clean up the original Christmas offers site at http://122.201.77.222/paypal-offers.com.au/

    Hmm, interesting.
    http://www.paypal.com/ does redirect me to https (with IP geolocation /au/ and US certificate) and https://www.paypal.com.au/ redirects me to http://www.paypal.com.au/au .
