Discussion:
Is this normal, or are those at Paypal a bunch of clowns?
Juancho
2017-02-07 20:48:39 UTC
So I just wasted an hour of my free time, because I got an email from
Paypal which looked suspicious, but ended up being legit.

The email itself was fine and authenticated, with an SPF result of pass,
and a valid DKIM signature -- which made it even worse and gave me the
shivers as I thought for some minutes that it wasn't just another
phishing email, but that Paypal itself had been hacked! I got really
uneasy and nervous for a while with that idea on my mind.

The Paypal email contained web links to a domain I hadn't heard of
before, which looked like the typical "cousin" domain used on phishing
attempts: https://epl.paypal-communication.com/

But it turns out Paypal.com really owns the "paypal-communication.com"
domain, and the suspect email is 100% legit.

What the hell!? I signed up for an account on Paypal.com, I do not know
nor do I have to know what other "cousin" domains those fuckers own and
want to use to talk to me.

Had they used the subdomain "communication.paypal.com" for the URLs
inside their email, I would have been at rest all the time!

What a bunch of clowns!
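
The mismatch described in this post, as an added example that is not part of the original thread: a small Python check that compares every link host in a message against the domain that passed DKIM, and flags hosts that carry the brand string but sit outside that domain. The sample message, its header values (including `header.d=paypal.com`) and the function names are constructed for illustration; a "cousin" verdict means the link cannot be tied to the authenticated domain from the mail alone, not that it is hostile.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample message; the headers are assumptions, not the poster's actual mail.
SAMPLE = """\
From: service@paypal.com
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com
Subject: constructed sample

See https://epl.paypal-communication.com/offer and
https://communication.paypal.com/offer or https://www.example.org/ today.
"""

def classify(url, auth_domain):
    """Relate a link's host to the domain that authenticated the message."""
    host = (urlsplit(url).hostname or "").lower()
    if host == auth_domain or host.endswith("." + auth_domain):
        return "aligned"      # the domain itself or a true subdomain of it
    brand = auth_domain.split(".")[0]
    if brand in host:
        return "cousin"       # brand string present, but outside the authenticated domain
    return "unrelated"

def audit(raw):
    """Map each URL in the body to its verdict, or None without a passing DKIM domain."""
    msg = message_from_string(raw)
    results = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", results)
    if not m:
        return None           # nothing authenticated to compare the links against
    auth_domain = m.group(1).lower()
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    return {u: classify(u, auth_domain) for u in urls}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE).items():
        print(f"{verdict:9} {url}")
```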
Juancho
2017-02-07 20:57:45 UTC
Post by Juancho
So I just wasted an hour of my free time, because I got an email from
Paypal which looked suspicious, but ended up being legit.
The email itself was fine and authenticated, with an SPF result of pass,
and a valid DKIM signature -- which made it even worse and gave me the
shivers as I thought for some minutes that it wasn't just another
phishing email, but that Paypal itself had been hacked! I got really
uneasy and nervous for a while with that idea on my mind.
The Paypal email contained web links to a domain I hadn't heard of
before, which looked like the typical "cousin" domain used on phishing
attempts: https://epl.paypal-communication.com/
But it turns out Paypal.com really owns the "paypal-communication.com"
domain, and the suspect email is 100% legit.
What the hell!? I signed up for an account on Paypal.com, I do not know
nor do I have to know what other "cousin" domains those fuckers own and
want to use to talk to me.
Had they used the subdomain "communication.paypal.com" for the URLs
inside their email, I would have been at rest all the time!
What a bunch of clowns!
Wow! Just WOW!

It gets better by the minute!

I just got this response from ***@paypal.com declaring the email in
question is "likely fraudulent":

----------------------------------------------
Post by Juancho
Date: Tue, 7 Feb 2017 20:36:42 +0000 (UTC)
To: [REDACTED]
Subject: Thank you for reporting a fake website (KMM64085220V99774L0KM)
x-mailer: KANA Response 15.1.0.193
Dear [REDACTED],
Thank you for partnering with PayPal to combat fraudulent emails. We
take reports of suspicious email very seriously. Your submission helped
us take the appropriate action needed to protect our customers.
We analyzed your report and determined that the suspicious email was
likely fraudulent. If you haven't done so already, please delete the
original. If you believe that you were also the victim of fraud related
1. Open a new browser and type in "www.paypal.com"
2. Log in to your PayPal account.
3. Click "Security and Protection" near the top of the page.
4. Click "Identify a problem."
5. Click "I think someone may be using my account without permission."
6. Click "Unauthorized Account Activity."
If you have any other questions about PayPal security, please visit the
PayPal Security Center.
Thanks again for the report.
PayPal Security
Copyright© 2017 PayPal Inc. All rights reserved.
-----------------------------------------------------


Did I call them clowns already?
Peter H. Coffin
2017-02-08 00:08:25 UTC
Post by Juancho
Wow! Just WOW!
It gets better by the minute!
I recommend going ahead and reporting the "fraudulent email" -- I
can't think of ANY better way to make an impression on how dumb this is.
(It's been going on long enough that I've read about it in RISKS
already, so... Obviously they don't have anyone reading *that* that is
in any position to do something about it.)
--
Windows is a pane in the ass....
Juancho
2017-02-08 20:49:38 UTC
Post by Peter H. Coffin
I recommend going ahead and reporting the "fraudulent email" -- I
can't think of ANY better way to make an impression on how dumb this is.
Hmm, I'm not sure I'm following you.

I already reported the suspect email (with full headers) to
***@paypal.com, and they replied back with the answer I already
posted, declaring it "likely fraudulent" (when in fact it is legit, but
certainly suspicious even to Paypal itself).

I don't blame the overworked interns behind ***@paypal.com copying and
pasting 10 replies per minute to confused users. I blame the "social
engineers" who came up with the idea of using a "cousin" domain for a
financial cloud-native company to talk to its users.

Satya
2017-02-08 08:57:16 UTC
Post by Juancho
Post by Juancho
What the hell!? I signed up for an account on Paypal.com, I do not know
nor do I have to know what other "cousin" domains those fuckers own and
want to use to talk to me.
This is bad and wrong of them. You know why people keep falling for phishing
(besides the other obvious reason)? Because "legit" people keep pulling crap
like that.
Post by Juancho
Post by Juancho
Had they used the subdomain "communication.paypal.com" for the URLs
inside their email, I would have been at rest all the time!
What a bunch of clowns!
I was fully expecting them to tell you "it's ok, we own that domain, see how
it says 'paypal'?"

Wasn't expecting this:

[Juancho quotes Paypal:]
Post by Juancho
Post by Juancho
We analyzed your report and determined that the suspicious email was
likely fraudulent. If you haven't done so already, please delete the
Okay, now I don't know what to believe.
Post by Juancho
Did I call them clowns already?
Yes, yes you did.