March 18, 2009
Cyber Attack: Unsolicited, Unstoppable PayPal Payments
By: Ina Steiner
Wed Mar 18 2009 22:42:14
An online merchant selling digital services on his website began receiving suspicious payments into his PayPal account on Sunday. The payments came from different, bogus, email addresses. By Wednesday evening, the payments were still coming in and had reached over $8,000.
On Tuesday, the merchant spoke by phone to a PayPal representative, who suggested he refund the payments, but the merchant held off, afraid that would somehow legitimize the transactions and leave him the responsible party.
Some transactions were red-flagged by PayPal, others were not, despite the merchant's warning to PayPal about the strange activity.
On Tuesday, he removed the PayPal Add to Cart buttons from his main pages, he said, but left them on sub-pages so he could still receive orders for his products. On Wednesday, he removed all Add to Cart buttons from all pages on his website, but the payments continued to roll in.
By Wednesday evening, he had received between 80 and 90 payments that added up to over $8,000. ("Because of the volume of activity and PayPal decreasing the amount by instigating disputes while payments are continuing to come in, I have no idea how much this will total up to," the merchant told AuctionBytes.)
Why would a scammer use stolen credit cards to send payments to a third-party website? One person we consulted who monitors eBay and online fraud suggested scammers might be trying to test the validity of credit card accounts by seeing which ones went through. But it wasn't quite convincing given the way the payments were arriving.
There were several disturbing characteristics of this attack. It appears that scammers could use bogus information (including email address, physical address, and phone number) to send payments with credit cards that were, one would conclude, compromised or stolen. In some of those cases, it seems PayPal failed to identify them as suspicious to the merchant in a timely fashion.
Here's one of the originating email addresses: Karawamawalakasaramaarsadeenaanigamalasaraysaahemalakasaraawere70@hotmail.com
The merchant reported that only 22 of the over 80 transactions were closed as of Wednesday afternoon.
PayPal spokesperson Michael Oldenburg said, "In these types of situations we recommend that customers refund the payments and report the suspicious activity by calling PayPal - just as (the merchant) did. This allows our fraud team to investigate the other accounts for possible fraudulent activity."
However, a high-volume merchant could conceivably spend an enormous amount of time trying to distinguish between legitimate and scam transactions and refunding the scam transactions in addition to reporting the problem to PayPal. In this particular merchant's case, he has also disabled the ability for buyers to order products on his site (though it hasn't stopped the payments from arriving in his PayPal account).
For us, as 10-year observers of online fraud of all kinds, perhaps the most intriguing puzzle of all is why we haven't been able to find similar reports of this type of incident. We know that when one incident surfaces, it is bound to be followed by more, so keep an eye out for strange activity in your PayPal account, and keep a close eye on your credit cards!
All theories and suggestions welcome below.