Here we are with another example: Does anyone out there really think PP is safe? Why don't we hear these things constantly from/about other payment services?
Funny part about this is that the shills did not even bother to respond. I wonder why not?
The very REAL possibility exists that paypal themselves are behind a great deal of this fraud. After all, they answer to NO ONE! They have the entire system rigged so that they can perpetrate, manipulate, dismiss and/or conceal every last bit of it. As we can all clearly see they are getting more desperate and mal-creative with the schemes.
"This thread has been removed 2x in just the last 15 minutes. A regular has intimated it is my ex's fault the money is gone, even though my ex does not store passwords, nor has he accessed the account in about 2 years.
There's been 7 other accounts in our area compromised in just the last month. What say you PP supporters? Or are you just going to delete this again? I already have a letter being fired off to Ina Steiner.
Bear in mind that Paypal has openly come out with behavior which is, in every way shape and form, organized crime; Racketeering. Simple as that!
Furthermore, the notion that Paypal has never been hacked is a pure LIE and FRAUD! It is a deliberately untruthful statement, contrived and executed to deceive members, shareholders and the general public and potential members from knowing the real dangers, continual and repeated failures of Paypal!
Here is only one striking example of Paypal being hacked. There are more, I assure you.
"A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.
The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS)...."
See that part ^ about "the genuine Paypal website"? See that part about xss?
If that's not hacking, then nothing is!
But it gets better...
Not only were they hacked for 2 years, they actually LIED and tried to cover it up!
This has been mentioned in my vids time and again, such as here and here.
So if anyone reading here posts to the thug controlled, paid shill and LIAR filled paypal forums, share those links and videos with them. I'm sure they will love it!
Here are custom tinyurls for this forum and my ebay-paypal critic video channel BTW:
Now, specifically to the issue of iTunes and paypal hacking...
It doesn't take a hacker. There is no trick.
It is a security hole "feature" big enough to float the Hindenburg through. It is part of the way PP is designed.
I don't feel like digging up all the links right now, but anyone can search for paypal itunes hacked and similar and will see what I mean. There has been an epidemic of that lately. The reason: uncorrected failure with a PP 'feature'.
The end result is the same though: Paypal blames the victim! I should also say that to the victim, the technical details are not important, they still suffer a loss, get lied to, insulted, disrespected, even libeled by cheap, weaseling GANGSTERS and GOONS!
That is one reason why so many people are dedicated to exposing this criminal corp for what it TRULY is. Those paid shills will be the death of eb-pp just as much as Donahoe's schizo-lame-O brainstorms.
The 48,727 followers of the NASA Astronaut account on Twitter expect to hear about updates on astronaut activity and get some personal insight from the astronauts themselves. They probably were not expecting to be bombarded by spacemen offering to sell them plasma and LCD flat-screen TVs at bargain prices however....
Skilled malware authors have duped less skilled cybercrooks into doing their dirty work with a new phishing kit.
A "freeware" phishing kit posted onto hacker forums poses as a way to set up fraudulent websites pretending to be, for example, PayPal or webmail providers. Spam emails masquerading as security checks are then distributed to hoodwink the credulous into handing over their login credentials.
The proxy hackers will record some success, potentially stealing scores of credentials before their fake sites are taken offline. However, secret backdoor functionality in the Login Spoofer 2010 phishing kit means that the vast majority of stolen credentials are sent back to the original authors of the hacking tool, not the proxy hackers who use it.
The approach allows the original authors of the phishing kit to harvest thousands of web and payment service credentials without monkeying around with spam campaigns by delegating the spade work to their unwitting minions. The "automated, cloud-based phishing kit" was developed in Algeria and features Arabic tutorials but runs in English, database security firm Imperva reports.
A blog post by Imperva, containing screenshots of the kit and its dashboard, can be found in a blog post here.
Imperva warns that the cloud-based approach taken by the scam turns takedown efforts into a game of whack-a-mole. "Unlike previous phishing kits that have been available for years, this new approach lives in the cloud and relies on hackers exploiting other hackers," it said. "And with the new cloud-based approach, the infrastructure for this phishing kit never goes away." ®
Nothing much new to see there, but just a reminder to keep letting people know that ebay is crawling with trojans, virus and ID theft, and that it's gone uncorrected so long that it must be an inside job. Stay away from ebay it will ruin your computer and wreck your life.
Tell people that In Real Life, where ebay's army of paid astroturfers can't censor or delete. I can see by the looks on people's faces when you tell them things that they will never be using ebay or paypal. lmao!!!
Judging from ebay's falling traffic people must be getting the message.
Oh but another thing... Those hackers seem to have been pretty quiet lately eh? I wonder what they are up to?
The PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal does not properly validate orders, which allows remote attackers to trigger unspecified "duplicate actions" via unknown vectors.
Unspecified vulnerability in the PayPal Website Payments Standard functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal, when a custom checkout completion message is enabled, allows attackers to obtain sensitive information via unknown vectors.
Cross-site request forgery (CSRF) vulnerability in the order-management functionality in the Ubercart module 5.x before 5.x-1.9 and 6.x before 6.x-2.1 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
eBay is the victim of a phishing attack that uses its own compromised server, according to email filtering company Red Condor.
In an advisory published today, Red Condor said that a phishing mail sent by scammers reporting an eBay security alert differs from conventional phishing emails. This one tells victims that they must download a Security Shield program, which is in fact a trojan that harvests their passwords and presumably carries out other malicious activities on their machines.
Traditionally, phishing email relies on victims entering information about their accounts on spoof websites designed to look like the targeted company's genuine site. However, this mail directs victims to a web page containing a Download Now button to download software that directly compromises their machine.
In case no one was paying attention, the file JS Pdfka-OE you see mentioned in the video as being a false positive by a pink has turned out to be a genuine exploit from the looks of things.
Still, no announcement, no retraction, update, clarification... no nothing from eb? I wonder why that is? After all, it's only literally millions of people's lives potentially ruined?
I can't stress this enough, the file was and likely still is being hosted on ebay's very own servers, along with the other 'security shield', which is still being found on about me pages.
PayPal says it has closed a number of security holes uncovered by an Avnet Technologies security researcher, including one that could have allowed an attacker to access PayPal's back-end system for business and premier account reports and acquire a mountain of data.
A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal's business and premier reports back-end system.
The vulnerabilities were patched recently by PayPal after security researcher Nir Goldshlager of Avnet Technologies brought the vulnerabilities to the site's attention. The most critical bug was a permission flow problem in business.paypal.com, and could have potentially exposed a massive amount of customer data.
"An attacker was able to access and watch any other user's financial, orders and report information with unauthorized access to the report backend application," Goldshlager explained. "When users have a premier account or business account the transaction details of their orders are saved in the reports application an attacker can look at any finance reports of premier or business accounts in the PayPal reports application and get a full month [and] day summary of the orders reports."
That includes information such as the PayPal buyer's full shipping address, the PayPal transaction ID of the buyer and the date and amount of transaction.
The other vulnerabilities Goldshlager found included an XSS (cross-site scripting) vulnerability affecting the paypal.com and business.paypal.com sites that an attacker could use to steal session IDs and hijack user accounts, as well as a CSRF (cross-site request forgery) bug that exposed user account information. The CSRF vulnerability impacts the IPN (Instant Payment Notification) system, a PayPal service that sends a message once a transaction has taken place.
Once IPN is integrated, sellers can automate their back offices so they don't have to wait for payments to come in to fulfill orders, Goldshlager explained.
"This CSRF exploit method exposes the same information from the buyer as the first vulnerability ... to exploit a CSRF attack that adds a Instant Payment Notification access, the attacker will make an attack that adds his own Website address to the victim account IPN settings, and when there is transaction on PayPal the victim's transaction details will be sent to the attacker's Website," he said.
Goldshlager also uncovered smaller CSRF issues, he said. He reported the bugs to the site in February. According to PayPal, nearly all the problems Goldshlager uncovered were fixed right away.
"As you know, these types of security issues are very complex and we are grateful for our strong working relationship with the security researcher as well our partnership with the security community that have brought these issues to light," a PayPal spokesperson told eWEEK in an e-mail. "We have a shared mission to make PayPal and the Internet as safe as possible for our customers."
-- Edited by budnonymous on Friday 16th of April 2010 06:46:43 AM
Pretty obvious that ebay-paypal are hacked to the gills. There are too many signs that hackers are and have been deep into the db. (like september 25th 2007 for instance roflmao!!!)
This is more than just "phishing" when they have your real name. For that matter, "simple phishing" is an ancient sport nowadays. lol.
But I also wonder just who are these creepy people on the forums who are always telling outright lies to and insulting these aggrieved consumers?
Something seems very phishy about that. It is really waaaaaaaaaaaaaaaaaaay beyond believable...
Does that seem like the sort of outfit you should trust? Is that the sort of response you should get when problems arise?
That spiffy new page look doesn't seem to be improving safety, or functionality for that matter.
Sort of like when a slumlord landlord hires, oops strike that, I mean scams on, pimps out or freeloads on a bunch of crackheads to paint the crackhouse. Along the way they break a few windows and put holes in the roof, defecate in the kitchen sink.
A 20-year veteran of the military named Doug received an email on Thursday informing him that eBay had put a temporary hold on his selling account. The email instructed him to click on a link that led to eBay.com, where he verified his account. Ten minutes later, he received 29 email messages from shoppers asking questions about products that he had not put up for sale, including bicycles and exercise equipment.
After ebaY issues a statement ^^ claiming to have fixed the flaw responsible for the allowance of these redirect scams, Doc finds the very same SUV listed and redirecting again! Same exact photos, same fake VIN etc
But ebaY left that listing to run for several days, only pulling it on 03-16-2010. The view count was over 7K as I made the vid. Not sure the final count. But wait! There's more!
After the listing got pulled, the phake page had a frame from ebay stating the listing was closed, yet the phake STILL had a redirect to yet another phake site which had already been taken down (added to blacklist, and suspended) by FF from the looks of things.
FWIW, when I visited the phake page directly, as the listing was still active, I got redirected to ebaY's main page. There are a LOT of particularities about what we see here. More than either one of us has mentioned publicly so far. This is clearly something new.
Bottom line; The hackers are knee deep into ebaY's sphincter.
-- Edited by budnonymous on Tuesday 16th of March 2010 09:48:01 PM
Watch this response carefully. You'll see that everything which can be blocked is being blocked. You can't give the browser much less privileges. ebaY is NOT safe! Worst of all they blame the victim!
"eBay Motors is constantly and proactively monitoring the site to prevent and address possible fraudulent behavior. As part of this monitoring, eBay Motors has identified recent redirect issues and has implemented specific safety measures, including updating our detection systems with a filter to identify this particular behavior. These additional protections should supplement smart shopping habits, including reviewing seller ratings, communicating with sellers and confirming transaction details through My eBay before making a purchase, and never paying for a vehicle via instant cash-transfer methods. eBay Motors also offers free vehicle history reports and a Vehicle Purchase Protection program for transactions that occur on the site, to help ensure the 10 million visitors coming to the site each month interact in a safe, trusted marketplace."
eBay is working to patch a cross-site request forgery vulnerability recently uncovered by a security researcher. The Avnet researcher also discovered cross-site scripting and blind SQL injection bugs in eBay's online auction site, which eBay has fixed.
eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user's password and get access to that user's account.
The vulnerability is one of several affecting eBay that were recently uncovered and shared with eWEEK by Nir Goldshlager, a researcher with Avnet Information Security Consulting. Among the vulnerabilities are cross-site scripting bugs in the eBay Live Help support page and eBay To Go, which the company fixed by validating user input. In addition, Goldshlager uncovered a blind SQL injection problem in the eBay donations Website.
All of the vulnerabilities have been patched except the CSRF (cross-site request forgery) flaw. According to Chad Greene, eBay's senior manager of global information security, the company has pushed code to the core site to measure the impact of potential fixes for the CSRF problem on the user and will make a decision about how to address the situation in the next three weeks.
"The nature of CSRF means that there isn't a single fix that can be applied in all cases and rolling out the wrong fix could break legitimate user functionality," Greene told eWEEK in an e-mail.
According to Goldshlager, who demonstrated a proof-of-concept attack, the CSRF vulnerability can be exploited to ultimately get control of a user's account.
"When the victim visits my malicious Website I can change his password ... to any password I choose," Goldshlager explained. "I can change the user's password because I am in control of changing his primary phone and personal information details in his eBay account. An attacker can [also] change the secret question [and] answer with the cross-site request forgery vulnerability. Then he can renew the password of the user by using the 'forget password' mechanism."
In an interview, Greene said users can report any security issues they find to eBay's security center, and the site works with members of the research community to uncover any vulnerabilities.
"We work with many members of the security community as well as the security industry we like to do community outreach and educate the user base," Greene said.
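As an added example (not taken from the quoted articles or from PayPal's or eBay's code), here are the server-side checks that stop the two CSRF scenarios the eWEEK pieces describe: a forged change to an account's IPN address and a forged change to phone or secret-question details. The field names, origins and request shape are hypothetical.

```python
import hashlib
import hmac
import secrets

# All names and values below are hypothetical, constructed for illustration.
SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret
TRUSTED_ORIGIN = "https://shop.example"   # the site's own origin
SENSITIVE_FIELDS = {"ipn_url", "phone", "secret_question", "password"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_settings_change(request: dict) -> tuple:
    """Return (allowed, reason) for a state-changing account request.

    `request` is a plain dict standing in for a framework request object.
    """
    if request["method"] != "POST":
        return False, "state changes must use POST"

    # 1. Origin: a form auto-submitted from another site carries that
    #    site's origin. A missing header is rejected as well.
    if request["headers"].get("Origin") != TRUSTED_ORIGIN:
        return False, "cross-origin request"

    # 2. Token: the browser attaches the session cookie to a forged
    #    request automatically, but the forging page cannot read the token.
    sent = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(request["session_id"])
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "missing or wrong CSRF token"

    # 3. Fields that redirect data or enable account recovery also need
    #    the current password re-entered in this session.
    if SENSITIVE_FIELDS.intersection(request["form"]) and not request.get("reauthenticated"):
        return False, "re-authentication required"
    return True, "ok"


def sample_requests() -> dict:
    """Constructed requests: one forged, one stale-token, two genuine."""
    good = issue_csrf_token("sess-victim")
    base = {"method": "POST", "session_id": "sess-victim"}
    return {
        "forged_ipn": {**base, "headers": {"Origin": "https://evil.example"},
                       "form": {"ipn_url": "https://evil.example/collect"}},
        "other_session_token": {**base, "headers": {"Origin": TRUSTED_ORIGIN},
                                "form": {"phone": "555-0100",
                                         "csrf_token": issue_csrf_token("sess-other")}},
        "genuine_no_reauth": {**base, "headers": {"Origin": TRUSTED_ORIGIN},
                              "form": {"secret_question": "q", "csrf_token": good}},
        "genuine": {**base, "headers": {"Origin": TRUSTED_ORIGIN},
                    "reauthenticated": True,
                    "form": {"ipn_url": "https://shop.example/ipn",
                             "csrf_token": good}},
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:22} -> {check_settings_change(req)}")
```

The token check only holds while the site is free of cross-site scripting, since script running on the site's own origin can read the token; the re-authentication step is what keeps a single forged request from reaching the "forget password" path.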
Just a little reminder that the hijacked fraud auctions are still going strong on ebay. Same way as always. Same lackluster job keeping them off the site by ebay's so-called security dept.
These were all from different sellers IIRC, one single email address found in all of them.
An imminent ruling on a two-year-old hacking case involving Auction, which now enjoys a virtual monopoly in the nation's online open market after taking over Gmarket, is expected to set a precedent in many ways, not least of all about how tolerant the nation will be regarding online businesses. This ruling could make or break the future of the country's Internet business. ED.
By Park Si-soo Staff Reporter
A Seoul court is expected to make a ruling Thursday on the largest private information leakage case involving the online open market site, Auction, owned by eBay. The system was hacked into in February 2008.
The company and the authorities estimate that nearly 10.81 million or 60 percent of all registered users of Auction (www.auction.co.kr) had their private information including ID numbers, home addresses, phone numbers and even bank accounts exposed to strangers by hackers allegedly from China.
Of them, 146,000 users have taken a class action against the online auction company, each demanding between one and three million won ($880-$2,650) in compensation. Police failed to identify and catch those who penetrated the company's firewall.
What the cyber attack left behind was a long, drawn out court battle between two "victims": Auction and its affected users.
The plaintiffs tried to prove that they had sustained damage as a result of the leak, citing an increase in the number of what appeared to be fraudulent calls to their mobile phones following the incident.
Auction, which was taken over by eBay in 2001, tried to defend itself on the basis that the cyber attack and resultant information leak was an unavoidable "rite of passage" for Internet-based companies at home and abroad.
"No matter how strong a firewall may be, Internet firms are bound to be susceptible to hackers," said an Auction spokesman. "At the time of the incident, we were using a state-of-the-art firewall whose defense capability was not inferior to that of the world's most popular commercial Web sites. If the court holds us responsible, online marketplaces like Auction will lose business, in turn causing a significant impact on the IT industry in general."
The spokesman underlined, "We are also a victim."
Lim Sung-geun, a presiding judge of the case, has remained tight-lipped. Given past rulings on similar cases, however, it's very likely that Auction will be held partially liable.
In November 2008, the Seoul High Court ordered Kookmin Bank to pay 200,000 won in compensation to nearly 1,000 online clients, whose private information was leaked. LG Electronics was also ordered to pay 700,000 won to those who uploaded their private information on its recruitment Web site, whose firewall was also breached. No matter how little the compensation to each user may be, the Auction spokesman says, it could pose a grave threat to its bottom line.
"If the plaintiff wins, it's possible that the remaining 10 million people who have taken no legal action against us as yet would follow suit," the Auction spokesman said.
According to a quarterly report the company submitted to the state financial watchdog in November last year, it had capital of 108.7 billion won as of Sept. 30.
ebay is still being eaten alive with fake listings and hacked hijacked accounts. The scammers and hackers are getting more creative and harder to spot.
Viewers can look here, at the www.firejohndonahoe.com public blog, where Doc, from www.ebaymotorssucks.com has captured images of the source code of the phake login phishing page and more info. http://tinyurl.com/y9yf93e
There is also another variant of the flash manipulation exploit where the hackers can actually pop right up into your "My ebaY" page. Again, the uncorrected critical safety flaw has existed a looooong time & to the best of my knowledge still possible/and/or in use
Learn more about that by searching-reading "Watchdog Group Gives Live Demo of eBay Security Vulnerability" article on the auctionbytes site, March 2008. http://tinyurl.com/yhsj9wa
I see someone has been very hard at work having images from this thread topic deleted from image shack. I will be replacing/reuploading them as time permits. In the meantime, if anyone wants to see any of them, contact me.
Payback is going to be issued, so keep deleting...
By: Robert McMillan - IDG News Service (San Francisco Bureau) (GM) (10 Aug 2009)
At Black Hat, researchers say these bugs could be used with null termination certificates to create undetectable man-in-the-middle attacks. Find out about the new vulnerabilities found by Dan Kaminsky
LAS VEGAS -- Security researchers have found some serious flaws in software that uses the SSL (Secure Sockets Layer) encryption protocol used to secure communications on the Internet.
At the recent Black Hat conference in Las Vegas, researchers unveiled a number of attacks that could be used to compromise secure traffic travelling between Web sites and browsers.
This type of attack could let an attacker steal passwords, hijack an on-line banking session or even push out a Firefox browser update that contained malicious code, the researchers said.
continues at link... ^^^
If anyone out there cares, I have a guaranteed fix/defense for this exploit (in FF). Takes all of 10 seconds, but I won't share it publicly. Anyone who wants to know what it is can contact me.