Discussion in 'other security issues & news' started by PJC, Jan 1, 2012.
PayPal Login : How to Sign up and Sign in securely
Hello Goodbye Department...
Signed up last night, then went to My Account page (see 1st image).
Clicked on the 'Complete your account setup' link and I was redirected to mp.apmebf.com.
Norton DNS immediately blocked that page (see 2nd image)
and WOT wasn't too happy with it either (see 3rd image).
The Norton DNS detailed report refers to a driveby download present on that site.
I closed the account I just opened.
Looks a little shaky to me.
Uhm, is that actually an advert? As in a malicious one?
I don't know.
I never actually got to that page.
Norton DNS blocked it, and that coupled with WOT and a couple past experiences with PayPal was all I needed to leave.
I did send feed back to PayPal, and I see now that the requested URL is not found on that server.
I meant the box on your original screenshot, I think that's an advertisement you clicked on, not actually part of the site?
I clicked on the 'Complete your account setup' link, the link that I circled...
on the My Accounts page.
Is that the box you are referring to?
Yup, is that definitely part of the site and not actually an ad?
Definitely part of the site.
If you had the time and felt like trying it for yourself, go to the PayPal page and open a new account.
Just give them fictitious info.
You'll never leave the PayPal site, then go to My Accounts and see the link I have circled.
Edit in: If you do try it yourself, I'd love to see what you come up with.
And if that is an ad, and not part of the set up process, it is well disguised and misleading as can be.
I gave it a try and the link you have circled resolved for me to another area of the -https://www.paypal.com- domain, nothing at all about this "-mp.apmebf.com-" site that you wrote of.
Note I started this whole process from -https://www.paypal.com-. It's not clear to me exactly where you started from, Page42.
It looked all legit in my case and neither NIS2012 nor OpenDNS threw a flag.
P.S. - out of curiosity, I opened IE in Sandboxie and put in that URL you wrote of and, of course, NIS2012 totally blocked access as it did for you.
Yes, I definitely accessed thru https://www.paypal.com.
Because my curiosity was growing, I opened another account and kept careful watch on where I was and what I was clicking on... which it's fair to say I did the first time, but I paid very close attention.
And as I PM'd another member... I was definitely on the PayPal site and I clicked on the same link (as is circled in the 1st image) and got redirected once again. And Norton blocked it.
I then flushed DNS cache and tried with Comodo Secure DNS and the page was not blocked, so I got to go to the next account settings page (that Norton blocked), and I could see even more indicators that the page was for account settings, and not an ad, as has been suggested. There was no sign of mp.apmebf.com.
Here is the clickstream I followed -->
Personal - Get started
Skip 'Use your account instantly', go to bottom of the page
Go to my Account Overview
takes you to the page I posted in the 1st screen capture
click on 'Complete your account setup'
So, is Norton seeing something that Comodo isn't?
Is it a false positive?
WOT seemed to think it wasn't a FP.
When I click "Get Started" under Personal, I land on a page for filling in email, password, etc and ending with "Agree and Create Account".
Did you just omit that one from your clickstream?
After I agree and create account, I got a screen for entering payment methods and on that screen I had a link below to go to my account (I didn't fill out any fields) and that's how I land on the screen you posted with the circled link.
I agree flushing DNS cache would be a prudent step.
It's a bit late for me now and I have work tomorrow.
I may be able to follow up further tomorrow night unless someone else can clarify.
Did you carry out this process over normal connections, use a proxy, use a VPN?
Was wondering if your "location" triggered the malicious domain inclusion?
Yes, I suppose so... for the most part, I didn't try to list the pages I landed on, I listed what I clicked on each page I visited.
Yes, over normal connections.
As for your reference to location possibly triggering the malicious domain inclusion, that sounds a lot like malware being delivered to a specific location source, or malware being based on geoIP.
Is that what you mean?
I remember a pretty cool thread that touched on that sort of threat, about 1½ years ago. Vlk from avast showed up on that thread and suggested,
Looking around the net, I'm beginning to find a lot of search results for "mp.apmebf.com and PayPal".
One such from the WOT forum, a guy logs out of PayPal and is redirected to Mp.apbebf.com
Another Google search result reveals a blog that refers to mp.apmebf.com as a 'widget hostname' that, along with many other similar hostnames, is included in such mainstream media websites as Washington Post, USA Today & TechCrunch.
One search result produced a reader comment from: hhhobbit, who wrote,
I don't think I agree with hhhobbit, but I'm trying to keep an open mind.
The thing is, I am only seeing this blocking from Norton DNS. Other services like Google, Open and Comodo see no problem. WOT, otoh, throws up its warning, just like the forum poster I referenced above.
Yes. Hack the hackers, attacks on the smart people kind of thing. Because the smart people tend to have a different emphasis on security enhancements than most people, so require extra work to ensnare.
If it's an attack on smart people, I don't have to worry about being attacked.
Not that it matters, but mp.apmebf.com belongs to ValueClick, which is an ads/tracking company.
Most likely, at some point, very recently, one of their servers got compromised, and Norton detection systems that provide the ratings to Norton SafeWeb, from where Norton DNS gets the info, found something, hence the reason why Norton DNS was blocking it. That's my take on it, anyway.
It wouldn't be the first time it happened.
What I don't get is, and hopefully I didn't miss the information, does Paypal have a deal with a third-party tracking system, when users are on their accounts?
Anyway, there's a good reason why I block ads and trackers.
I'm not sure if this was a direct attack against PayPal users, though? Or, just a coincidence?