PayPal Login : How to Sign up and Sign in securely

Discussion in 'other security issues & news' started by PJC, Jan 1, 2012.

Thread Status:
Not open for further replies.
  1. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  2. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    Hello Goodbye Department...
    Signed up last night, then went to My Account page (see 1st image).
    Clicked on the 'Complete your account setup' link and I was redirected to mp.apmebf.com.
    Norton DNS immediately blocked that page (see 2nd image)
    and WOT wasn't too happy with it either (see 3rd image).
    The Norton DNS detailed report refers to a driveby download present on that site.
    I closed the account I just opened.
    Looks a little shaky to me. :shifty:
    PayPal bad link.jpg
    PayPal blocked by Norton DNS.jpg
    PayPal flagged by WOT.jpg
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Uhm, is that actually an advert? As in a malicious one?
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    An advertisement?
    I don't know.
    I never actually got to that page.
    Norton DNS blocked it, and that coupled with WOT and a couple past experiences with PayPal was all I needed to leave.
    I did send feedback to PayPal, and I see now that the requested URL is not found on that server.
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I meant the box on your original screenshot, I think that's an advertisement you clicked on, not actually part of the site?
     
  6. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    I clicked on the 'Complete your account setup' link, the link that I circled...
    on the My Accounts page.
    Is that the box you are referring to?
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yup, is that definitely part of the site and not actually an ad?
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    Definitely part of the site.
    If you had the time and felt like trying it for yourself, go to the PayPal page and open a new account.
    Just give them fictitious info.
    You'll never leave the PayPal site, then go to My Accounts and see the link I have circled.
    Edit in: If you do try it yourself, I'd love to see what you come up with.
    And if that is an ad, and not part of the set up process, it is well disguised and misleading as can be.
     
  9. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    I gave it a try and the link you have circled resolved for me to another area of the -https://www.paypal.com- domain, nothing at all about this "-mp.apmebf.com-" site that you wrote of.

    Note I started this whole process from -https://www.paypal.com-. It's not clear to me exactly where you started from, Page42.

    It looked all legit in my case and neither NIS2012 nor OpenDNS threw a flag.

    P.S. - out of curiosity, I opened IE in Sandboxie and put in that URL you wrote of and, of course, NIS2012 totally blocked access as it did for you.
     
    Last edited: Jan 19, 2012
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    Hello crofttk,

    Yes, I definitely accessed thru https://www.paypal.com.

    Because my curiosity was growing, I opened another account and kept careful watch on where I was and what I was clicking on... which it's fair to say I did the first time, but I paid very close attention.

    And as I PM'd another member... I was definitely on the PayPal site and I clicked on the same link (as is circled in the 1st image) and got redirected once again. And Norton blocked it.

    I then flushed DNS cache and tried with Comodo Secure DNS and the page was not blocked, so I got to go to the next account settings page (that Norton blocked), and I could see even more indicators that the page was for account settings, and not an ad, as has been suggested. There was no sign of mp.apmebf.com.

    Here is the clickstream I followed -->

    • paypal.com
    • sign up
    • Personal - Get started
    • Skip 'Use your account instantly', go to bottom of the page
    • Go to my Account Overview
    • takes you to the page I posted in the 1st screen capture
    • click on 'Complete your account setup'

    So, is Norton seeing something that Comodo isn't?
    Is it a false positive?
    WOT seemed to think it wasn't a FP.
     
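    The question in the post above is really "did the click leave the paypal.com site, and where did it go?" The following is an added example (not code from the thread or from PayPal) that follows a chain of HTTP redirects without rendering anything and flags every hop whose host is outside the trusted domain; the responses are a constructed table standing in for what a client would see, and the matching handles look-alike hosts such as `paypal.com.example.net` correctly.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample responses: url -> (HTTP status, Location header or None).
# These are NOT real PayPal responses; they model the redirect reported in the thread.
SAMPLE_RESPONSES = {
    "https://www.paypal.com/account/setup":
        (302, "https://mp.apmebf.com/mt/paypal.com/setup?x=1"),
    "https://mp.apmebf.com/mt/paypal.com/setup?x=1":
        (302, "https://www.paypal.com/account/settings"),
    "https://www.paypal.com/account/settings": (200, None),
}

def sample_fetch(url):
    """Offline stand-in for an HTTP HEAD/GET that does not follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, None))

def host_in_domain(host, domain):
    """True only if host equals domain or is a real subdomain of it.
    'www.paypal.com.evil.example' must NOT match 'paypal.com'."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def trace_redirects(start_url, fetch, trusted_domain, max_hops=10):
    """Follow Location headers one hop at a time; return [(url, status, on_trusted_domain)].
    Stops on a non-redirect status, a missing Location header, a loop, or max_hops."""
    hops, seen, url = [], set(), start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        host = urlparse(url).hostname
        hops.append((url, status, host_in_domain(host, trusted_domain)))
        seen.add(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)   # Location may be relative
        if url in seen:                # redirect loop; record it and stop
            hops.append((url, None, host_in_domain(urlparse(url).hostname, trusted_domain)))
            break
    return hops

def offsite_hosts(hops):
    """Distinct hostnames in the chain that are outside the trusted domain."""
    return sorted({urlparse(u).hostname for u, _, trusted in hops if not trusted})

if __name__ == "__main__":
    chain = trace_redirects("https://www.paypal.com/account/setup", sample_fetch, "paypal.com")
    for url, status, trusted in chain:
        print(("on-site " if trusted else "OFF-SITE") + f"  {status}  {url}")
    print("off-site hosts:", offsite_hosts(chain))
```

To audit a live link, replace `sample_fetch` with a function that issues a request with redirects disabled and returns the status and Location header; the trace then shows exactly which hosts the browser would have been sent through.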
  11. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    When I click "Get Started" under Personal, I land on a page for filling in email, password, etc and ending with "Agree and Create Account".

    Did you just omit that one from your clickstream?

    After I agree and create account, I got a screen for entering payment methods and on that screen I had a link below to go to my account (I didn't fill out any fields) and that's how I land on the screen you posted with the circled link.

    I agree flushing DNS cache would be a prudent step.

    It's a bit late for me now and I have work tomorrow.

    I may be able to follow up further tomorrow night unless someone else can clarify.
     
  12. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    @Page42
    Did you carry out this process over normal connections, use a proxy, use a VPN?
    Was wondering if your "location" triggered the malicious domain inclusion?
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    Yes, I suppose so... for the most part, I didn't try to list the pages I landed on, I listed what I clicked on each page I visited. :)
    Yes, over normal connections.
    As for your reference to location possibly triggering the malicious domain inclusion, that sounds a lot like malware being delivered to a specific location source, or malware being based on geoIP.
    Is that what you mean?
    I remember a pretty cool thread that touched on that sort of threat, about 1½ years ago. Vlk from avast showed up on that thread and suggested,
    Looking around the net, I'm beginning to find a lot of search results for "mp.apmebf.com and PayPal".

    One such from the WOT forum, a guy logs out of PayPal and is redirected to Mp.apbebf.com

    Another Google search result reveals a blog that refers to mp.apmebf.com as a 'widget hostname' that, along with many other similar hostnames, is included in such mainstream media websites as Washington Post, USA Today & TechCrunch.
    One search result produced a reader comment from: hhhobbit, who wrote,
    I don't think I agree with hhhobbit, but I'm trying to keep an open mind.

    The thing is, I am only seeing this blocking from Norton DNS. Other services like Google, Open and Comodo see no problem. WOT, otoh, throws up its warning, just like the forum poster I referenced above.
     
    Last edited: Jan 20, 2012
  14. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Yes. Hack the hackers, attacks on the smart people kind of thing. Because the smart people tend to have a different emphasis on security enhancements than most people, so require extra work to ensnare.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,961
    Location:
    USA
    If it's an attack on smart people, I don't have to worry about being attacked. :cautious:
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not that it matters, but mp.apmebf.com belongs to ValueClick, which is an ads/tracking company.

    Most likely, at some point, very recently, one of their servers got compromised, and Norton detection systems that provide the ratings to Norton SafeWeb, from where Norton DNS gets the info, found something, hence the reason why Norton DNS was blocking it. That's my take on it, anyway.

    It wouldn't be the first time it happened.

    What I don't get is, and hopefully I didn't miss the information, does Paypal have a deal with a third-party tracking system, when users are on their accounts? o_O

    Anyway, there's a good reason why I block ads and trackers.

    I'm not sure if this was a direct attack against PayPal users, though? Or, just a coincidence?
     