In February, we published a list of domain names you should register to thwart possible Web site spoofs. The OCC www.treas.occ.gov recently issued an advisory letter along the same lines although they didn’t spell out the specific steps you should take. (See p. 18 for the full text of OCC Alert 2000-9, dated July 19, 2000.)
The OCC letter coincided with a successful spoof on www.Paypal.com by an alleged Russian hacker. The spoof was first identified on several Internet forums on July 20 and the spoofed site was pulled off the Web within 48 hours. Some PayPal users reported having had their accounts drained, but www.X.com refunded the stolen money. www.X.com quickly froze the funds in at least one of the hacker’s accounts and it is not known how much, if any, the company lost in the scam. It certainly caused quite a stir in the eBay seller’s community targeted by the scam.
How it Worked
While it’s impossible to prevent all spoof attacks, you can make it harder by securing the rights to all look-alike spellings of your domain name as outlined in
The PayPal spoof is especially clever although easily preventable. The hacker registered a look-alike domain name, paypai.com, substituting a capital “I” for the lowercase “l” in PayPal. The beauty of this spoof is that these two letters look identical in most text fonts used in email and Web browsers. Try it yourself: in your browser, type p-a-y-p-a-(capital)-I and note that it looks exactly like paypal.
We learned of the PayPal spoof a few days after it occurred while reading one of the bulletin boards for the auction-seller community. Following is the original post that first identified the spoof.
Original Bulletin Board Warning of PayPal Spoof
Date Posted: Jul/20/2000 5:46 PM
I just got the following message:
<< You've got cash!
Michael Swenson just sent you money with PayPal.
Amount: $827.46
Click here to get you new account bonus!
Did you know you can earn money with the PayPal Refer-a-Friend program? Go to http://www.Pay-Pal.com/specialoffers for more details.
To view your PayPal balance or other account information, log in at http://www.PayPaI.com/login
If you do not wish to be notified when someone sends you money, you may edit your preferences by logging in to your PayPal account and selecting the Profile subtab.
Thank you for using PayPal, a free service of X.com! >>
Notice that the link above is paypai.com not the correct one.
The whois info (ed. note: from Network Solutions):
<< Registrant:
Birykov Inc.
Lenina 80
Chelyabinsk
South Ural
454000
RU
Domain Name: PAYPAI.COM
Administrative Contact, Billing Contact:
Mr Vasily I Birykov
Phone: 7-3512-128500
Fax: 7-3512-128500
Technical Contact, Zone Contact, Registrar:
Easyspace Hostmaster
Fax: +44 1932 350222
Record last updated on 2000-07-18.
Record created on 2000-07-18.
Domain servers in listed order:
NS1.EASYPOST.COM 216.167.71.20
NS3.EASYPOST.COM 216.167.71.24 >>
Source: anandtech.com, July 20, 2000 <forums.anandtech.com/messageview.cfm?catid=45&threadid=201477>
The fake email message used the same wording as a legitimate payment notification from PayPal. The only difference was that a capital “I” was substituted for a lowercase “l” in the link. Even though recipients might have suspected a hoax, since no one was actually expecting an $800 payment from a Michael Swenson, a logical thing to do would be to go directly to PayPal and make sure your account was in good order. And what faster way to do that than by clicking through the link in the email message? Unfortunately, anyone who did that was had. And they wouldn’t even have known it, because after capturing their username and password, the hacker logged the victim into their actual PayPal account, so nothing appeared out of the ordinary. Later the thief would log into PayPal using the stolen username and password and drain the account by sending payments to other PayPal accounts under the hacker’s control, then attempting to withdraw the funds from the system. For a more detailed account of the hack, read the following bulletin board posting by cottg:
Explanation of the Spoof by eBay Seller “cottg”
Posted July 23, 2000, 08:48 PM
If you didn't read the thread at anandtech.com, let me just let you into the key to this scam. Basically, it's very simple and very, very "scary" in the sense that it is so easy for someone to be duped.
Here are the steps this scammer was taking:
1) Set up Web site www.paypai.com using all graphics and HTML from PayPal's site.
2) Change login/pass form so that it writes them to a file, then passes it on to PayPal and logs you in (the "beauty" of it is that you DO actually log into your real PayPal account, and thus don't suspect anything).
3) Now here's the trick... he sent out e-mails to tons of people saying "You've got cash!" With tantalizingly large amounts, like $800. It included a link to PayPaI.com. Note that it is a capital "I" and not a small "L". Note that in most fonts, they look almost identical.
4) User unsuspectingly clicks on the link to see who this wonderful fellow is that sent them all that cash! They log in, and since it passes them on to PayPal, they don't suspect anything. It's just weird that the payment they got a message about isn't in there. Must have been a joke, they think. Little do they realize that they just gave away their login info.
Luckily, the site got taken down quickly. But the key thing to do, as Damon (ed note: a PayPal rep who answers questions on this board) said, DO NOT log into PayPal unless your address bar says "x.com" or "paypal.x.com" at the top. If possible, always go from a bookmark or by typing it in, not an e-mail link. Good thing PayPal and an active Internet community got this thing down quick, even though it is hosted in Russia! Hope nothing like this ever surfaces again, but we're bound to come across similar scams in the future.
Source: Honesty.com, 7/25/00 <otwa.honesty.com/forums/Forum16/HTML/000444.html>
Protect yourself from this particular spoof by taking the following action:
1. If you have an “l” in your URL, make sure you register the “i” version right away. As of 7/27/00 every financial institution we checked, including Wells Fargo, Fleet, Washington Mutual, and Yodlee, had yet to register the “i” versions of their URLs.
2. If you have an “i” in your name (especially if it’s normally capitalized, as in First Interstate Bank), you should register the equivalent name with an “l.” Although not as elegant, a similar paypai.com spoof could be engineered using an all caps version of your name, substituting a lowercase “l” for the uppercase “i.”
3. Add ABA’s SiteCertain seal to your Web site. The ABA renewed its push for its SiteCertain program in light of the OCC warning. We think it’s a worthwhile effort, but it really doesn’t provide much protection against a spoof. How many users would be savvy enough to notice that the SiteCertain logo was missing from a spoofed site? Like burglar alarm stickers on your window, the SiteCertain logo provides a deterrent to potential spoofers. Hopefully, they’ll move on to someone with less protection.
4. Prevent domain name hijacking by using the most rigorous change control procedures offered by Network Solutions or by whoever maintains your domain name registrations. Hijacking occurs when someone convinces Network Solutions to point your domain name to another server, where the hacker can mine usernames and passwords from unsuspecting customers. Often it’s done for the vandalism value, but it could cause a sizeable public relations and customer service headache if the hijack includes a login screen at the fake site. You might be forced to reset passwords for your entire customer base.
5. Educate customers to be cautious when clicking through links embedded in emails.
6. Create an alternative backup URL and communicate it to your customers. Credit for this idea goes to everbank.com, which recently told customers to go to everbankbackup.com in case the normal URL is not available. The backup URL would be useful in any situation where the primary URL was down or overly busy. It would also provide a workaround in the case of a spoof. Even if you don’t create a back-up site, you should register the domain name “yourbankbackup.com” to prevent spoofs.
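The following is an added example, not code from the article or from PayPal: it enumerates the l/i look-alike registrations that steps 1 and 2 call for (plus the “yourbankbackup.com” name from step 6) and classifies the links from the spoof email against them. It relies on the fact that DNS names are case-insensitive, so “PayPaI.com” is simply the registered name paypai.com; the function names and the single-swap model are this example’s own assumptions.

```python
from itertools import product
from urllib.parse import urlparse

# The only substitution the article describes: lowercase "l" and "i" trade places.
# Case is irrelevant because DNS folds "PayPaI.com" to "paypai.com" before lookup.
CONFUSABLE = {"l": "i", "i": "l"}


def lookalike_domains(domain):
    """Every domain reachable by swapping any subset of l/i letters in the first label."""
    label, _, suffix = domain.lower().partition(".")
    positions = [k for k, ch in enumerate(label) if ch in CONFUSABLE]
    variants = set()
    # Try every combination of swapped/unswapped positions (2**n for n confusable letters).
    for choice in product((False, True), repeat=len(positions)):
        chars = list(label)
        for pos, swap in zip(positions, choice):
            if swap:
                chars[pos] = CONFUSABLE[chars[pos]]
        candidate = "".join(chars)
        if candidate != label:
            variants.add(candidate + "." + suffix)
    return variants


def backup_domain(domain):
    """The 'yourbankbackup.com' name the article suggests registering defensively."""
    label, _, suffix = domain.lower().partition(".")
    return label + "backup." + suffix


def classify_link(url, legit_domain):
    """'legitimate', 'lookalike' (an l/i swap of our domain) or 'unrelated'."""
    if "://" not in url:          # urlparse needs a scheme to find the host
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host == legit_domain.lower():
        return "legitimate"
    if host in lookalike_domains(legit_domain):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Links taken from the spoof email quoted in the article.
    for link in ("http://www.PayPaI.com/login", "http://www.Pay-Pal.com/specialoffers"):
        print(link, "->", classify_link(link, "paypal.com"))
    print("register defensively:", lookalike_domains("paypal.com"), backup_domain("paypal.com"))
```

For a name with several confusable letters the set grows quickly (two letters give three variants), which is why registering them is cheaper than explaining a drained account.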