AuctionBytes Blog
Covering auctions, collectibles and marketplace selling.

The AuctionBytes Blog has been giving a voice to online merchants since its launch in 2005. Named one of the world's top 30 blogs in 2008 by "Blogging Heroes." Weigh in with your thoughts on the joys and pitfalls of selling online.
Wed Mar 18 2009 22:42:14

Cyber Attack: Unsolicited, Unstoppable PayPal Payments

By: Ina Steiner


An online merchant selling digital services on his website began receiving suspicious payments into his PayPal account on Sunday. The payments came from different bogus email addresses. By Wednesday evening, the payments were still coming in and had reached over $8,000.

The merchant spoke to a PayPal representative by phone on Tuesday who suggested he refund the payments, but the merchant held off, afraid that would somehow legitimize the transactions and leave him the responsible party.

Some transactions were red-flagged by PayPal, others were not, despite the merchant's warning to PayPal about the strange activity.

On Tuesday, he removed the PayPal Add to Cart buttons from his main pages, he said, but left them on sub-pages so he could still receive orders for his products. On Wednesday, he removed all Add to Cart buttons from all pages on his website, but the payments continued to roll in.

By Wednesday evening, he had received between 80 and 90 payments that added up to over $8,000. ("Because of the volume of activity and PayPal decreasing the amount by instigating disputes while payments are continuing to come in, I have no idea how much this will total up to," the merchant told AuctionBytes.)

Why would a scammer use stolen credit cards to send payments to a third-party website? One person we consulted who monitors eBay and online fraud suggested scammers might be trying to test the validity of credit card accounts by seeing which ones went through. But it wasn't quite convincing given the way the payments were arriving.

There were several disturbing characteristics of this attack. It appears that scammers could use bogus information (including email address, physical address, and phone number) to send payments with credit cards that were, one would conclude, compromised or stolen. In some of those cases, it seems PayPal failed to identify them as suspicious to the merchant in a timely fashion.

Here's one of the originating email addresses: Karawamawalakasaramaarsadeenaanigamalasaraysaahemalakasaraawere70@hotmail.com

The merchant reported that only 22 of the over 80 transactions were closed as of Wednesday afternoon.

PayPal spokesperson Michael Oldenburg said, "In these types of situations we recommend that customers refund the payments and report the suspicious activity by calling PayPal - just as (the merchant) did. This allows our fraud team to investigate the other accounts for possible fraudulent activity."

However, a high-volume merchant could conceivably spend an enormous amount of time trying to distinguish between legitimate and scam transactions and refunding the scam transactions in addition to reporting the problem to PayPal. In this particular merchant's case, he has also disabled the ability for buyers to order products on his site (though it hasn't stopped the payments from arriving in his PayPal account).

As 10-year observers of online fraud of all kinds, we find that perhaps the most intriguing puzzle of all is why we haven't been able to find similar reports of this type of incident. But we know that when one incident surfaces, more are bound to follow, so keep an eye out for strange activity in your PayPal account, and keep a close eye on your credit cards!

All theories and suggestions welcome below.





Readers Comments


by: o.c.d.collectibles

Wed Mar 18 23:07:46 2009

It would probably be a good idea to continue tweeting it on twitter, periodically, but on a regular basis so that the whole world will be aware of paypal NOT being the safest payment method around. Obviously, ebay and paypal will either be minimizing it or denying that there is a problem. My guess is that they already know about it, and it's probably not the first and only time. We just never get a chance to read or hear about it!


by: eBuyer Feedback

Wed Mar 18 23:37:37 2009

This is a very bad situation for the merchant.  Last year I had a buyer use a supposedly unauthorized card to ship to his confirmed address.  10 minutes later PayPal froze the funds and then he filed a chargeback.  I ended up having to pay PayPal their transaction fee even though I never got to touch the money.


by: Michael

Thu Mar 19 00:05:07 2009

Had this happen to me except the other way. I woke up to see a $500 charge from my paypal account to a hosting company in Pakistan. It took me around 20 days to get my $500 back. It is just an unsecure network. Does anyone know if the new safety measures where you have to get a number to login works?


by: TekGems

Thu Mar 19 00:08:21 2009

> paypal NOT being the safest payment method

This happens with credit card payments as well? Last week, someone bought a digital camera using a credit card that did not belong to them. Even if it did, a customer can make a claim. There are varying levels of risk and there are tools available to analyze that risk.

There are anti-fraud tools such as transaction velocity. If too many orders arrive from an IP address or even total number of orders into an account, the rest are declined. Criminals would not know if the card was declined because of these anti-fraud measures or the card was bad. For the IP address issue, many use zombie computers as proxy servers and others use VPN services to mask their true location. You can learn a lot from the IP address, but Paypal unfortunately does not give us this information.
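
The transaction-velocity check described in the comment above, as an added example that is not part of the original comment and is not PayPal's or any processor's code. The class name, window and thresholds are assumptions, and the sample orders are constructed.

```python
from collections import defaultdict, deque

class VelocityCheck:
    """Sliding-window order counters keyed by source IP and by receiving account."""

    def __init__(self, window_s=3600, max_per_ip=3, max_per_account=20):
        self.window_s = window_s
        self.limits = {"ip": max_per_ip, "account": max_per_account}
        self.seen = defaultdict(deque)  # (kind, key) -> timestamps of accepted orders

    def _over_limit(self, kind, key, now):
        q = self.seen[(kind, key)]
        while q and now - q[0] >= self.window_s:  # drop orders older than the window
            q.popleft()
        return len(q) >= self.limits[kind]

    def evaluate(self, ts, ip, account):
        """Return (result shown to the payer, reason kept in the merchant log)."""
        tripped = [kind for kind, key in (("ip", ip), ("account", account))
                   if self._over_limit(kind, key, ts)]
        if tripped:
            # The payer only sees a generic decline, so the response does not
            # reveal whether the card was bad or a velocity rule fired.
            return "declined", "velocity:" + "+".join(tripped)
        self.seen[("ip", ip)].append(ts)
        self.seen[("account", account)].append(ts)
        return "accepted", None

def run_sample():
    # Constructed orders: (seconds since start, source IP, receiving account).
    # Five orders from one IP, then four from rotating IPs into the same account.
    acct = "merchant@example.com"
    events = [(i * 60, "203.0.113.7", acct) for i in range(5)]
    events += [(300 + i * 60, f"198.51.100.{i}", acct) for i in range(4)]
    vc = VelocityCheck(window_s=3600, max_per_ip=3, max_per_account=5)
    return [vc.evaluate(*e) for e in events]

if __name__ == "__main__":
    for result, reason in run_sample():
        print(result, reason or "")
```

The per-account counter is what catches the rotating-IP case the comment mentions, where proxies or VPNs defeat the per-IP rule.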


by: Claypipe

Thu Mar 19 00:13:36 2009

Methinks it's one of the BIG BOYS playing with paypal. There are others out there in the electronic payment industry. Maybe they're sending paypal a message to stop acting so uppity. You're not the only bull on the hill. Sending it out to a larger merchant is also something to consider. Affect the business of the larger merchants and you effectively affect paypal.

I never trusted paypal and always thought that their boasting on how safe they were was like the designers of the Titanic saying it was unsinkable. We all know how that ended.


by: QUIDNUNC

Thu Mar 19 00:39:50 2009

I am one of the unlucky ones who is waiting for Paypal to reimburse about $900 worth of bogus charges. It started with two $30 charges that either Paypal or the recipient caught and refunded. I suggest that everyone go in and change all their passwords and codes! I don't know if the security key works but I am going to give it a try when this gets settled.

by: Anonymous

Thu Mar 19 00:43:06 2009

Maybe the scammer thought they were sending the bogus payments to their own Paypal account or one they had control of, but screwed up their email address and they ended up in someone else's account?
They then were probably going to buy items with the money and hope that the online merchants shipped the items before Paypal caught on?


by: Claypipe

Thu Mar 19 00:45:21 2009

@@@ QUIDNUNC

Here I was thinking it was perhaps another BIG BOY. Perhaps Paypal is doing this purposely. To attract attention to their security key. Isn't there a charge for the key? Remember an old computer wiz once told me the people who make it are the people who break it. Hey you never know.

by: Anonymous

Thu Mar 19 00:56:16 2009

I fear that had the vendor refunded the payment that later paypal would have found the original incoming payment to be on a stolen card or fraud. Then paypal would have taken back the incoming payment and the vendor would or could have lost the refunded payment from his own legit account. I would have closed the account completely and unlinked any bank account or closed the bank account as well. SHUT IT ALL DOWN.


by: avid reader

Thu Mar 19 01:00:26 2009

Is this what possibly happened? Apparently this person's email addy appeared on someone else's Paypal account *also* and the payments went to that other party.

Read both blog entries for Jan. 2009

http://www.coyoteblog.com/coyote_blog/tag/paypal

by: Bob

Thu Mar 19 01:50:01 2009

Two words...

1) Google

2) Checkout



Anyone still using Paypal is - and feel free to flame me at will - a complete and utter moron.


by: DON'T DO IT

Thu Mar 19 03:00:18 2009

Whatever you do - DO NOT REFUND THE MONEY. That is Paypal's job, not the seller. And that could backfire and cause the seller more problems.

And if this is what paypal wants:
PayPal spokesperson Michael Oldenburg said, "In these types of situations we recommend that customers refund the payments and report the suspicious activity by calling PayPal - just as (the merchant) did. This allows our fraud team to investigate the other accounts for possible fraudulent activity."

That is to help paypal NOT YOU. The seller has no rights at paypal, remember that. So keep your mouth shut & leave the fake funds just sitting there.

and

I would ignore the activity. Don't spend it as it's not yours yet, but it's paypal's job to look for fraud not the sellers.


by: Ebay's Slow Death

Thu Mar 19 03:08:46 2009

That was my thought too. That, somehow PayPal got the e-mail addresses of two accounts mixed up.  Or maybe another person, probably an Ebay Seller, just signed up for a PayPal account and typed their e-mail wrong, so it was the same as the person receiving the mysterious deposits.

It is the simplest explanation.


by: Eddie

Thu Mar 19 03:24:52 2009

I agree with others - the payment senders have messed up. They will be using stolen/cloned cards and/or others' hijacked Paypal accounts and are sending the funds to the wrong Paypal account email. Either that or they also have control over the recipient's Paypal account - and they just don't know it yet!

For others, YES, the Paypal key works well, very well indeed, and it can also be used for your eBay account. It does offer an extra level of protection against potential account take overs, if you haven't got one, then get one.


by: pp

Thu Mar 19 05:50:47 2009

Well it's coming up to the end of Q1

What bottom line enhancing glitches are PP going to claim, all of which will artificially boost the figures?


by: Clayton

Thu Mar 19 11:13:12 2009

I'm not sure what's weird about that e-mail address.  I have a friend named Brent Wamawalakasaramaarsadeenaanigamalasaraysaahemalakasaraawere


by: Jo

Thu Mar 19 11:18:57 2009

Why is this second level of security not more widely advertised? This is the first I have heard about a key. It is outrageous if Paypal are going to charge for it. Now the money, sit on it and let Paypal sort it out and use some other means to accept payments. You don't want to refund it and Paypal lands you with a bill claiming it was not yours to refund.


by: 104668

Thu Mar 19 11:31:01 2009

I read the link to the original story, all I can say is that Coyote is one smart dog! To know how the problem started-years ago the two had a transaction and the email address was added to account. I wonder what triggered it now though?


by: Clayton

Thu Mar 19 11:39:30 2009

I was just wondering this morning if you could scam paypal by finding big sellers who get hundreds of payments a day and signing up with e-mail addresses similar to theirs, especially if you can anticipate typos (tehshoestore or something).  I'd never try it myself but I wonder if anyone else has...


by: Patricia

Thu Mar 19 12:04:24 2009

Wow! This is good to know...silly me thought Paypal verified each payment coming in...guess one never assumes anything logical where Paypal/Ebay are concerned!
