The Crazy Rants of Samantha BurnsWarning: PayPal Scams and other Bank Scams
This is an article MR.BIG, my techie, wrote a long time ago, but deserves another look as an informative measure. I'm revisiting it because I've been getting an awful lot of those fake paypal scams telling me they have received "unusual activity" on my account, and I'm sure some of you have gotten this bull-story, too.
Article contributed by MR.BIG
Every other day or so, I receive an e-mail from someone claiming to be PayPal or another bank of some variety.
Of course, each e-mail wants me to immediately click on the link and enter my username and password to promptly verify that information is correct due to lost records on their part, or to validate a recently large sum of cash deposited into my account, or other such ridiculous reasons.
Now the scam pages are usually easy to spot.
Basically, if you click on the link, it will show you the actual URL you will be directed in the address bar. For example, this is a fake http://www.paypal.com/ link. If you clicked on the link you'd be directed to visit Oprah's poop. If I had been a nasty evil person, I could have made that webpage look exactly like PayPal's website. If you were fooled, you might enter in your PayPal username and password which I would promptly abuse for evil deeds.
Okay, so you are wise and smart to this trick? No one is going to fool you because you look at that address bar to tell if the website is a fake or the real McCoy. Not so fast wise-guy; you could still be fooled. Take a look at this fake PayPal URL from MSIE: https://www.paypal.com/. This does not go to the real PayPal website. Pretty neat trick, huh? Not if I were an evil person trying to scam you. This webpage does not include a valid PayPal forgery fortunately, but it could have very easily.
This is all due to Internationalizing Domain Names in Applications (IDNA). Basically, there are international characters that look almost exactly like the normal latin characters to which we are all familiar.
Even the writers of the RFC specification, warned that this might happen:
When systems use local character sets other than ASCII and Unicode, this specification leaves the problem of transcoding between the local character set and Unicode up to the application. If different applications (or different versions of one application) implement different transcoding rules, they could interpret the same name differently and contact different servers. This problem is not solved by security protocols like TLS that do not take local character sets into account.
Let me interpret for you:
Yadda yadda yadda... some international characters look like Latin characters... yadda yadda... it could fool people into thinking one website was anothers... yadda yadda yadda
What's the best way to make sure you are going to the right website? Type the website in yourself into the address bar, and not by cut n' paste or by clicking on a link in your e-mail. Yes, typing is a major pain, but it's highly unlikely you will type the international character by accident and be fooled by imitations.
YOU. HAVE. BEEN. WARNED.
