It can happen to anyone, well-known blogger gets ripped off on PayPal
by Steve Ragan - Jul 3 2008, 11:07
Martin from gHacks talks to The Tech Herald about the recent theft from his PayPal account. (IMG:J.Anderson/GHacks)
It can happen to anyone; even IT professionals have to deal with the risk. Martin Brinkmann, who many of you know simply as Martin from gHacks, is no exception. Martin woke up yesterday to discover someone had taken over $400 from his PayPal account and purchased virtual servers with the stolen money. The lesson to everyone is that even professional geeks like Martin can fall prey to thieves online.
Martin was kind enough to grant me a quick Q&A over the issue. I have followed gHacks [www.ghacks.net] for some time. It is a good source for information, as well as a treasure trove of tips, tricks and free goodies that are certainly geek-worthy.
The news that someone had money stolen from PayPal is nothing unheard of; it happens every day. What caught my eye was that Martin was the victim in this case. He is an IT professional, and a professional writer online. He knows IT security, so it was a little close to home to see he too had been hit.
Q: You recently reported that you were the victim of fraud on PayPal. Describe your initial thoughts for me.
A: My first thoughts were that this cannot be. I have worked some years in the security department of a big financial corporation and know my way around. The absolute first thought was that this was just another Phishing mail that is so common these days. I did analyze it and [concluded] that it was a legit email from PayPal, which kind of worried me.
I went to my account using my secure Firefox profile that I only use for this kind of [site] and typed in the URL manually. I saw the transaction there and it left me puzzled for a few seconds. I went from disbelief to shock for a moment because I realized the implications this could have. Maybe someone got hold of all my passwords and personal information. Not a nice thought for someone who makes his living online from his websites as you can imagine.
Q: How easy was it to work with PayPal on this issue? What information were they willing to share with you? What would they not give you?
A: It's easy to file an initial complaint at the PayPal website. Everyone can do that in just a few steps at the website, but that's just the first step obviously. PayPal will then contact the other party so that they can respond to the claims. I did phone them as well because I thought that they could give me additional information but that was unfortunately not the case. I had hopes that they could tell me if someone else logged into my account at the time of the transaction and that they could tell me the IP of that other user. This would have helped me tremendously because I would have known that someone actually did get hold of my PayPal ID and password and that it was not an inside job or some other way of making that transaction.
[Note: Because of its internal and external privacy policies, PayPal will not release access records, or anything other than the transaction ID. The IP address that was used to access the account, and the method used to trigger the release of funds, are logged internally and are not available to the public, not even to account holders.]
Q: The company that took payment using the stolen funds, Santrex Internet Services, how easy were they to work with? Have you gotten your money back?
A: I contacted the seller of the goods as well. I was very careful there because I did not know if [they] were involved in the fraud. It turned out that they were helpful, really helpful, in providing all the information that they had about the transaction on their website, and that they also refunded the money completely after an hour.
They sent me information like IP and contact information about the guy who ordered the VPS (Virtual Private Server) from them. This type of information is usually fake, but they point to Buffalo University when you look up the IP that was used to create the account at Santrex Internet Services.
Q: Readers of your site know that you are not a fan of AV on your PC. What have you used to check your system after all of this was done?
A: I first used some Live CDs from antivirus companies to scan my computer. After that initial scan I installed a bunch of applications. Some of them have been: Rootkit Revealer, Hijack This, Antivir, Panda Antivirus, BitDefender and Spybot Search & Destroy. I installed and removed them from my system after deeply scanning it. Nothing was found though.
Q: Can you explain your opinions as to why you do not use AV on your system?
A: Yes, I can try. Antivirus applications are not perfect. They manage to catch most of the known viruses, but still have troubles with new ones. I have lots of experience, and only download and install files from reliable sources. I know that there is still a chance that they could be infected, but I do have a keen eye on news, especially news about applications that I use, which means that I'm able to react quickly.
In the last years however nothing like that happened. I can also use services like virustotal.com to check a file that looks suspicious before executing it. And then there is the possibility to use a Sandbox to execute files in a safer environment. There is also that theory that the more software you install, the less secure your system becomes. I would not say that everyone should work with antivirus software, but guys with the experience can definitely do that.
Q: Has this event changed your opinions on AV for your system, why or why not?
A: No, this has not changed my opinion on anti-virus applications. The main reason is that all those programs that I used to scan my system did not find anything. A very clever hacker could probably breach my system's security, install malicious software, grab data and uninstall it again, but that would probably be a lot of work for a temporary gain of $474. I have a very good hardware firewall installed which is my first line of defense and my IP is dynamic. The chance that this happened is slim.
Q: You mentioned a few thoughts on how the theft could have happened; can you explain them again please? Have you settled for one theory over another?
A: My main problem was not that the guy took my money, but that I needed to know how the theft was done. Did he get my password, did he use another way, did he get access to my computer, or did he use a website and browser exploit to get my data? There are several possibilities for how this could have happened. I was able to eliminate a few possibilities right away: Phishing, Pharming, other users using my computer, public access, wireless connections, and Host File changes.
Some possibilities are highly unlikely, but there is a slim possibility after scanning my system thoroughly: Viruses, Trojans, and Worms. Most likely causes are the following: Browser Exploits, or hacking into another website where I used the PayPal Email and the same password. (One should not do this but I think I have done this on one or two sites, not anymore though.)
It could also be that someone found a way to make transactions from within PayPal or an error in PayPal processing. It's not that likely, but I would not rule it out unless someone from PayPal would send me the access log for my account for the last month.
[Note: Presently Martin is still unsure as to how the breach happened. As mentioned, the access logs are not for public consumption so he may never know.]
Q: In your post on the theft, you mentioned strong passwords that you use, what is your method or advice for strong password creation?
A: Strong passwords are essential these days. I'm not talking about stuff like "sm45S_F45%fsder:,e" because no one is able to remember such a password. I have some simple rules for creating strong passwords that take a long time to crack by brute force.
It's always 8+ chars, never less. I always mix letters, numbers, and special chars if they are allowed. I never use dictionary words. I never use words that can be associated with me like names, locations, or professions, and I prefer to write them down locally instead of storing them in the computer, i.e. Firefox's password manager.
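The rules Martin lists (at least eight characters, a mix of letters, numbers and special characters, no dictionary words, nothing tied to you personally) can be turned into a small checker. The following is an added Python example written for this article, not code from Martin or gHacks; the dictionary and personal-term word lists are constructed stand-ins, and the brute-force estimate assumes a simple all-at-once attacker model and a guess rate you supply.

```python
import math
import string

# Constructed stand-ins (assumption, not from the article): a real check would
# load a full dictionary and the terms tied to the user (names, places, job).
DICTIONARY_WORDS = {"password", "summer", "dragon", "welcome", "monkey", "letmein"}
PERSONAL_TERMS = {"martin", "ghacks", "berlin", "blogger"}


def contains_listed_word(password, words, min_len=4):
    """True if any listed word of at least min_len letters appears inside the password."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def check_password(password, personal_terms=PERSONAL_TERMS):
    """Return the list of rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if contains_listed_word(password, DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if contains_listed_word(password, personal_terms):
        problems.append("contains a term associated with you")
    return problems


def estimated_bits(password):
    """Rough brute-force strength: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def brute_force_years(password, guesses_per_second=1e9):
    """Average time to exhaust half the key space at the given guess rate (assumed rate)."""
    guesses = 2 ** estimated_bits(password) / 2
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("summer08", "Martin2008!", "kT7#mq9Lz"):
        print(candidate, check_password(candidate) or "OK",
              f"{estimated_bits(candidate):.1f} bits",
              f"{brute_force_years(candidate):.2e} years at 1e9 guesses/s")
```

The entropy figure is deliberately crude: it ignores that "Martin2008!" follows a predictable pattern, which is exactly why the word-list checks are done separately rather than being folded into the bit count.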
Q: You have some loyal readers on gHacks. How have they responded to this, other than the comments? Have you gotten advice or tips you want to share?
A: Many of my readers are deeply interested in IT and many are professionals. I'm lucky in this regard. They add their thoughts to my content to make it much better. Just look at the PayPal article that I wrote. It currently has twenty-seven comments with tips and helpful information that I was able to use to investigate the matter further.
I really like the advice that PayPal is offering a device called PayPal Security Key, which adds another layer of defense to the login process. I also received some responses of readers who experienced similar problems or had friends with those problems. This really helped me a lot.
[Note: The gadget he mentions is a small token that offers two-factor security for your PayPal account and was introduced in 2007. There is a small cost, about $5 to $7 USD depending on your location, but the token is free to PayPal business accounts. You can get one and learn more here: https://www.paypal.com/securitykey]
Q: People always read about PayPal accounts being stolen or hijacked and often think “it will not happen to me.” Were you in that group? Do you have any advice for those who are still in that group?
A: Yes, I was in that group. The advice that I have regarding PayPal is that [everyone] should get that security device, keep a low amount of money in the PayPal account at all times, and remove the option that PayPal can make drafts from the bank account or Credit Card.
I always knew that no one is [truly safe] on the Internet, but the chances that someone with IT knowledge and experience will be a victim are slim but not impossible. Most PayPal accounts get hijacked by Phishing and Trojans I would assume. Phishing is probably the easiest to counter. Everyone with five minutes of time can learn the basic rules to fight Phishing.
I would like to thank you for offering me the chance to write down my thoughts on the matter. I really hope PayPal will be more forthcoming in the future which would really help the victim to identify the root of the attack. I'd also like to thank my readers; they are a great bunch. Thanks guys!
[Has this happened to you? Do you want to share your thoughts on the subject? Chime in using the comments section or use security@sitename.com to reach me. –Steve]