Cisco ruins PayPal's business

Comments

32 comments

  • mattwilson9090

    I'm pretty sure that if OpenDNS were indeed ruining PayPal's business, PayPal would be directly in touch with OpenDNS to get it resolved.

    Considering that OpenDNS's goal for their free accounts is a 3 business day response time on tickets, but lately it is taking a week or longer, 14 hours isn't very long at all.

    I did a whois lookup on this domain and it doesn't appear to be affiliated with PayPal in any way. In fact it doesn't even have a complete address listed. That's very strange.

    Out of curiosity I looked at the domain tagging for this domain (https://domain.opendns.com/paypal-opwaarderen.nl), which showed that you created a tag today, and that there has been no other activity on it.

    Considering that you claim this domain name is vital for the functioning of PayPal in the Netherlands this seems rather suspicious to me.

  • tgeorgescu

    Well, I know that it is an official PayPal website for two reasons: it is linked from my PayPal account (from paypal.com) and while it was flagged as phishing by OpenDNS I have used another DNS server to access the website, transferred through it 350 Euro to my PayPal account and the transfer was processed correctly, the money did not vanish and I could buy a product with that money. I have also contacted PayPal, but they are slow to answer the tickets.

  • tgeorgescu

    Meanwhile I got an answer from PayPal:

    PayPal customer service RE: Products and features (ID: C528-L006-T11063-S111-W000000)

    Dear Tudor Georgescu,

    Thank you for contacting PayPal regarding issues with your firewall.

    My name is Jacques and I would like to help you with this issue. After reviewing your PayPal account I can provide the following information. I see on your PayPal account that you are able to top up by iDeal. We are not aware of this issue, but we will escalate this and try to solve this.

    I understand your frustration regarding this matter and regret any inconvenience this might have caused.

    Yours sincerely, 
    Jacques 
    PayPal 

    Copyright © 1999-2016 PayPal. All rights reserved.

    PayPal (Europe) S.à r.l. et Cie, S.C.A.
    Société en Commandite par Actions
    Registered Office: 22-24 Boulevard Royal L-2449, Luxembourg
    RCS Luxembourg B 118 349

  • tgeorgescu

    whois paypal-opwaarderen.nl
    Domain name: paypal-opwaarderen.nl
    Status: active

    Registrar:
    MarkMonitor Inc.
    391 N. Ancestor Place
    United States of America

    DNSSEC: no

    Domain nameservers:
    ns4.p57.dynect.net
    ns3.p57.dynect.net
    ns1.p57.dynect.net
    ns2.p57.dynect.net

    Rings a bell? No? See this:

    whois msn.com

    Domain Name: MSN.COM
    Registrar: MARKMONITOR INC.
    Sponsoring Registrar IANA ID: 292
    Whois Server: whois.markmonitor.com
    Referral URL: http://www.markmonitor.com
    Name Server: NS1.MSFT.NET
    Name Server: NS2.MSFT.NET
    Name Server: NS3.MSFT.NET
    Name Server: NS4.MSFT.NET
    Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
    Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
    Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
    Updated Date: 08-oct-2014
    Creation Date: 10-nov-1994
    Expiration Date: 04-jun-2022

  • tgeorgescu

    Quote: "MarkMonitor is the global leader in brand protection. More than half of the Fortune 100 trust MarkMonitor to protect their brands online."

  • rotblitz

    Well, the registrar is absolutely irrelevant in any case.  Only the registrant counts, and this is indeed PayPal PTE LTD.

    No matter, this does not mean that the web server is not vulnerable and nobody could implement a phish there.  OpenDNS will have to research the details.  I couldn't find any details on phishtank.com so far.

    "Cisco ruins PayPal's business"

    One thing is clear, you pretty much overdraw this scenario.  Just 2% of the internet users use OpenDNS, and it is pretty easy and straightforward for every OpenDNS user to whitelist a domain if a false positive phish is being reported.  No business will be harmed or ruined at all.  Another piece of evidence for the importance is the number of complaints about this here - just one, yours.  ;-)

    "I have used another DNS server to access the website."

    Even this was not needed.  Whitelisting the domain would have been sufficient.  The other two users using OpenDNS and paypal-opwaarderen.nl have certainly done it this way and didn't come here to complain.

  • tgeorgescu

    Point taken. However, my opinion is that it is blacklisted while the website is completely safe.

  • rotblitz

    "while the website is completely safe."

    How can you ever be sure?  You cannot!  You have no way to prove it, not at all.
    If you knew how many and what eminently respectable websites have been already hacked to implement phishes and other malicious stuff, you would be horrified...

  • tgeorgescu

    Yes, that could be true. But in this case they would steal everybody's money and mine did not get stolen.

    Also, there is a phishing scenario (kind of): make an iDeal payment to a PayPal account, buy BitCoins, send them to me and I will unlock your computer. But in this case it is not PayPal's fault that people are using it for illegal purposes.

  • rotblitz

    "they would steal everybody's money and mine did not get stolen."

    You're again totally wrong and simple-hearted.  If you think so, your safety and security are at high risk.  They may not be after your money, but after your identity or something else which can be even worse than if they got a few Euros from you...
    You should inform yourself more thoroughly about these dangers, because your knowledge seems to be rather vague and diffuse.  A good prerequisite to become a victim...

  • tgeorgescu

    Ok, what could be stolen this way: PayPal username and password, a one-time money transfer.

    The way iDeal works through my bank is a one-time code for authorizing once one money transfer. Of course, if it does not actually employ iDeal it could be used to authorize once one or more one-time money transfers. The idea is: this way one could steal 5000 Euro instead of transferring 50 Euro. Of course, actually adding more than one bank transfer requires another code, and it would thus fail.

    In my PayPal account I have an account number but no credit card. Only money demands from the Netherlands could be authorized by my bank, subject to their approval, and I can call back any unauthorized money transfer which I did not myself initiate and approve (i.e. falling prey to phishing counts as approval of one-time money transfers in certain circumstances).

    So PayPal does not actually have more than my name, address, birthdate, bank account number, e-mail address, IP and transactions history. I don't know if that is what you call an identity. I have not authorized PayPal to extract money from my bank account and even if a hacker would do that instead of me, the transfer would fail, since my bank account allows only transfers to Dutch bank accounts.

  • mattwilson9090

    Without knowing why this domain was listed as a phishing domain we cannot know what the phishing is intended to do. It could be intended to directly steal money, identity, or something else. They could also be gathering information for future use.

    As rotblitz said, you don't really seem to understand what phishing is, or how it works. Also, the first scenario you describe is not phishing. It could be related to some form of money laundering, or perhaps something to do with ransomware. Although it's possible such a thing could somehow leverage phishing, in and of itself what you describe is not phishing. The second scenario you describe is similar, it may or may not leverage phishing somehow, but is not in and of itself phishing.

    As for the information that you say that PayPal has about you, your IP address is completely irrelevant. Despite what TV and movies show, IP addresses are not some magical piece of information that can always be used to track you, or gives some special access to your computers or accounts. They can certainly be useful in tracking things down, or doing a forensic analysis of an event, but otherwise it wouldn't really matter if PayPal or anyone else has the IP address that is currently assigned to you by your ISP. Also, all of that information still has nothing to do with phishing, or why this domain was classified as a phishing domain.

    All we know for certain is that OpenDNS has classified this domain as a phishing domain, but we don't know why or when. It's possible that they are already working with PayPal and getting things cleaned up, or it could be something entirely new. I can say however that OpenDNS does not make this classification arbitrarily or capriciously, and it certainly is not ruining PayPal's business. In fact I've already verified that I can access the Netherlands version of PayPal via a URL that uses the PayPal.com domain, so it certainly isn't the only way to get there.

  • tgeorgescu

    I have read the lead of https://en.wikipedia.org/wiki/Phishing and nothing stated there applies: the website flagged as phishing is an official PayPal website, it wasn't cloned by hackers in order to look like a legitimate website.

    Was it hacked? How would I know? Anyway, PayPal stated nothing that it could have been hacked or when that could have happened. So, imho, PayPal still thinks that the website is safe and legit.

  • mattwilson9090

    Just as you don't know that this localized PayPal page was hacked, you also don't know that it WASN'T hacked. We also don't know why or when OpenDNS flagged this particular domain for phishing, if it is being worked on, reassessed, or whatever.

    You don't speak for PayPal, so your opinion of what "they" think doesn't really matter, nor does it address the reasons for why this particular domain was flagged this way. Rotblitz has suggested that you whitelist this domain. You can also get to a Dutch version of PayPal via https://www.paypal.com/nl/webapps/mpp/home

    My suggestion is to use either of those two methods and let OpenDNS address your support ticket and if need be work with PayPal to address the issue.

  • tgeorgescu

    Here is a straightforward answer: if PayPal knows it's hacked, they either unhack it or if this fails, they take it offline.

  • mattwilson9090

    Who is saying that PayPal knows they were hacked, or have acknowledged that? Again, all that we know for sure is that this particular domain is flagged as a phishing domain, nothing more. As for what PayPal may or may not do about this, it's up to them, not OpenDNS or this discussion board.

  • tgeorgescu

    *** (OpenDNS)

    Apr 28, 23:21

    Hello,

    Our research team has investigated the domain paypal-opwaarderen[.]nl and the domain will remain blocked.
    The research team has advised that the site can be whitelisted if access is required or access the main PayPal page.

    Thank you for your submission, we will be marking this ticket as solved, however if you need any further assistance, please reply to this message to re-open this ticket and we'll be more than happy to help you.

    Best regards,

    Reg Ham
    Customer Support Representative
    OpenDNS, Inc.

  • rotblitz

    Yep, I understand their reasons.  Thanks for posting this.  OpenDNS will certainly block all domains which refer to financial or other institutions where one can enter credentials related to another site.  That said, only if PayPal used e.g. opwaarderen.paypal.com or another subdomain of paypal.com, then it would be accepted and not be blocked as phish.  The fact that opwaarderen.paypal.com is registered for PayPal doesn't seem to play a role, because this could be faked.

    You know what to do.  Simply add paypal-opwaarderen.nl to your "never block" list, and the problem is gone for you.  You have been the only one complaining about this here.  Further, you can ask PayPal to deal directly with OpenDNS regarding this matter.  A user like you has no way to request something about someone else's website with OpenDNS.  You don't have the right and the power to do it.  You can only speak for your own registered domains.

  • rotblitz

    Correcting me:  The fact that paypal-opwaarderen.nl is registered for PayPal doesn't seem to play a role, because this could be faked.

  • tgeorgescu

    Ok, if I understand it well, all domains which are different from the main domain of a financial institution are blacklisted as phishing. Ok, good to know it, at least this is a reason why it got blacklisted. I was afraid that it could have been hacked and that my financial transactions would be at risk. Thinking that this is default OpenDNS policy gives me peace of mind. I consider the matter answered.

  • rotblitz

    Now we are down from "Cisco ruins PayPal's business" to "gives me peace of mind".  This is truly a change!

    "I consider the matter answered."

    ...even without having raised a question before...

  • tgeorgescu

    Well, I am not PayPal's lawyer, so I cannot sue Cisco for damages.

    But it took three days to find a reason why the website was blacklisted. Even the customer support representative mentioned no reason why it was blacklisted.

  • tgeorgescu

    @mattwilson9090: For my curiosity, have you clicked on the button shown at https://www.paypal.com/nl/webapps/mpp/home and saw which site gets shown then?

  • rotblitz

    The reason was always there.  It's just that you were later in the queue to get a response.  A response was of minor importance anyway, as it wouldn't change anything, and you cannot count as an interested party, because you don't own the domain.  And customer support clearly provided the reason: the site cannot be whitelisted because access to it with own credentials is not there, and direct access to the main PayPal page is not provided through it.

    So the fact remains: there's a domain not under the PayPal domain asking for PayPal credentials.  Exactly this is what is deemed to be phishing.  Full stop.

    If you disagree, you know what to do to access it nevertheless.  It leaves all risks with you, as should be.

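As an added illustration (not OpenDNS's classifier, nor code from anyone in this thread) of the rule rotblitz states above and the per-user whitelisting he recommends earlier: a host is trusted only when its registrable domain is the brand's own (opwaarderen.paypal.com passes, paypal-opwaarderen.nl does not), other hosts carrying the brand name are treated as phishing, and a user's own "never block" entry overrides that. The tiny suffix table, the names and the sample hosts are assumptions constructed for the example.

```python
# Constructed example: brand-lookalike hostname rule with a per-user override.
# Not OpenDNS's real classifier; all names and tables below are assumptions.

# Only this registrable domain is trusted for the brand (assumption).
TRUSTED_REGISTRABLE = {"paypal.com"}
BRAND_TOKENS = ("paypal",)

# Tiny stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "net", "nl", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """Return the label just above the longest matching public suffix,
    e.g. 'www.paypal.co.uk' -> 'paypal.co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)                  # unknown suffix: whole host counts


def classify(hostname: str) -> str:
    """'trusted' if under paypal.com; 'brand-lookalike' if the brand name
    appears anywhere else in the host; otherwise 'unrelated'."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in TRUSTED_REGISTRABLE:
        return "trusted"
    if any(tok in host for tok in BRAND_TOKENS):
        return "brand-lookalike"
    return "unrelated"


def decide(hostname: str, never_block: frozenset = frozenset()) -> str:
    """Resolver decision: lookalikes are blocked unless the user's own
    'never block' list names the registrable domain."""
    host = hostname.lower().rstrip(".")
    if registrable_domain(host) in never_block:
        return "allow (user never-block list)"
    return "block" if classify(host) == "brand-lookalike" else "allow"


if __name__ == "__main__":
    for h in ("opwaarderen.paypal.com", "paypal-opwaarderen.nl",
              "paypal.com.evil.net", "example.nl"):
        print(f"{h:28} {classify(h):16} {decide(h)}")
    # The whitelisting step from the thread: the user's own list wins.
    print(decide("paypal-opwaarderen.nl", frozenset({"paypal-opwaarderen.nl"})))
```
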
  • tgeorgescu

    Perhaps I was too subtle: click on the large blue button with Opwaarderen from https://www.paypal.com/nl/webapps/mpp/home and see that paypal.com redirects you to paypal-opwaarderen.nl . I rest my case.

  • tgeorgescu

    Correction: large blue button with Waardeer nu op.

  • rotblitz

    Yes, fine, but this is not what they should be doing.  As I said, they should set it up as a subdomain under the paypal.com domain.

    And it's not your case.  You don't own paypal-opwaarderen.nl, nor paypal.com, nor OpenDNS.  You are not an interested party.

  • tgeorgescu

    That's the standard corporate yada-yada: OpenDNS does not listen to lowly peons, it only listens to corporate lawyers.

  • mattwilson9090

    I visited the link I provided. Since the page that it leads to is written in a language that I don't speak, and I don't know how the Netherlands version of PayPal might or might not interact with my own PayPal account, I did nothing with it.

    Yes, you were being too subtle. If you have a point to make, then make it, don't expect others to both figure out what you are really asking about and then answer the question you never actually asked.

    As for blue buttons on that page, large or otherwise, both of the ones that I see point to URLs that use the paypal.com domain, they don't use the paypal-opwaarderen.nl domain. One appears to be a sign up button, the other appears to be a login button. But again, I'm not going to go any further since I don't speak the language the page is written in, and have no idea what the Dutch version of PayPal will do with my existing PayPal account.

    As for a button that says "Waardeer nu op", I do not see one.

    As for your comment about "corporate yada-yada" and corporate lawyers, you are completely off-base. You reported what you saw as a problem, OpenDNS responded back saying, basically "We know about this, and after reviewing it the decision stands". Since you do not own any of the domains in question there is no legal or ethical reason to work with you any further, or explain things any further. The same would hold true for my business's website and domain; if someone thought there were a problem with it I would expect that OpenDNS would not work with a third party to resolve that issue. It's my domain, it's up to me to fix any problems, and perhaps work with OpenDNS to resolve how things are classified, but no third party has any business being involved with it.

  • tgeorgescu

    You don't actually have to log in to PayPal in order to check it, just use another browser or another computer which you have never employed for logging in to PayPal. Or simply ask rotblitz what he meant by "Yes, fine, but this is not what they should be doing."

    Till now, the only credible argument for blacklisting the website is: all domains containing paypal are blacklisted by default, except paypal.com. Technically, the website could have been hacked, but OpenDNS never claimed this; the customer service offered no argument for blacklisting the website, he just said it was blacklisted and will remain blacklisted because that's what the security team wants.

    If a child bullies another child, you work under the assumption that all other children should mind their own business, since they are not interested parties and the bullied child should solve his problem with the bully himself. I work under the assumption that all other children should make clear to the bully that he is wrong and has to correct his mistake.

    This is how I see this problem: OpenDNS interferes with PayPal's business and they could correct their mistake because a lowly peon tells them they are mistaken. They don't have to wait for PayPal to chime in.
