Is PayPal Passing Trojan Viruses?
By Roy D. Follendore III
Copyright (c) 2003 by RDFollendoreIII
This essay begins with what appears to be a
PayPal message. You might call it a lousy experience that started out as a mystery message
and turned into another philosophical Internet enigma. When exactly is choosing not to be responsible the same as
being irresponsible? Maybe it is when you know and give it enough time doing
absolutely nothing about it. If so, then there is much more involved than
it would first appear.
July 9, 2003
Apparently... PayPal allows people to email Trojan Viruses to its customers and
they don't want you to know it. I said apparently because I received
a message that looks exactly like it came from PayPal. The message had an
attachment and it said that PayPal requests me to update to the new PayPal
server. The problem is that there is really no reason to update
anything, since PayPal really did not provide software to update. The
attachment was another example of an executable virus that logs your keyboard and
sends the information, including passwords, credit card info and the like to
some address. (This is just the thing for those of you out there who
telecommute.) I am sure that the company you work for would be ecstatic to know that
access to their systems has been compromised.
When I looked at the evidence, I immediately began to suspect the obvious.
Maybe this message did not originate from PayPal just because the message had
their trademarked logo. Now exactly how do I know this? The fact is
that I don't. I can't know this for sure because any information that arrives, either
in the message body or the message "header" can easily be forged. Even "security experts"
have heard the old story about messages
that look like they came from the "White House." (Hackers knew
this when they were born.) But there are other possibilities. Maybe in
this case the message did in fact originate from PayPal and they just didn't know that the
attachment they sent had a Trojan? Or maybe they still don't know that this
bad thing is happening.
So after considering everything, I put on my white hat and decided to call PayPal and let them
know what was going on. After spending 20 minutes waiting on a "customer
representative," I finally got to talk to a nice fellow who seemed very
helpful. We spent most of our time confirming who I am. Since I
already knew who I am, I suppose it only benefited him. I then
proceeded to explain to him about the message, and he assured me that they would not have
sent such a message. He put me on pause for another ten minutes while he
checked with the PayPal security department. He said that PayPal never sends
clients messages with attachments.
OK. I asked if PayPal would like a copy of the message (with the attached virus) so
that they can evaluate who might be smearing PayPal's good name. Maybe the
PayPal police could post it as an example and perhaps give other customers a
heads up on how to avoid or eliminate the problem if they get infected. Sure, he
says. "I will send you all of the information that you need," he says.
A few minutes after we hang up, I get a PayPal form message with dozens of links
to contact PayPal for different problems on their website. In fact, it was pretty much an identical copy
of what they have on their site. None of it was useful before I called
PayPal. It was a
complete waste of time afterward.
The one thing that I did find out through this useless exercise is that PayPal was
(and now I know for certain is) aware of the email virus threat that
is using their corporate name. They have simply decided not to be
responsible. They certainly did not seem to be all that
interested in letting anyone else out there know that this kind of Trojan
shakedown is happening. Their decision brings up a real interesting philosophical and legal
dilemma and I suppose that this then is the main point of this essay.
If a company is aware that this kind of thing is happening and deliberately chooses
not to publicize the damage that the perpetrators are doing to others in its
name, is it not morally if not financially responsible for the damages being
inflicted? Are there not ethical obligations to reasonably prevent damages from
occurring in their name? You would think after all that big companies certainly reap
enough of the
economic benefits from their positive exposure, that they would be interested in
the negative. You would think that a valuable company might not want
that name smeared by hackers and that they would not desire the potential litigation
liabilities that might arise from such an embarrassment of potential (and false) accusations.
Maybe large companies simply have such excellent lawyers on retainers that they
do not have to worry about such things. If these are the reasons, then all that
I can say is that our cyber world is stacked with layers of problems.
Of course users like myself cannot "absolutely" confirm or deny that any messages
with virus attachments are being distributed from companies like PayPal, but there
should be a preponderance
of reasonable doubt in our minds that they do. I believe that PayPal would certainly have nothing
to gain, and they do provide a valuable service. In a jury, I for one would vote
innocent. But, what I also would have to vote for is a formal apology from PayPal
because of their
poor handling of this incident. They should make that apology in the name
of all of those who took the time and trouble to report the
incident and got slapped in the face for trying to do them a good deed.
Come to think about it, in
that light, and for all of those lesser charges, perhaps I could vote them
guilty of something.
But, it isn't just companies like PayPal who owe the American people an
apology. The current situation that every Internet user must deal with
in Internet situations like this is compounded foolishness. The biggest fools consist of the
administration of the Federal Government who refuse to enforce laws that can
cover such incidents. The Federal Government may be somewhat responsible, but unless fat cat middleman companies like PayPal
are required by
law to report these kinds of attacks, nothing will change within the "Internet frontier."
The existing laws are simply not being enforced. The Internet is simply not
being managed by law enforcement. The law is something that can be
properly managed, and it can be managed immediately on the Internet.
This level of effort represents valuable law enforcement that goes far beyond frivolous and ridiculous efforts to prevent people from taking fingernail
clippers on board aircraft.
My personal opinion is that the FBI and the Office of Homeland Security need to
snap out of their stereotyped fixation on "terrorism" in the form of
airplanes flying into skyscrapers. That is not the only kind of terror that
exists. They must reach the conclusion that security
risks which eavesdrop on digital communication are a grassroots crime and a criminal opportunity that must be
stopped. Such basic law enforcement will prevent terrorists from gaining
access to the national infrastructure of sensitive but unclassified
knowledge. Why can't Big Brother crack the thunder of the law in the name of
privacy? I suppose the answer is the same as PayPal. The law
enforcement community is not accepting responsibility.
In the meantime, until and unless they do, I for one am updating my active virus
profiles, and blocking out any messages that come from PayPal with attachments.
I suggest that you do the same.
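
The blocking rule suggested above can be written as a small mail filter. The following is an added example, not part of the original essay: it uses Python's standard email package, and the function names, addresses and file names are made up for illustration. Because the From header can be forged, the check tests what a message claims about its sender, not where it really came from.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

BRAND = "paypal"  # the brand the essay's message claimed to come from

def claims_brand(msg):
    """True if the From display name or address mentions the brand.
    From is forgeable, so this tests what the message claims, not its origin."""
    name, addr = parseaddr(str(msg.get("From", "")))
    return BRAND in name.lower() or BRAND in addr.lower()

def attachment_names(msg):
    """Names of every leaf MIME part that is an attachment or carries a filename."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname or part.get_content_disposition() == "attachment":
            names.append(fname or "(unnamed)")
    return names

def should_block(raw):
    """Apply the essay's rule: claims to be PayPal AND has an attachment."""
    msg = message_from_string(raw, policy=policy.default)
    return claims_brand(msg) and bool(attachment_names(msg))

def build_sample(sender, filename=None):
    """Constructed test message; addresses and file names are made up."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.org"
    m["Subject"] = "Update to the new PayPal server"
    m.set_content("Please run the attached update.")
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for sender, fname in [("PayPal <service@paypal.example>", "update.exe"),
                          ("PayPal Security <x@mail.example>", "update.exe"),
                          ("PayPal <service@paypal.example>", None),
                          ("A Friend <friend@example.org>", "photo.jpg")]:
        print(sender, fname, should_block(build_sample(sender, fname)))
```

The second sample shows why the display name is checked as well as the address: a message can show "PayPal" to the reader while using an unrelated sending address.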