


Is PayPal Passing Trojan Viruses?

By Roy D. Follendore III

Copyright (c) 2003 by RDFollendoreIII

This essay begins with what appears to be a PayPal message.  You might call it a lousy experience that started out as a mystery message and turned into another philosophical Internet enigma. When exactly is choosing not to be responsible the same as being irresponsible? Maybe it is when you know and give it enough time doing absolutely nothing about it.  If so, then there is much more involved than it would first appear.   


July 9, 2003

Apparently... PayPal allows people to email Trojan Viruses to its customers and they don't want you to know it. I said apparently because I received such a message that looks exactly like it came from PayPal. The message had an attachment and it said that PayPal requests me to update to the new PayPal server. The problem is that there is really no reason to update anything, since PayPal really did not provide software to update. The attachment was another example of an executable virus that logs your keyboard and sends the information, including passwords, credit card info and the like to some address. (This is just the thing for those of you out there who telecommute.) I am sure that the company you work for would be ecstatic to know that access to their systems has been compromised.

When I looked at the evidence, I immediately began to suspect the obvious. Maybe this message did not originate from PayPal just because the message had their trademarked logo. Now exactly how do I know this? The fact is that I don't. I can't know this for sure because any information that arrives, either in the message body or the message "header," can easily be forged. Even "security experts" have heard the old story about messages that look like they came from the "White House." (Hackers knew this when they were born.) But there are other possibilities. Maybe in this particular case the message did in fact originate from PayPal and they just didn't know that the attachment they sent had a Trojan? Or maybe they still don't know that this bad thing is happening.

So after considering everything, I put on my white hat and decided to call PayPal and let them know what was going on. After spending 20 minutes waiting on a "customer representative," I finally got to talk to a nice fellow who seemed very helpful. We spent most of our time confirming who I am. Since I already knew who I am, I suppose it only benefited him. I then proceeded to explain to him about the message, and he assured me that they would not have sent such a message. He put me on pause for another ten minutes while he checked with the PayPal security department. He said that PayPal never sends clients messages with attachments.

OK. I asked if PayPal would like a copy of the message (with the attached virus) so that they can evaluate who might be smearing PayPal's good name. Maybe the PayPal police could post it as an example and perhaps give other customers a heads up on how to avoid or eliminate the problem if they get infected. Sure, he says. "I will send you all of the information that you need," he says. A few minutes after we hang up, I get a PayPal form message with dozens of links to contact PayPal for different problems on their website. In fact, it was pretty much an identical copy of what they have on their site. None of it was useful before I called PayPal. It was a complete waste of time afterward.

The one thing that I did find out through this useless exercise is that PayPal was (and now I know for certain is) aware of the email virus threat that is using their corporate name. They have simply decided not to be responsible. They certainly did not seem to be all that interested in letting anyone else out there know that this kind of Trojan shakedown is happening. Their decision brings up a real interesting philosophical and legal dilemma and I suppose that this then is the main point of this essay.

If a company is aware that this kind of thing is happening and deliberately chooses not to publicize the damage that the perpetrators are doing to others in its name, is it not morally if not financially responsible for the damages being inflicted? Are there not ethical obligations to reasonably prevent damages from occurring in their name? You would think after all that big companies certainly reap enough of the economic benefits from their positive exposure, that they would be interested in the negative. You would think that a valuable company might not want that name smeared by hackers and that they would not desire the potential litigation liabilities that might arise from such an embarrassment of potential (and false) accusations. Maybe large companies simply have such excellent lawyers on retainers that they do not have to worry about such things. If these are the reasons, then all that I can say is that our cyber world is stacked with layers of problems.

Of course users like myself cannot "absolutely" confirm or deny that any messages with virus attachments are being distributed from companies like PayPal, but there should be a preponderance of reasonable doubt in our minds that they do. I believe that PayPal would certainly have nothing to gain, and they do provide a valuable service. In a jury, I for one would vote them innocent. But, what I also would have to vote for is a formal apology from PayPal because of their poor handling of this incident. They should make that apology in the name of all of those who took the time and trouble to report the incident and got slapped in the face for trying to do them a good deed. Come to think about it, in that light, and for all of those lesser charges, perhaps I could vote them guilty of something.

But, it isn't just companies like PayPal who owe the American people an apology. The current situation that every Internet user must deal with in Internet situations like this is compounded foolishness. The biggest fools consist of the administration of the Federal Government who refuse to enforce laws that can cover such incidents. The Federal Government may be somewhat responsible, but unless fat cat middleman companies like PayPal are required by law to report these kinds of attacks, nothing will change within the "Internet frontier." The existing laws are simply not being enforced. The Internet is simply not being managed by law enforcement. The law is something that can be properly managed, and it can be managed immediately on the Internet. This level of effort represents valuable law enforcement that goes far beyond frivolous and ridiculous efforts to prevent people from taking fingernail clippers on board aircraft.

My personal opinion is that the FBI and the Office of Homeland Security need to snap out of their stereotyped fixation on "terrorism" in the form of airplanes flying into skyscrapers. That is not the only kind of terror that exists. They must reach the conclusion that security risks which eavesdrop on digital communication are a grassroots crime and a criminal opportunity that must be stopped. Such basic law enforcement will prevent terrorists from gaining access to the national infrastructure of sensitive but unclassified knowledge. Why can't Big Brother crack the thunder of the law in the name of privacy? I suppose the answer is the same as PayPal. The law enforcement community is not accepting responsibility.

In the meantime, until and unless they do, I for one am updating my active virus profiles, and blocking out any messages that come from PayPal with attachments. I suggest that you do the same.




Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved