Hacker Voodoo

New scary sign that hackers are still smarter than the Web cops behind site security: PayPal just discovered a flaw in their system that allowed hackers to set up a “legit” URL on the PayPal servers.

Result: You got an email directing you to a real PayPal URL, and every logical test you could give this URL proved it to be one of PayPal’s own, supported on PayPal servers.

However, on this real URL, you were told your account had been compromised, and you needed to go to this other site, right now, to fix things.

And off you went to a Korean scam center, where fleecing began in earnest, apparently. PayPal has zero clue how many people were duped, or how far the damage has gone. (Though they have apparently fixed that particular security flaw, and the Korean hack-site has been shut down. At least that’s the story now on Yahoo! news.)

This is not good, people. A couple of years ago, the first few emails purporting to be from PayPal looked and sounded so real, I contacted PayPal directly to see why my account had been shut down (or whatever action the scam suggested had happened). I was smart enough not to click the link in the email… but I was taken aback at how real the message seemed.

PayPal, back then, shrugged it all off. “Just be careful, and know that no PayPal employee will ever ask for your password.” No one there thought much of the repeated attacks. They didn’t have an official policy regarding these scams.

But it was like a large evil army relentlessly testing the security and vulnerability of the walls of a fortress.

And there is always a way through the locks and gates and walls. Always.

I tell marketers to consider this bet: Who would you put your money on to win — the little Latin American dope farmer trying to get some product into the states (to “starving” crowds eager for delivery)… or the U.S. military guarding the borders, with all their high-tech weaponry, detection devices, security protocol and multi-trillion dollar budget?

There is always a way in. Always.

This is a double-edged reminder for marketers. First, don’t ever get complacent about your security… and do what you can to keep your customers and prospects aware of the extra steps you take to keep their ordering info safe. It’s not a joke. This is serious. Just like people abandon the stock market after a crash, so too will they think twice about ordering online after a major scam like this.

Second — this is a good lesson for anyone in a crowded niche. No matter how much better funded your competition is, or how many other advantages they have… there is always a way to beat them in the quest for turning prospects into customers.

Online, everyone is equal. IBM cannot spend enough to make their site better than yours (even if you set it up from your kitchen table using freeware, or by hiring an elance.com geek for a hundred bucks)… as long as they insist on ignoring basic salesmanship and good marketing tactics, and you pay attention to what the customer really wants.

In short — find your competitors’ weaknesses, and exploit them. Do what they aren’t doing. (Most of the time, this involves paying more attention to the prospect.)

It’s still the Wild West online, folks.

Stay frosty.

John Carlton


  • Where do you get this stuff! Scary as freakin hell John!

    The bottom line is…

    Paypal, Ebay and the others will not ask for your private information…via email. But, if you fall victim, you can “stand in line” at the FTC…

    Joe Ratliff
    Professional Copywriter

  • Seth Chong says:

    Great post which pushes the rage up in people.

    Appreciate it real much.

  • […] John Carlton echoed a mantra of mine in this post where he commented on the successes that hackers have had (unfortunately) in penetrating PayPal’s security. […]

  • Jim Charlson says:

    I got one of these emails and after trying to figure out what the heck was going on I deleted it. Scary.

    Thanks for your always great insights!


  • Excellent post John!

    Something happened to me less than a month ago that truly got my attention.
    After making a “buy it now” purchase on eBay, I was taken to a “real” Paypal link to make payment.

    What happened next was absolutely horrific!

    One by one, over the course of the evening, I was slowly being depleted of my paypal monies — so much so, that once it had drained my Paypal account, it started attacking my personal bank account.

    It wasn’t until the next morning that I realized this had happened. To make a long story short, I was able to contact Paypal and my bank and eventually (three weeks later), the problem was resolved.

    I suspect it was the same scam you are talking of in your post.

  • chad says:

    Thanks for the update…Even people who believe themselves to be cautious fall prey.

    Oh, by the way, there’s another marketing lesson here… And the thrust is “Always”… I guess when you reach a point of believing your ad / marketing is the best it can ever be… some other hungry soul is devising a way to crush it… and take your customers.

    And your enclosure is off the wall…Stay Frosty…
