“I am a PayPal user,” David Veksler of the Foundation for Economic Education and The Atlanta Bitcoin Embassy explained to News.Bitcoin.com. “My account is 17 years old. This morning I got the email linked in my message.” On Friday, March 16, Mr. Veksler, and presumably a sizeable chunk of PayPal’s nearly 200 million users, received an official-looking email seemingly from the company, complete with letterhead, titled Cryptocurrency Warning.
The popular online payments system, two decades old, counts Peter Thiel and Elon Musk among its founders. The company’s revenue routinely runs into the billions, and it operates in over 200 markets and in 25 currencies around the world. PayPal is often seen as a direct competitor to cryptocurrencies, which aim to remove its centralized business model from everyday transactions. The company has made conflicting statements about crypto in general and bitcoin in particular, but there’s no denying it can see the future: just this month it was discovered that the company had applied for crypto-related patents.
After expressing appreciation for their business, the Cryptocurrency Warning email scolded its recipient: “While reviewing your account, we noticed that your activity involves the trading or transfer of crypto currency which is prohibited under our Acceptable Use Policy. As this is not permitted on the Paypal platform we ask that you cease any activity that results in the trading or transfer of crypto currency. If you continue to engage in this activity on Paypal, we’ll be unable to continue offering our services.”
“It appears to be legit,” Mr. Veksler worried. “I checked the from address and the DKIM. Then I called Paypal support and got a [customer service representative] on the line. She said that from the email address, it does not appear to be legitimate. She then checked my account and said that it is fine – there are no flags of any kind on it. I then posted on the Paypal community site and Reddit, and a bunch of people replied saying that they got the same email.”
For its part, the company has issued no formal statement, preferring, it seems, to take the complaints one at a time rather than whip up a frenzy. The potential problem with this approach is that not everyone understands information technology semantics or knows where to go to ask for clarification. Mr. Veksler has a master’s degree in the science, and even he was a little put off. It’s not unreasonable to believe the company’s users would feel as though buying and selling crypto were somehow wrong.
“I don’t know,” Mr. Veksler continued. “All I can tell you is that customer support said it’s fake but the email looks legit, including the digital signatures. I’ve never bought or sold crypto with my account.” A reading of the company’s policy turns up no mention of prohibiting cryptocurrency trading of any kind. On the company’s community page, the issue appears to have been labeled solved, with users confirming through representatives that the email is indeed a fake.
At issue now is how the emails were spoofed. Perps were able to secure an official company website email string and users’ names. “There is no domain verification process for sender address in the SMTP protocol,” Mr. Veksler pointed out. “There is a separate, optional Sender ID framework which some providers use. This email is also signed with that protocol. I cannot explain that.”
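A passing DKIM signature only proves that the domain named in the signature's d= tag signed the message, and that domain need not be the one shown in From:. The following added example (not from the article or from PayPal; the domains, the authserv-id, the constructed sample messages and the two-label organizational-domain shortcut are assumptions) checks that alignment using only the receiving server's own Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own receiving mail server.
TRUSTED_AUTHSERV = "mx.receiver.example"

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_alignment(raw):
    """Report which DKIM-passing domains align with the visible From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passing = []
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = hdr.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # any sender can add this header; trust only our own server's
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            passing.append(m.group(1).lower())
    aligned = any(org_domain(d) == org_domain(from_domain) for d in passing)
    return {"from_domain": from_domain, "dkim_pass_domains": passing, "aligned": aligned}

# Constructed sample: valid DKIM signature, but from an unrelated signing domain.
UNALIGNED = (
    "Authentication-Results: mx.receiver.example;\n"
    " dkim=pass header.d=bulk-mailer.example header.s=s1;\n"
    " spf=pass smtp.mailfrom=bounce.bulk-mailer.example\n"
    'From: "Payments Service" <service@payments.example>\n'
    "Subject: Cryptocurrency Warning\n\nbody\n"
)
# Constructed sample: signing domain shares the From: organizational domain.
ALIGNED = UNALIGNED.replace("header.d=bulk-mailer.example", "header.d=mail.payments.example")
# Constructed sample: the header was not written by our server, so it is ignored.
UNTRUSTED_HEADER = (
    "Authentication-Results: unknown-relay.example; dkim=pass header.d=payments.example\n"
    "From: service@payments.example\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("unaligned", UNALIGNED), ("aligned", ALIGNED),
                      ("untrusted header", UNTRUSTED_HEADER)]:
        print(name, dkim_alignment(raw))
```

A message that reports "dkim=pass" but comes back with "aligned" false was signed by someone other than the domain in its From: line, which is the case a quick look at the signature alone will miss.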
A forum commenter insisted, “It’s pretty easy. Anybody can download a number of hacked BTC-related databases. (bitcointalk database, btc-e database, etc.). Then the scammer takes the list of BTC-related emails and cross references it with another database that includes full names. Now the scammer has a list of BTC users’ full names and e-mail addresses. (Also in many cases username, password hash, DOB, meatspace address, ssn, all sorts of other private data depending on what database they’re using.) Anybody with a semester of computer science class should be able to write a script that does this. Then just send out some spam emails.” For a deeper dive on the hacking details, Nadeem Walayat has some interesting theories about the affair.