
Freelancer.com scam

I guess this one is nothing special because it does require the attacker to guess your login credentials, but I bet a lot of people would think freelancer.com (a site for finding people to do odd jobs, or for offering to do odd jobs, mostly in programming, web design, graphic design) is so trivial there is no point in having a hard-to-guess login identity.

Not quite so…

This morning I got a bunch of emails from there, which got my attention since I haven’t used it for a couple of years – last time was to design the latest version of the EuroGA leaflet. The email saying my password has been changed also gave the IP, 5.62.43.197, and you can google on it yourself.

I tried to log in, but couldn’t because somebody got in and changed the pwd. So I did a pwd reset, which worked because the attacker had not yet got around to changing the email address also. Logged in, and found a dialogue going on between two people. One was “me” and the other was some semi-illiterate “hey bro this is cool” speaking moron asking for a payment in bitcoin. Well, he may have been semi-illiterate but he managed to do a deal with some bloke in Spain willing to write some code, and paid him £75 out of my paypal account, whose details were preconfigured on the site. Having 2FA on paypal (which everybody should have on paypal, because somebody can hit your bank account pretty hard via paypal) doesn’t help because paypal doesn’t invoke it in this scenario.

I messaged the “victim” who was still online and chatting to the other “me” saying it was a fraud, but he got (or pretended to be) totally confused and said I was the scammer, and that he would report me to freelancer.

I think there is every chance of the “victim” being a mate of the attacker, otherwise there is little point in doing all this. You need to work in pairs to extract cash from this.

I got onto the freelancer.com help chat, only to get another moron who said he can’t help because my account has not been compromised… So I suggested that the idiot reads the messages. He was surprised I had the attacker’s IP and asked how did I get that, so I sent him the email which freelancer sent out.

He then went into an obviously well rehearsed procedure, revealing nothing but refunding me the money.

$75 is not much but it could have been a lot more.

This is a result of many websites having been storing login credentials in plain text, and then having got hacked. LinkedIn, Yahoo, etc. all got everything nicked at some point.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

The email saying my password has been changed also gave the IP, 5.62.43.197, and you can google on it yourself

Well, it seems to be an IP address of HideMyAss.com, which will make tracing that much more difficult. Especially if the attacker didn’t use the (paid) full VPN, but only the (free of charge) proxy.

ELLX

Peter wrote:

paid him £75 out of my paypal account, whose details were preconfigured on the site. Having 2FA on paypal (which everybody should have on paypal, because somebody can hit your bank account pretty hard via paypal)

Best practice is not to connect your Paypal account to any third-party site, nor to connect your bank account to Paypal.

LKBU (near Prague), Czech Republic

I would go as far as to say that a best practice is to not link anything to PayPal for more than it takes to make that PayPal payment you can’t make any other way. Yes, I despise PayPal with a vengeance… :)

tmo
EPKP - Kraków, Poland

Best practice is not to connect your Paypal account to any third-party site, nor to connect your bank account to Paypal.

Agreed, though the last one is not an option in the UK; a PP account without a bank connection is almost useless, and gets frozen when it has received a certain amount of money (you can continue to make purchases with it IIRC).

It’s like mandatory acceptance of PP on Ebay, in the UK. In some/most other countries such a rule would be illegal.

I would go as far as to say that a best practice is to not link anything to PayPal for more than it takes to make that PayPal payment you can’t make any other way. Yes, I despise PayPal with a vengeance

I agree, although it does depend on whether you are buying or selling the item. The general drift, in the EU “consumer protection” climate, has been towards buyer protection and away from seller protection, and PP has bought into this. It means that e.g. to sell stuff on Ebay you need to be ever more careful, describing the item in detail so that an illiterate person is unlikely to buy it, etc.

Administrator
Shoreham EGKA, United Kingdom