BEWARE POSSIBLE PAYPAL FRAUD @Keychron

[D4ni3l99]

On the 23rd of April I ordered a keyboard on the official Keychron website. And at the following day I received the following E-Mail:

 

PayPal was my method of payment and I followed the described procedure. Roughly 4 hours later I got a ping on my PayPal app that someone was trying to log into the account from a new location. I live in the middle of nowhere in Germany, but the attempt came from Berlin (upon further inspection, likely a VPN proxy). This account has not seen any other use for several days before.

Please see this as a warning and potential warrant for support on how to properly deal with this situation.

 

*This post is a copy of a Reddit post I made on the (sadly) unofficial Keychron Subreddit. Please excuse me if I accidentally broke a rule on this forum, since I don't really post on here, but I need the best advice I can get on how to proceed

[Levent]

I fail to see what the fraud here is. 

[D4ni3l99]

Someone tried to log into my account... Someone not me... An account for an App that has vital credentials and monetary funds...

[Levent]

Just now, D4ni3l99 said:

Someone tried to log into my account... Someone not me... An account for an App that has vital credentials and monetary funds...

Someone tried to login to YOUR account. Not keychrons some sort of admin account. There is no fraud here, there is just an attempt to hack your PayPal account. There is nothing that should worry others.

[D4ni3l99]

1 minute ago, Levent said:

Someone tried to login to YOUR account. Not keychrons some sort of admin account. There is no fraud here, there is just an attempt to hack your PayPal account. There is nothing that should worry others.

I have not used said account for anything else in more than a week and it happened the next day after I ordered at Keychron and a few hours upon sending Keychron support an image of the ID attached to the PayPal account. Is that not suspect?

 

[Spotty]

6 minutes ago, D4ni3l99 said:

PayPal was my method of payment and I followed the described procedure. Roughly 4 hours later I got a ping on my PayPal app that someone was trying to log into the account from a new location. I live in the middle of nowhere in Germany, but the attempt came from Berlin (upon further inspection, likely a VPN proxy). This account has not seen any other use for several days before.

I doubt Keychron is trying to log in to your paypal account...

 

In the alert sent by Paypal did it say if the login successful or unsuccessful? It could have been you when you logged in to the account to get the information they requested. Location information based on IP address is not accurate at a local level. Even if you live a few hours away from Berlin it might still be reporting as Berlin. My IP address reports a location over 500km away from where I am.

Did it show the IP address of the login attempt? How do you know it was a VPN/proxy?

 

As for requesting you to go through the steps to confirm the order, I personally just wouldn't bother and would let them cancel the order. Too much effort. If they don't want your money there's a dozen other stores that will take it.

[D4ni3l99]

I might be overreacting, but I feel like when in doubt overreacting is better than underreacting

[D4ni3l99]

6 minutes ago, Spotty said:

I doubt Keychron is trying to log in to your paypal account...

 

In the alert sent by Paypal did it say if the login successful or unsuccessful? It could have been you when you logged in to the account to get the information they requested. Location information based on IP address is not accurate at a local level. Even if you live a few hours away from Berlin it might still be reporting as Berlin. My IP address reports a location over 500km away from where I am.

Did it show the IP address of the login attempt? How do you know it was a VPN/proxy?

 

As for requesting you to go through the steps to confirm the order, I personally just wouldn't bother and would let them cancel the order. Too much effort. If they don't want your money there's a dozen other stores that will take it.

I have already followed up on the procedure they have suggested in their E-Mail (this was before the fraudulent login attempt). The IP address of the attempt was definitely in Berlin, and not one of mine or even my families. It was not successful, since I declined it fast and immediately changed passwords. I did not expect Keychron Support to be behind this, rather possibly a rogue actor that works in their support. This and the fact that it was a VPN proxy is honestly pure conjecture, since I assume it was someone who can't possibly be in Berlin ,yet using the IP address of a popular VPN location. 

Edited April 24, 2023 by D4ni3l99
Added clarification

[D4ni3l99]

Okay, I do not know how to delete or close a topic ,but this one can be closed and/or deleted now. I did not originally see the warning myself and rather it was conveyed to me by a family member. Poorly it seems. I then expected the warning, but was originally misled by the device name of the login attempt not being one anyone in my family owns, however this was simply a mistake on our part. None of us new that the Samsung Galaxy S10 was apparently preferably called a Beyond 2. This led to some conjecture and miscommunication on our end and an overreaction. Appropriate since potential fraud should rather be overreacted to than underreacted, but clearly unwarranted. 

Overall the issue seems to have stemmed from a automatic login on one of our devices (that yet triggered a login warning) ,which was referred to by PayPal's automated system by a name we did not recognize.

Everything is fine now. Thank you for your support. Sorry for wrongfully suspecting Keychron Support or anyone working there.

[LogicalDrm]

Locked as per request.

 

Just noting that the email they sent to you suggests that email you are using for PayPal has been leaked as being used for PayPal. Which could trigger some more robust countermeasures. Like asking for confirmation that said account is still under your control.