In view of some of the discussion generated by Randy's blog on PayPal's "confession" of "phishing", it's refreshing to see a straightforward summary of the issue from the estimable Larry Seltzer for PC Mag (see http://blogs.pcmag.com/securitywatch/2009/12/paypal_admits_to_phishing_its.php?sms_ss=twitter).
PayPal's view of the issue seems equivocal. They've gone to some lengths to dismiss this issue as the agenda of a single researcher (sorry guys, but quite a few of us agree with him!), but in the past, PayPal's own communications have warned about clicking on links in emails. For instance:
"NEVER give your password to anyone and ONLY log in at https://www.paypal.com/. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account."
(That comes from a sample email from PayPal that Andrew Lee and I used in a phishing presentation a couple of years ago: see the Virus Bulletin paper at http://www.eset.com/download/whitepapers/Phish_Phodder.pdf)
Meanwhile, in its own phishing quiz at https://www.paypal-marketing.co.uk/safetyadvice/TakeTheQuiz.htm you'll find statements like these:
"All URLs can be faked. Always open a new window and type the address into the browser."
"Always log into PayPal by opening a new browser and typing in the following: https://www.paypal.com. If a URL looks suspicious, don't click it."
Isn't that pretty much what Randy said?
It seems that it's not only PayPal that isn't too careful about sending appropriate responses. A friend of ours tells us that he advised a hosting company that a site they hosted was not only owned by a botmaster, but serving up exploits via a hacked website.
They responded with a snottogram telling him to review various resources before submitting a properly formatted and self-authenticated report of the Intellectual Property (IP) infringement about which he was complaining. Nice one, Softlayer. If you don't like the question, pretend it was a different question.
I've also just read here about a company that apparently declined to take action against a site responsible for internet abuse because it belongs to a paying customer.
"It's a very very … mad world…"
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET