PayPal and Phishing Continued: Grooming Phish Victims

In view of some of the discussion generated by Randy's blog on PayPal's "confession" of "phishing", it's refreshing to see a straightforward summary of the issue from the estimable Larry Seltzer for PC Mag (see

PayPal's view of the issue seems equivocal. They've gone to some lengths to dismiss this issue as the agenda of a single researcher (sorry guys, but quite a few of us agree with him!), but in the past, PayPal's own communications have warned about clicking on links in emails. For instance:

"NEVER give your password to anyone and ONLY log in at Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account."

(That comes from a sample email from PayPal that Andrew Lee and I used in a phishing presentation a couple of years ago: see the Virus Bulletin paper at

While in its own phishing quiz at you'll find statements like these:

"All URLs can be faked. Always open a new window and type the address into the browser."

"Always log into PayPal by opening a new browser and typing in the following: If a URL looks suspicious, don't click it."

Isn't that pretty much what Randy said?

It seems that it's not only PayPal that isn't too careful about sending appropriate responses. A friend of ours tells us that he advised a hosting company that a site they hosted was not only owned by a botmaster, but serving up exploits via a hacked website.

They responded with a snottogram telling him to review various resources before submitting a properly formatted and self-authenticated report of the Intellectual Property (IP) infringement about which he was complaining. Nice one, Softlayer. If you don't like the question, pretend it was a different question.

I've also just read here  company that apparently declined to take action against a site responsible for internet abuse because it belongs to a paying customer.

"It's a very very … mad world…"

Director of Malware Intelligence

Author David Harley, ESET

Copyright © 2015 ESET, All Rights Reserved.