In view of some of the discussion generated by Randy's blog on PayPal's "confession" of "phishing", it's refreshing to see a straightforward summary of the issue from the estimable Larry Seltzer for PC Mag (see http://blogs.pcmag.com/securitywatch/2009/12/paypal_admits_to_phishing_its.php?sms_ss=twitter).
PayPal's view of the issue seems equivocal. They've gone to some lengths to dismiss this issue as the agenda of a single researcher (sorry guys, but quite a few of us agree with him!), but in the past, PayPal's own communications have warned about clicking on links in emails. For instance:
"NEVER give your password to anyone and ONLY log in at https://www.paypal.com/. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account."
(That comes from a sample email from PayPal that Andrew Lee and I used in a phishing presentation a couple of years ago: see the Virus Bulletin paper at http://www.eset.com/download/whitepapers/Phish_Phodder.pdf)
While in its own phishing quiz at https://www.paypal-marketing.co.uk/safetyadvice/TakeTheQuiz.htm you'll find statements like these:
"All URLs can be faked. Always open a new window and type the address into the browser."
"Always log into PayPal by opening a new browser and typing in the following: https://www.paypal.com. If a URL looks suspicious, don't click it."
Isn't that pretty much what Randy said?
It seems that it's not only PayPal that isn't too careful about sending appropriate responses. A friend of ours tells us that he advised a hosting company that a site they hosted was not only owned by a botmaster, but serving up exploits via a hacked website.
They responded with a snottogram telling him to review various resources before submitting a properly formatted and self-authenticated report of the Intellectual Property (IP) infringement about which he was complaining. Nice one, Softlayer. If you don't like the question, pretend it was a different question.
I've also just read here about a company that apparently declined to take action against a site responsible for internet abuse because it belongs to a paying customer.
"It's a very very … mad world…"
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/