PayPal and Phishing Continued: Grooming Phish Victims

In view of some of the discussion generated by Randy's blog on PayPal's "confession" of "phishing", it's refreshing to see a straightforward summary of the issue from the estimable Larry Seltzer for PC Mag (see http://blogs.pcmag.com/securitywatch/2009/12/paypal_admits_to_phishing_its.php?sms_ss=twitter).

PayPal's view of the issue seems equivocal. They've gone to some lengths to dismiss this issue as the agenda of a single researcher (sorry guys, but quite a few of us agree with him!), but in the past, PayPal's own communications have warned about clicking on links in emails. For instance:

"NEVER give your password to anyone and ONLY log in at https://www.paypal.com/. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account."

(That comes from a sample email from PayPal that Andrew Lee and I used in a phishing presentation a couple of years ago: see the Virus Bulletin paper at http://www.eset.com/download/whitepapers/Phish_Phodder.pdf)

While in its own phishing quiz at https://www.paypal-marketing.co.uk/safetyadvice/TakeTheQuiz.htm you'll find statements like these:

"All URLs can be faked. Always open a new window and type the address into the browser."

"Always log into PayPal by opening a new browser and typing in the following: https://www.paypal.com. If a URL looks suspicious, don't click it."

Isn't that pretty much what Randy said?

It seems that it's not only PayPal that isn't too careful about sending appropriate responses. A friend of ours tells us that he advised a hosting company that a site they hosted was not only owned by a botmaster, but serving up exploits via a hacked website.

They responded with a snottogram telling him to review various resources before submitting a properly formatted and self-authenticated report of the Intellectual Property (IP) infringement about which he was complaining. Nice one, Softlayer. If you don't like the question, pretend it was a different question.

I've also just read here  company that apparently declined to take action against a site responsible for internet abuse because it belongs to a paying customer.

"It's a very very ... mad world..."

David Harley
Director of Malware Intelligence