2010 opens with a phishing surprise for PayPal users. The mechanism behind it is simple and it aims at two targets in one go: the PayPal account and the credit card information.

First comes the fake official PayPal e-mail, which urges users to confirm their e-mail address and credit card information as part of a supposedly “innovative” means of monitoring “inactive customers” and “non-functioning e-mail boxes”.

As usual, social engineering ingredients come in handy in this kind of message. In this case, two elements emphasize the urgency of the matter: a restriction and removal warning, and a clear deadline, January 12.

If the reference to credit card information in this context does not ring an alarm bell, gullible users will take the second step of the furtive procedure and log in to their PayPal accounts. That is the first strike, as the user name and password are typed into a fake PayPal page.

The third and final step takes users to a page where they are supposed to fill in various pieces of personal information, all in the name of standard security maintenance procedures: name, address, credit card number and the like. If the request to provide the credit card’s ATM PIN, strategically placed last, does not raise any suspicion, the deal is sealed.
Once again, standard preventive measures will keep PayPal users safe from harm:

- Make sure you always activate or turn on your antiphishing or phishing filter, as well as any other security applications or suites, before browsing to your e-banking account. Ideally, you should install, activate and update a reliable security solution.
- Double-check the URL of the page you are on, especially if you are required to fill in credit card information.
- Make sure that the e-banking Web site uses SSL encryption (Secure Sockets Layer) and security authentication methods – look for the “https” prefix and the locked padlock. If you are requested to accept a certificate for the session, check that the name on the certificate matches the name of the institution you wish to deal with and that the certificate is signed by a known Certificate Authority such as Thawte™ or VeriSign.
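The “double-check the URL” advice above can be turned into a mechanical check. The following is an added example (not code from the original post or from PayPal) that parses a login URL the way a browser would and reports the signs a user should look for: a missing `https`, a user-info trick that puts the brand name before an `@`, and a host that merely contains the brand name without being under the institution's real domain. The trusted-domain set and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed for this example: the domain(s) the institution legitimately uses.
TRUSTED_DOMAINS = {"paypal.com"}

NOT_HTTPS = "page is not served over https"
USERINFO = "text before '@' is not the host name"
NO_HOST = "URL has no host"
UNTRUSTED = "host is not under a trusted domain"
BRAND_LURE = "host contains the brand name but is not the brand's domain"


def check_login_url(url: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return the warnings a user should heed for this URL ([] means it passed)."""
    warnings = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        warnings.append(NOT_HTTPS)
    # "https://www.paypal.com@evil.example/" puts the brand in the userinfo part;
    # the real host is whatever follows the '@'.
    if parts.username is not None:
        warnings.append(USERINFO)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append(NO_HOST)
        return warnings
    # A legitimate host is the registrable domain itself or a subdomain of it.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        warnings.append(UNTRUSTED)
        # "paypal.com.secure-update.example" reads like the brand but is not it.
        if any(d.split(".")[0] in host for d in trusted):
            warnings.append(BRAND_LURE)
    return warnings


def run_samples() -> dict[str, list[str]]:
    """Constructed sample URLs: one genuine, three shaped like phishing lures."""
    samples = [
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://www.paypal.com@login-verify.example/",
        "https://paypal.com.secure-update.example/confirm",
    ]
    return {u: check_login_url(u) for u in samples}


if __name__ == "__main__":
    for url, warns in run_samples().items():
        print(url, "->", warns or "OK")
```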