June 16, 2006 4:12 PM PDT

PayPal fixes phishing hole

PayPal has fixed a flaw in its Web site to block a sophisticated scam designed to obtain sensitive data from members, the payment service said Friday.

By exploiting the flaw, attackers were able to redirect people from a PayPal Web page to an online trap located in South Korea, a representative for the service said. The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account had been compromised. It then redirects them to a "phishing" Web site.

At the malicious, information-thieving Web site, people are asked for their PayPal login information, experts at Netcraft, an Internet monitoring company in England, said in an advisory. Subsequently, the victims are urged to enter their Social Security number and credit card details, Netcraft said.

"As soon as we became aware of this scheme, we changed some of the code on the PayPal Web site. So this scheme, or any scheme like it, can no longer be effective," Amanda Pires, a PayPal spokeswoman, said in an interview.

PayPal, a unit of online auctioneer eBay, is working with the Internet service provider that hosts the malicious site to get it shut down, Pires added. The company has no information on how many people may have fallen victim to the scam, she said.

8 comments
When will PayPal and other financial firms require stronger authentication?
by directorblue June 16, 2006 5:00 PM PDT
Many forms of stronger auth exist, without forcing vendors to pay for two-factor. One example is captcha-based authentication described here:

http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html

In addition, SSL for all transactions is an absolute requirement. Another is communication plans that utilize webmail hosted on the financial website only (i.e., no direct communications through an email channel).
C'mon guys
by lonny paul June 16, 2006 5:40 PM PDT
PIN ##s - are the only way to go with Credit Cards. I mean, it's retarded we don't have them already for in person use - even though a biometric reader integrated into my Toshiba Libretto is the real future.

Why not biometrically scan our fingerprints?

Guess they don't want a rush of "finger" choppings?
Find The Phishers and "Sanction" Them!
by westrajc June 16, 2006 6:14 PM PDT
Enough! Find the phishers and "sanction" them! These people are the 21st Century version of 18th Century pirates. That scourge was eliminated by hunting them down, bringing them swiftly to trial, hanging them and displaying their rotting corpses for all other would-be pirates to see. Let's do the same with these bastards with the added touch of displaying their corpses on the Internet!
When will Paypal use SPF or equivalent email protection?
by billstewart June 22, 2006 2:00 AM PDT
It's nice that they found and fixed a bug. But 99.9% of the email I get purporting to be from Paypal or EBay is spam that *doesn't* come from Paypal/EBay's mail servers. When will they enable SPF so my mail client or mailbox service can discard it without bothering me with it? (Or if not SPF, then Microsoft's or somebody else's DNS-based email source verifier - I don't really care whose.) Digital signatures are nice too, but I want to discard most of the obvious forgeries first, and it's only about 1 step above a no-brainer to implement.