PayPal fixes phishing hole

PayPal has fixed a flaw in its Web site to block a sophisticated scam designed to obtain sensitive data from members, the payment service said Friday.

By exploiting the flaw, attackers were able to redirect people from a PayPal Web page to an online trap located in South Korea, a representative for the service said. The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account had been compromised. It then redirects them to a "phishing" Web site.

At the malicious, information-thieving Web site, people are asked for their PayPal login information, experts at Netcraft, an Internet monitoring company in England, said in an advisory. Subsequently, the scammers are urged to enter their Social Security number and credit card details, Netcraft said.

"As soon as we became aware of this scheme, we changed some of the code on the PayPal Web site. So this scheme, or any scheme like it, can no longer be effective," Amanda Pires, a PayPal spokeswoman, said in an interview.

PayPal, a unit of online auctioneer eBay, is working with the Internet service provider that hosts the malicious site to get it shut down, Pires added. The company has no information on how many people may have fallen victim to the scam, she said.

[directorblue]

When will PayPal and other financial firms require stronger authentication?

Many forms of stronger auth exist, without forcing vendors to pay for two-factor. One example is captcha-based authentication described here:

http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html

In addition, SSL for all transactions is an absolute requirement. Another is communication plans that utilize webmail hosted on the financial website only (i.e., no direct communications through an email channel).

[lonny paul]

C'mon guys

PIN ##s - are the only way to go with Credit Cards. I mean, it's retarded we don't have them already for in person use - even though a biometric reader integrated into my Toshiba Libretto is the real future.

Why not biometrically scan our fingerprints?

Guess they don't want a rush of "finger" choppings?

[westrajc]

Find The Phishers and "Sanction" Them!

Enough! Find the phishers and "sanction" them! These people are the 21st Century version of 18th Century pirates. That scourge was eliminated by hunting them down, bringing them swiftly to trial, hanging them and displaying their rotting corpses for all other would-be pirates to see. Let's do the same with these bastards with the added touch of displaying their corpses on the Internet!

[billstewart]

When will Paypal use SPF or equivalent email protection?

It's nice that they found and fixed a bug. But 99.9% of the email I get purporting to be from Paypal or EBay is spam that *doesn't* come from Paypal/EBay's mail servers. When will they enable SPF so my mail client or mailbox service can discard it without bothering me with it? (Or if not SPF, then Microsoft's or somebody else's DNS-based email source verifier - I don't really care whose.) Digital signatures are nice too, but I want to discard most of the obvious forgeries first, and it's only about 1 step above a no-brainer to implement.