June 16, 2006 4:12 PM PDT

PayPal fixes phishing hole

PayPal has fixed a flaw in its Web site to block a sophisticated scam designed to obtain sensitive data from members, the payment service said Friday.

By exploiting the flaw, attackers were able to redirect people from a PayPal Web page to an online trap located in South Korea, a representative for the service said. The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account had been compromised. It then redirects them to a "phishing" Web site.

At the malicious, information-thieving Web site, people are asked for their PayPal login information, experts at Netcraft, an Internet monitoring company in England, said in an advisory. Subsequently, the scammers are urged to enter their Social Security number and credit card details, Netcraft said.

"As soon as we became aware of this scheme, we changed some of the code on the PayPal Web site. So this scheme, or any scheme like it, can no longer be effective," Amanda Pires, a PayPal spokeswoman, said in an interview.

PayPal, a unit of online auctioneer eBay, is working with the Internet service provider that hosts the malicious site to get it shut down, Pires added. The company has no information on how many people may have fallen victim to the scam, she said.

See more CNET content tagged:
PayPal, phishing, scam, flaw, eBay Inc.


Join the conversation!
Add your comment
When will PayPal and other financial firms require stronger authentication?
Many forms of stronger auth exist, without forcing vendors to pay for two-factor. One example is captcha-based authentication described here:

<a class="jive-link-external" href="http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html" target="_newWindow">http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html</a>

In addition, SSL for all transactions is an absolute requirement. Another is communication plans that utilize webmail hosted on the financial website only (i.e., no direct communications through an email channel).
Posted by directorblue (148 comments )
Reply Link Flag
PayPal doesn't even have an age check!
So many freaking kids used their parent's credit card to buy stuff and then the parent chargeback! PAYPAL NEEDS COMPETITION FROM GOOGLE!
Posted by tony_z (32 comments )
Link Flag
... or smarter email
If PayPal really wanted to make identifying them as the legitimate company from phishing scams, they would make the step to email that authenticates. Yes, it would mean customers would have to install the software to access the email, but there are simple solutions available that make downloading no more difficult than getting an IM account. PayPal themselves would only have to buy licenses for them to send the emails, customers access them for free. Secure, authenticated, and inexpensive.

I think it's time for companies like PayPal, Ebay and your average credit card company to start requiring this from the customers, for their own protection.

<a class="jive-link-external" href="http://www.essentialsecurity.com/" target="_newWindow">http://www.essentialsecurity.com/</a>
Posted by 209979377489953107664053243186 (71 comments )
Link Flag

I am just starting up my online store, and am exploring ecommerce providers. I came across SWREG. They have new pricing for 0% (http://usd.swreg.org/zeropercentecommerce.htm). Has anyone used them, the features offered make it pretty interesting.

Posted by jetter99 (4 comments )
Link Flag
C'mon guys
PIN ##s - are the only way to go with Credit Cards. I mean, it's retarded we don't have them already for in person use - even though a biometric reader integrated into my Toshiba Libretto is the real future.

Why not biometrically scan our fingerprints?

Guess they don't want a rush of "finger" choppings?
Posted by lonny paul (52 comments )
Reply Link Flag
Find The Phishers and "Sanction" Them!
Enough! Find the phishers and "sanction" them! These people are the 21st Century version of 18th Century pirates. That scourge was eliminated by hunting them down, bringing them swiftly to trial, hanging them and displaying their rotting corpses for all other would-be pirates to see. Let's do the same with these bastards with the added touch of displaying their corpses on the Internet!
Posted by westrajc (78 comments )
Reply Link Flag
A little Islamic Law?
Cutting off their hands perhaps? No more coding.
Posted by Gromit801 (393 comments )
Link Flag
If it were only so easy...
I completely agree, phishers/pirates/thieves whatever you call them these days need to be taken care of. They are now targeting civilians and making them seem personally responsible because they were not careful enough in giving out their Social Security/Credit Card etc. These pages are so difficult to identify because it is not an everyday task to check every little detail of a web page to make sure it is legitimate.

Phishers are like email hackers, they go about their business so subtly and make the victim (usually helpless individuals) feel utterly guilty about not being too careful. One way to prevent phishing scams is to make sure that you are using an encryption program that lets you identify exactly who sent you the message and for what purpose it was sent. Phishing is one of the most obvious, but widespread forms of identity theft and it seems like people have done minimal to stop it, lets change our ways and spread awareness.
<a class="jive-link-external" href="http://www.techknowbizzle.com/2006/03/anatomy-of-phishing-scam.html" target="_newWindow">http://www.techknowbizzle.com/2006/03/anatomy-of-phishing-scam.html</a>
Posted by Nkully86 (59 comments )
Link Flag
When will Paypal use SPF or equivalent email protection?
It's nice that they found and fixed a bug. But 99.9% of the email I get purporting to be from Paypal or EBay is spam that *doesn't* come from Paypal/EBay's mail servers. When will they enable SPF so my mail client or mailbox service can discard it without bothering me with it? (Or if not SPF, then Microsoft's or somebody else's DNS-based email source verifier - I don't really care whose.) Digital signatures are nice too, but I want to discard most of the obvious forgeries first, and it's only about 1 step above a no-brainer to implement.
Posted by billstewart (12 comments )
Reply Link Flag
i became a victim of a paypal hacked account, to the tune of &1600.00
when I finally got word to GE MONEY BANK, they have a slow process to resolving fraud, when servicing accounts.
The 2 weeks later I received an email from service at PayPay, stating they investigated my request and found no validity in my complaint.
Well, after recovering from absolute anger and fear, I called GE MONEY BANK, they stated, no email was authorized from PayPal, that investigation had not even gotten me the paperwork. It was stated that at no time does PP ever send out emails of this sort.
Going on line alerted me to the site being inveastigated. SI I GUESS I HAVE TO WAIT FOR THE PAPERWORK AND REALLY SET UP SOME SECURITY PEREMETERS.
Posted by cjin (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.