sorinmustaca.com – Sorin Mustaca – personal blog. Security software, agile development, scrum, programming and more

I received from the CompTIA Smartbrief newsletter a notification about an interesting article: PayPal security guru: No one is safe from threats

This is the article PayPal security chief on Epsilon breach and more written by Elinor Mills of Cnet.

I agree with most of the comments of Mr. Barret until this one:

Q: Is phishing still the bane of PayPal and its customers?

Barrett: I joined PayPal almost exactly five years ago and it’s fair to say the company had not realized at that point the true significance of phishing. But since that time we’ve put in place a number of defenses against it. It probably will never go away completely as a problem, but it can be substantially minimized.

We’re at No. 8 on a list of most phished sites, which is better than being No. 1.

I’m not satisfied with being No. 8 and I’d really like to obliterate the crime completely, but I realize that will take another five years to get to that state.

Ohoooo…..Wow….
Mr. Barret, please wake up….
You’re dreaming, and in this dream, Paypal is actually no longer no. 1 in the top of the most phished brands.
In my top in the cruel world, Paypal takes and holds the lead with over 40% of the phishing attacks and the rest of the brands are somewhere at 10% and below that.

Please read the statistics which Avira and other vendors are producing.
Even they are not identical, you will see that PayPal is always in top 3 if not even the first one.

PayPal security warning email with malware

There is a new wave of emails pretending to come from Paypal having a ZIP archive attached.
The email says that your PayPal account have been accessed by a third party and, in order to protected your account, PayPal has been locked.The user is invited to review the report attached to the email, the zip archive, containing a single executable following the template account–report.exe

There is no link inside the email, so everything was made “easy” the user : he should only extract the file and execute it.
Please don’t because it contains a malware detected by all Avira products as the dropper DR/Delphi.Gen.

Project Honeypot published this nice article which contains all kind of data and graphics here:
1 Billion Spammers Served

All nice and shiny, but I have a problem with this graphic:

Notice that PayPal is about 1% …

Our data, gathered by the URLCheck service, gives us completely different numbers:

So, don’t believe everything what you see…

John Graham Cumming is maintaining his Spammer’s Compendium and he is giving names to spam techniques.
I reported some time ago one technique used in PayPal phishing emails and he created a method: Cross your fingers and click (UH!Mustaca!HTML)

What: Making what looks like a valid link to PayPal turn into a link to a phishing site using a FORM and a cleverly constructed INPUT tag.
Date added: June 30, 2006
Example from the wild:
(Reported by Sorin Mustaca)

Subject:PayPal & eBay
From:”PayPal”
Date:Thu, 6 Jul 2006 04:36:34 -0700
To:undisclosed-recipients:;

This e-mail is the notification of PayPal Become One With eBay.
We’re excited about this change because it allows us to offer you:
* Easier access to all your account information* Enhanced Online Bill Payment

* Transfer balances online

* Mass Payment allows anyone to send multiple payments instantly-saving time,
money and the hassle of having to individually send funds to every payment recipient and others.

You won’t need to do anything to prepare for the move, just continue logging on to
PayPal account by access the link bellow :
https://www.paypal.com/cgi-bin/webscr?paypal&ebayThis notification expires July. 15, 2006
Note : Ignoring this message will cause losing the account .
Thank You PayPal & eBay Company