Skip Links

PayPal phishing scams ramp up for holidays

Internet users should not assume that because they're somewhat savvy that they are invulnerable, warns one security expert

By Taylor Armerding, CSO
December 07, 2012 08:05 AM ET

CSO - 'Tis the season to be careful. That should be no surprise. Given that the online holiday shopping season is peaking, cybercriminals would be expected to ramp up their efforts as well.

12 scams of Christmas and how to avoid them

But it might be a bit surprising -- not to mention depressing for security evangelists -- that one of the oldest and typical scams aimed at online buyers is still successful: PayPal email phishing.

Paul Ducklin wrote this week on Naked Security that Australian PayPal users are being targeted. But there is also word of the same thing happening in Ontario, Canada.

It won't stop there. Chester Wisniewski, a senior security adviser at Sophos, noted that PayPal is used worldwide."It is a global phenomenon. These guys are equal opportunity exploiters," he said.

Even though the scam is common, Wisniewski said it remains successful. He said nobody but the criminals know just how successful they are, however. "Scams that aren't working die quickly, so we can assume that these must work quite well considering the frequency that we see them," he said.

Fred Touchette, a senior security analyst at AppRiver, said that "most victims shy away from admitting their losses except to perhaps their banking institution when attempting to recover their loss."

And even if the number is relative small, phishers have succeeded, said Catalin Cosoi, chief security researcher at Bitdefender. "Attackers don't need high rates of success, as phishing is just like handing out leaflets in the mall," Cosoi said "If one gets two or three customers out of every 100, mission accomplished."

The scam is by now familiar not just to security experts but to any reasonably savvy Internet user. It starts with a somewhat credible-looking email with the PayPal logo "acknowledging" a payment for something that the intended victim didn't buy. It provides an embedded link inviting the recipient to click on it to dispute the charge.

"And that's the ploy, of course," Ducklin wrote. "Hovering over the 'Press here to cancel this payment' link should be enough to reveal the bogosity. You won't be sent to PayPal but to a lookalike impostor site that helps itself to your login details."

Click on the bogus link and the criminals will steal your identity.

Wisniewski said he believes the primary victims of the scam are less savvy Internet users, whether that be old, young or simply not technical. But anyone can get stung by the social engineering. "Sometimes more tech-savvy people fall victim as well when they don't think things through before they click," he said.

[See also: Phishing - the basics

Touchette said the season makes the scam more successful. "Many people are waiting on what are often multiple purchases to arrive from multiple sources, and may be eager to read any sort of notification about said purchases. This can really bring one's guard down," he said.

Wisniewski said his own mother, who lives in Michigan, "actually clicked one of these things last month. Thankfully Sophos Anti-Virus picked up the payload -- a Zeus banking Trojan in this case."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News