After receiving an e-mail that appears to come from PayPal, users are asked to log in to their account and then to provide their credit card details, ATM PIN included, on a fake PayPal web page.
2010 opens with a phishing surprise for PayPal users. The mechanism behind it is simple and it goes after two targets in one go: the PayPal account credentials and the credit card information.
First comes the fake official PayPal e-mail, which urges users to confirm their e-mail address and credit card information as part of a supposedly "innovative" means of monitoring "inactive customers" and "non-functioning e-mail boxes".
As usual, social engineering ingredients come in handy in this kind of message. In this case, two elements emphasize the urgency of the matter: a warning that the account will be restricted and removed, and a clear deadline, January 12.
If the reference to credit card information in this context does not ring an alarm bell, gullible users take the second step of the scheme and log in to their PayPal account. That is the first strike: the user name and password are typed into a fake PayPal page, not the real one.
The third and final step takes users to a page where they are supposed to fill in various personal details, all in the name of standard security maintenance procedures: name, address, credit card number and the like. If the request for the credit card's ATM PIN, strategically placed last, does not raise any suspicion, the deal is sealed. Note that no legitimate web login ever needs an ATM PIN; the PIN only exists for cash withdrawals at a terminal.
Once again, standard preventive measures will keep PayPal users safe from harm:
•Make sure your anti-phishing filter, as well as any other security applications or suites, is activated and up to date before browsing to your e-banking account. Ideally, you should install, activate and regularly update a reliable security solution.
•Double-check the URL of the page you are on, especially if you are required to fill in credit card information.
•Make sure that the e-banking Web site uses SSL encryption (Secure Sockets Layer) and proper authentication: look for the "https" prefix and the locked padlock. Keep in mind that the padlock only tells you the connection is encrypted; it does not by itself tell you who is at the other end, so the name on the certificate matters. If you are asked to accept a certificate for the session, check that the name on the certificate matches the name of the institution you wish to deal with and that the certificate is signed by a known Certificate Authority such as Thawte or VeriSign before accepting. An unexpected certificate warning on a site you use regularly is itself a reason to stop.
•NEVER disclose your PIN to anyone, under any circumstances.
•Avoid using a computer you do not control (such as a friend's desktop or a colleague's laptop). If you have no choice, at least run BitDefender's online scanning tool, Quick Scan, before proceeding.
•Do not check your e-banking account from public computers connected to the Internet (such as those in a library or Internet café).
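To make the "double-check the URL" advice concrete, here is an added example (not part of the original post, and not a BitDefender tool) showing the tricks phishing pages rely on to make a foreign address look like the real one: a plain "http" scheme, a user-info prefix such as "https://www.paypal.com@evil.example/" where the part before the "@" is ignored by the browser, the real brand name buried in a longer host name, digit-for-letter look-alikes, bare IP addresses and punycode ("xn--") labels. It assumes paypal.com is the domain the user intends to reach; the host names and addresses in the tests are constructed for illustration. Certificate-name checking is left to the browser's warning dialog, as described above.

```python
"""Added example: flag the URL tricks phishing pages use before typing credentials.
Not part of the original post; paypal.com is assumed to be the intended site."""
from ipaddress import ip_address
from urllib.parse import urlsplit

LEGITIMATE_DOMAIN = "paypal.com"  # assumption: the domain the user means to visit
BRAND = "paypal"                  # brand string phishers embed in look-alike hosts
# Digits commonly swapped for letters in look-alike names (1 for l, 0 for o).
HOMOGLYPHS = str.maketrans("10", "lo")


def host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.
    'paypal.com.evil.example' ends with neither, so it is rejected."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_login_url(url: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme.lower() != "https":
        findings.append(("no-https", "no SSL: credentials would travel in the clear"))
    if parts.username is not None:
        # Browsers treat everything before '@' as a user name, not as the host.
        findings.append(("userinfo", f"text before '@' is ignored; real host is {host!r}"))
    if not host:
        findings.append(("no-host", "no host name at all"))
        return findings
    if is_ip_literal(host):
        findings.append(("ip-literal", "bare IP address instead of a domain name"))
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("punycode", "internationalised label; may imitate Latin letters"))
    if not host_belongs_to(host, LEGITIMATE_DOMAIN):
        findings.append(("foreign-host", f"{host!r} is not {LEGITIMATE_DOMAIN} or a subdomain of it"))
        if BRAND in host.translate(HOMOGLYPHS):
            findings.append(("lookalike", "brand name embedded in a host you do not control"))
    return findings


def codes(url: str) -> list[str]:
    """Just the finding codes, in order, for quick comparison."""
    return [code for code, _ in check_login_url(url)]


if __name__ == "__main__":
    # Constructed sample addresses, not real phishing URLs.
    for sample in (
        "https://www.paypal.com/signin",
        "https://www.paypal.com@evil.example/",
        "http://paypal.com.account-verify.example/",
        "https://paypa1.com/",
        "https://203.0.113.5/paypal/login",
    ):
        print(sample, "->", codes(sample) or "looks legitimate")
```

Only the first sample passes; every other address is flagged, and the "userinfo" case in particular shows why reading the address bar from left to right is not enough: the host the browser actually connects to is whatever follows the "@".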