[ISN] PayPal mistakes own email for phishing attack

From: InfoSec News <alerts_at_private>
Date: Mon, 7 Dec 2009 01:38:41 -0600 (CST)
http://www.theregister.co.uk/2009/12/04/paypal_phishing_false_alarm/

By John Leyden
The Register
4th December 2009

Banks and financial institutions are fond of lecturing customers about 
the perils of phishing emails, the bogus messages that attempt to trick 
marks into handing over their login credentials to fraudulent sites. Yet 
many undo this good work by sending out emails themselves that invite 
users to click on a link and log into their account rather than going a 
safer route and telling users to use bookmarked versions of their site.

The problems of the former approach are neatly illustrated by a blog 
posting by Randy Abrams, a former Microsoft staffer who is now director 
of technical education at anti-virus firm Eset. Abrams complained about 
the inclusion of a link in an email from PayPal as it looked rather too 
much like a phishing email.

PayPal support staffers responded not by noting that Abrams may have a 
point, which it would consider, but by treating its own email - which it 
acknowledged was "suspicious-looking" - as a phishing attack.

"Not even PayPal support can tell the difference between a legitimate 
PayPal email and a phishing attack," Abrams notes.

[...]


Received on Sun Dec 06 2009 - 23:38:41 PST