eBay Australia rolls out anonymous messaging

September 22, 2008

eBay Australia has announced the roll-out of anonymised emails between eBay members. Pre-sale ASQs (Ask Seller a Question messages) will no longer show the sender’s email address; instead they will be sent from a temporary eBay-based email address. Recipients will be able to reply directly to this address from their email client, and eBay will forward the messages to the correct, real-world email. The addresses eBay uses are composed of an apparently random string of 10-14 letters and numbers; how long these “temporary” addresses remain valid isn’t yet clear. Members who have already completed a purchase together will be able to see each other’s email addresses as normal.

Currently, eBay are not verifying that the email address used to reply is the “correct” one, i.e. that it matches the address registered to the eBay account the message was sent to. This is, they say, a “short grace period”, presumably to allow members to ensure their registered email addresses match the ones their email client uses.

So today I’ve been able to reply to trial messages with emails registered with other eBay accounts, and emails that aren’t linked with any eBay account at all, and in all cases, messages sent from the ‘wrong’ email address still arrive with eBay subject lines suggesting they’ve come from the correct eBay member.

If a phisher gets hold of one of these temporary email addresses, or randomly generates the correct sequence of letters and numbers, right now eBay’s own system will make their messages look genuine. The only security at present appears to be the obscurity of the email addresses themselves: with the vast amount of processing power at phishers’ disposal, generating some correct matches surely isn’t going to be difficult. eBay would have done better to give members more information about this in advance, so that registered addresses and email clients could have been made to match, rather than leaving the system so insecure, even if temporarily.

There’s currently no published timeline for the implementation of this system on other eBay sites, though it is expected to roll out everywhere in the next few months.

Google to protect users from eBay & PayPal spoofs

July 8, 2008

eBay and PayPal have announced today that Google is working to eliminate spoof emails and protect Gmail users from eBay and PayPal phishing. Google are to implement DomainKeys authentication and will reject any email purporting to be from eBay or PayPal that fails the signature check, deleting it before it even arrives in Gmail users’ inboxes.

Yahoo! were the first to implement DomainKeys checking for eBay and PayPal emails back in October last year, and Gmail will join Yahoo! Mail as one of the first to protect their users from phishing.

Michael Barrett, PayPal’s Chief Information Security Officer, spoke of Google’s decision, calling it “a significant step forward in our fight to keep consumers safe from phishing and cybercrime”. For me as a seller it’s great news to know that millions more unsuspecting buyers will have their accounts protected. Safe, happy buyers spend more, and that’s what eBay is all about.

    Abbey gets phished 4.5 times as often as PayPal

    May 23, 2008

    Have you noticed a downturn in the number of phishing emails you receive purporting to be from PayPal? If not, you should have, or at least you should be receiving proportionally more purporting to be from other companies.

    Abbey is now the No.1 phishing target: in the last quarter it attracted 32.99% of all phishing according to anti-spam company ClearMyMail, followed by Citibank with 19.15% and NatWest with 11.6%.

    PayPal attracted only 7.19% of phishing emails which, although still high, is considerably less than when they held the No.1 position as a target.

    More frightening is the 8,156 phishing emails per person received in the first three months of the year. That’s 90 phishing emails per day per Internet user, which have to be filtered either manually or with spam filters.

    How do you handle your email spam?

    PayPal to block unsafe old browsers

    April 18, 2008

    PayPal are to block old browsers in an attempt to improve security. In a white paper discussing anti-phishing measures, the company said, “The alarming fact is that there is a significant set of users who use very old and vulnerable browsers, such as Microsoft’s Internet Explorer 4 or even IE 3.” Unlike more up-to-date versions of Internet Explorer and Firefox, these browsers do not have any phishing filters. Earlier this year, PayPal advised users of Apple’s Safari to use another browser to access the internet, as Safari lacks crucial anti-phishing features such as a filter for known or potential phishing sites, and visual cues which tell users when they are on a safe site.

    In their fight against online fraudsters, PayPal go a step further, proposing that the process of blocking old browsers should be a rolling one, saying that “any Web site that asks for personal or financial information” should warn users who are one release behind the most up-to-date software, and block anyone who is two or more releases behind the times. Currently that would mean anyone using IE5 or earlier blocked from accessing the site.

    PayPal comment “in our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.” And as those using older browsers are perhaps likely to be those who know the least about internet security, ensuring they’re using the most up-to-date software to help them is a great move on PayPal’s part.

    eBay Germany allows phishers free rein

    March 13, 2008

    This post was written in March 2008; specific information contained within it may be out of date.


    This week Auctionbytes were given a live demonstration on how phishers can capture eBay user names and passwords.

    Falle-Internet.de explained that viewing an auction containing certain code could capture your personal information from eBay, and clicking links could also capture your eBay password.

    In the UK all but the most basic types of HTML or JavaScript are banned for all users. Germany, however, has different rules allowing experienced sellers to use more sophisticated code in their auctions. eBay UK told us each eBay country site has discretion on “how to run their business to suit their marketplace”, and this includes whether to allow JavaScript in auctions. In the UK it is not possible to use the offending code, so all UK auctions are safe to view.

    Viewing an auction listed on eBay Germany while you are logged into eBay.co.uk could still allow the malicious code to execute; the only safe way to view these auctions is to block scripts from running in your browser.

    Our recommendation for all sellers would be to use a separate eBay account for buying. If you’re browsing auctions, especially from Germany, make sure that you’re logged out of your main selling account. That way, if you’re unfortunate enough to have an account hacked, at least it won’t impact your income.

    eBay and PayPal phishing slows

    October 16, 2007

    According to a report out today from anti-virus vendor Sophos, eBay and PayPal phishing emails have dropped significantly in the past year. A year ago nine out of ten spoof emails were targeting either PayPal or eBay; today it’s down to one in five.

    Graham Cluley of Sophos explained “PayPal and eBay users are much less likely to be targeted by virtual muggers, in part due to the efforts the firms have made in educating their customers about what to look out for, and how to protect themselves. The phishers are not turning away from their life of crime, however. They are now turning to a bigger pool of potential victims.”

    Whilst eBay and PayPal users are much more aware of phishing emails, the fraudsters are simply turning to other companies to target. Smaller credit card companies, online retailers and companies in specific geographic regions are more likely to be the target of phishing today.

    HSBC says “No” to PayPal style security keys

    September 6, 2007

    PayPal have yet to roll out the PayPal security key worldwide - I picked up mine in Boston at eBay Live! but am still unable to use it in the UK. Now it appears that the two factor authentication (something you know and something you have) may not give the security that was promised.

    I wrote about my concerns back in January of this year: two factor authentication was never designed for use on the Internet. Today I’m joined in regarding two factor authentication as flawed by HSBC Bank.

    HSBC have chosen to use what’s known as an out-of-band security solution. Instead of relying on computers and passwords (even if generated by a security key) they will utilise the user’s mobile phone and a PIN to authenticate their customers.

    The weakness of two-factor authentication is that the PC used to access the bank’s site may be commandeered by hackers.

    Two-factor is not bulletproof - the PC may be compromised and it makes no sense to us to feed information into a compromised channel
    HSBC personal internet banking manager Nick Staib

    HSBC and eBay.co.uk both sponsor the Get Safe Online campaign backed by the government. If HSBC are questioning the efficacy of security keys for online financial applications it may be time to look for new solutions.

    Two factor authentication with the PayPal security key would be a welcome bump to online safety in the UK. The big question is, by the time it’s introduced, will the PayPal security key be redundant?

    There’s something phishy about eBay

    August 13, 2007

    So as I mentioned in the forum, one of my IDs has been made a powerseller this weekend. Sadly my delight at receiving this ultimate eBay accolade has been slightly overshadowed by the frankly phishy nature of the communications I’ve received from eBay.

    Firstly, the email has come via - uh - email: there’s not a sign of it in My Messages. Considering that appearance or not in My Messages is supposed to be the yardstick of a genuine communication, this isn’t good. Being the suspicious type I am, I went to the Powerseller Portal and signed up there, rather than using the button in the email. Then there’s the fact that over the last 48 hours, I’ve received three copies of the same email. I know they love me, but I got the message the first time :-D

    However, most worrying (and this is what I’ll be writing to Support about today) is the fact that the emails were all addressed to an ID which was changed almost a year ago. If eBay can’t get my ID right, how on earth am I supposed to tell their messages from the phishers’?

    So two points in conclusion:

    • even if you think it’s from eBay, don’t click the link in the email: go through the links on the site, and
    • even if you think it’s phishing, it might sometimes be worth checking out!

    Garreth Griffith comes out of hiding

    July 19, 2007

    We thought we’d scared Garreth off when we revealed his super-dedication to eBay at the time he launched the Trust and Safety blog. Not so though: he’s come back with a vengeance and a new video clip on the Safety Centre home page.

    In the video he covers the basics of phishing, how to spot if your account is compromised, and what to do to contact eBay. It’s all pretty basic stuff to a seasoned eBayer but it’s great for newcomers to the site.

    There’s a second video with tips on Buying Safely on eBay which again is great for newcomers to the site. It gives some basic tips on how to assess a seller and make sure they are trustworthy and the item is the one you want.

    It’s refreshing to see a senior figure from eBay in person, even if it is just on video. Too often the company is a faceless behemoth and although each and every transaction is personal to the buyer and seller the marketplace can appear unapproachable.

    I’ve just one question though…. Garreth, you began your Trust and Safety blog on the 17th January and still only have one post. Surely something newsworthy has happened in Trust and Safety that you want to share with us?

    How to stop phishing emails

    June 20, 2007

    According to YouGov survey results out today, 46% of the UK population don’t have a clue what phishing is. The good news is that only about 2% of UK residents have fallen for a phishing scam, but that 2% equates to millions of people, demonstrating why our inboxes are still bombarded with spoof emails.

    So what can be done to stop the flood of spoof emails? The first and easiest step, if you receive an email and you’re not sure whether it’s a spoof or legitimate, is to forward it to spoof@ebay.co.uk or spoof@ebay.com. Within minutes you’ll have a reply confirming whether your email is genuine or not; in addition, if it is a spoof, the fake website will be entered into an international database of known scam websites. From then on anyone with the latest browsers will be warned with a red address bar that they’re viewing a spoof site, and anyone with the eBay toolbar will be warned if it’s a fake eBay or PayPal site. Currently only 5% of people who recognise they’ve received a phishing email forward it to the company it purports to come from, alerting their anti-phishing taskforce. The two-fold task of identifying new phishing sites and measuring the scale of phishing can only take place if more users forward the spoof emails they receive.

    The next important step is the signing of emails with DomainKeys. Companies such as eBay and PayPal have already started to insert a signature, which users don’t see, within all emails they send to customers. Yahoo are the first ISP to start reading these signatures and will verify that the digital signature is valid and that the email originated from the company it purports to be from. If the domain key doesn’t match, the email can be junked as a spoof. More ISPs will start implementing DomainKeys checking within the next few weeks.

    There are also plugins available for many email readers such as Outlook and Outlook Express, for example Iconix (which is free!). These programs perform similar checks to those ISPs will perform, including domain key verification, and they visually mark emails that are known to be authentic in the user’s inbox. If an email is not marked it could be a spoof, especially if it’s from a company whose emails are routinely flagged with the company logo to show when they are known to be authentic.

    Spoof and phishing emails won’t disappear overnight, but steps are being taken to protect Internet users and stem the tide. The one thing that will stop phishing in the long term is when users stop falling for them. The major incentive is that it only takes a few users each day to fall for a phishing email to net the fraudsters a couple of hundred pounds; in countries such as Romania that’s well above the average wage, so there is a huge temptation to turn to crime.

    In the mean time PayPal have some tips on how to spot a phishing email:

    Top tips to spot a phishing email

    1. Generic greetings. Many spoof emails begin with a general greeting, such as: “Dear PayPal member.” If you do not see your first and last name, be suspicious and do not click on any links or buttons.

    2. A fake sender’s address. A spoof email may include a forged email address in the “From” field. This field is easily altered.

    3. A false sense of urgency. Many spoof emails try to deceive you with the threat that your account is in jeopardy if you don’t update it ASAP. They may also state that an unauthorised transaction has recently occurred on your account, or claim PayPal is updating its accounts and needs information fast.

    - Michael Barrett, PayPal Chief Information Security Officer

    eBay was not hacked this weekend

    February 19, 2007

    Over the weekend, several hundred eBay listings were edited to include a message saying “To buy the item now email [a gmail address]”. Several hundred accounts were compromised: the scammers used four gmail accounts to target high value items such as cars, hi-fi and jewellery.

    There have been some reports stating that the site was hacked, but this is incorrect. Vanessa Canzini (eBay UK’s PR Manager) confirmed to TameBay today that the site itself remained secure. eBay have released a statement to confirm “that the eBay site has not been hacked or compromised in any way” and that the accounts “were compromised and edited after seller password details were obtained via spoof/phishing emails.”

    eBay also point out that they “can provide redress in the rare instance that things go wrong, with the payment protection schemes it offers to both buyers and sellers, but this redress can only be provided if people carry out all transactions on the site.” It’s well known that eBay and PayPal are the target of 75% of all phishing activity on the net, so hacked accounts or in eBay parlance “TKO accounts” (TaKen Over), are nothing new. The only notable fact from the weekend’s activity is that the scammers appear to have saved up several hundred eBay account user names and passwords to edit auctions in bulk.

    Just how much is your eBay user name and password worth? To anyone who’s had the horror of their account taken over quite a lot. To the scammers surprisingly little. Normally those perpetrating the scams aren’t those phishing for passwords. There’s an open market where phishers sell on account details for pennies.

    So what can you do to stay safe? Firstly the eBay site is secure, so if you keep your password secure your own auctions can’t be edited.

    • Don’t click on links from email; type in the URL for eBay or PayPal yourself.
    • Expect every email to be suspect; it probably will be!
    • If it contains important information log into your eBay or PayPal account and you’ll be notified on the site itself.
    • Also consider using the eBay toolbar (for Internet Explorer) which will warn if you’re about to enter your eBay user name and password into a non-eBay site.

    As a buyer, keeping safe is even easier: never ever transact off eBay. If you see something you want to purchase then buy through the eBay site. Pay in a secure manner: either with PayPal, by credit card through the seller’s merchant account, or with services such as Nochex. Don’t ever use cash or Western Union: both methods are banned on eBay anyway.

    Finally change your password on a regular basis and never change it back to one you used in the past - that way if your account is compromised by the time the scammer tries to make use of it they won’t be able to log in anyway.

    Phishing “not significant problem” for Paypal

    February 7, 2007

    Paypal’s chief security officer, Michael Barrett, has said that despite the huge number of phishing emails sent trying to trick his customers out of their accounts, the company’s losses to phishers are relatively low.

    “Financially, phishing is not a terribly significant problem for us … In fact, I suspect that many of the published figures on phishing’s impact are significantly overestimated, probably by an order of magnitude.”

    This may be true, but I suspect that the problems of phishing may be more about perception than actual losses for Paypal. Inexperienced users can become worried and insecure if they frequently receive phishing emails, and that ultimately does no good for either Paypal or eBay. I was recently speaking to a friend who I’d consider to be pretty net-savvy: “I’ve closed my eBay account,” he told me, “I kept getting emails saying I had to update stuff and my account had been compromised, I couldn’t tell if they were real or not, and I couldn’t be bothered with it all, so I closed the account for good.” I wonder how often that happens.

    Though Paypal may see “ordinary credit card fraud” and trojans as a bigger threat than phishing, they are taking one very important step towards making phishing attempts more obvious, and educating users in how to avoid them:

    “As a company, we’re in the process of eliminating all embedded links in our emails, and there’s no reason why a user should ever have to click on those links. It’s a convenience, but it’s not worth the risk.”

    And the sooner they implement that, the better.

    PayPal implements EV SSL to combat phishing

    January 28, 2007

    PayPal have moved further ahead in the fight against phishing by implementing EV SSL certificate support. SSL has been standard in browsers for some time and stands for Secure Sockets Layer; the EV stands for Extended Validation. Other browsers are looking to follow, but Microsoft plans implementation by the end of the month for Internet Explorer 7.

    PayPal are one of the very first sites to go live with EV SSL certificates. Having just released security devices, it’s good to see they’re pushing ahead with more stringent security as well.

    The big difference you’ll see with EV SSL certificates is the lock icon (the padlock or key depending on your browser) will be moved from the Status Bar at the bottom of your browser to the address bar at the top (where you type the web address). In addition the address bar will turn green for known safe sites, red for known phishing sites, and yellow for suspected phishing sites.

    One issue for the Firefox (Mozilla based) browser is that it already changes the address bar yellow for standard SSL certificated websites. With users trained to associate yellow with “safe”, using it for “suspect” on IE will take some getting accustomed to and may lessen the security awareness it might otherwise have had. EV SSL support is unlikely to appear in Firefox until version 3.0 is released later this year.

    There are also concerns that smaller websites that have been unaffected by phishing attacks will not be able to afford certification costs, leaving users unsure which sites are insecure and which are simply uncertified.

    $5 PayPal security key gives false hope to stop phishers

    January 20, 2007

    Like many financial institutions, eBay and PayPal are late adopters of security devices for one time passwords. A security device (costing $5 in the US) gives a different security code each time you log into your account. PayPal say it “generates a unique six-digit security code about every 30 seconds. You enter that code when you log in to your PayPal or eBay account with your regular user name and password. Then the code expires - no-one else can use it.” Or can they??

    These devices have been around for almost twenty years with Security Dynamics (RSA Security) and Vasco being the earliest to market solutions. The eBay PayPal key has been developed in conjunction with VeriSign.

    The biggest concern is whether the tokens are effective in preventing phishing attacks. Well, firstly, it’s not what they were designed for. They were designed originally for remote access solutions where an employee would dial into a company workplace over a telephone line. Rather than a password that could be written down, the token ensured hackers couldn’t dial in to the network with a compromised password; there was little chance of anyone intercepting the dial-up phone call. The tokens were then deployed for use internally for all users on a network. Later they migrated outside the network as the Internet became more common for remote users connecting to corporate networks, for online banking, and now for eBay and PayPal.

    It’s important to realise they weren’t designed for use on the Internet in the first place, and that hackers have had decades to develop ways to combat the tokens. The actual keys generated are still secure, there is still no effective way to compromise the security codes generated. This doesn’t deter the phishers though - they have other tools in their arsenal.

    Man in the middle attack

    We’ve all seen phishing emails where a hacker tries to get you to click to a fake eBay or PayPal website and enter your user name and password which they later use to access your account. Smarter phishing sites are becoming more common where the hacker captures your user name and password and instantly uses it to log on to the real site. They pass the information you request to the site and back to you - you may never realise you’re not logged directly into the site, but in the mean time the hacker is able to perform any transaction they please while you make the transaction you logged on to do.

    Trojan attacks

    Far too few Internet users keep their security up to date allowing virus and trojan attacks. If a phisher manages to install a trojan on your computer next time you log on to eBay or PayPal they can piggy back on your logon to perform their own transactions.

    These two methods for bypassing one time passwords are not new - they were reported by Bruce Schneier back in March 2005. What does this mean for the new PayPal and eBay security devices? Well, it’ll make the phishers’ lives harder, but so far they’re only available in the US, Australia and Germany, leaving plenty of targets for phishers in the other eBay and PayPal territories. Secondly, they’re not compulsory: free for PayPal Business accounts, but the $5 cost will put off many users, who arguably are the most vulnerable. Finally, the efficacy of the tokens themselves has to be questioned. It’s technology that’s been around since before most of today’s hackers first logged on to the Internet and was designed for dial-up connections to corporate networks. Hackers have grown up looking for ways to render them useless.
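    As an added illustration (not PayPal’s or VeriSign’s code, which the post does not show), the following constructed Python models a six-digit, 30-second time-based code in the RFC 6238 style, with a made-up seed, and a verifier that remembers used codes. It shows the point made above: a captured code is useless minutes later, but a code relayed to the real site within its window is accepted, so the token alone cannot tell a man-in-the-middle page from the user.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real token holds a per-device key set at manufacture.
DEMO_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP_SECONDS = 30   # the post quotes "about every 30 seconds"
DIGITS = 6          # "a unique six-digit security code"


def totp_code(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Time-based one-time code in the RFC 6238 style: HMAC-SHA1 over the
    current 30-second counter, dynamically truncated to six decimal digits."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: accepts a code for the current step (allowing one step of
    clock drift either way) and records accepted codes so none is reused."""

    def __init__(self, secret, drift_steps=1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.used = set()

    def verify(self, code, now):
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.drift_steps, counter + self.drift_steps + 1):
            expected = totp_code(self.secret, c * STEP_SECONDS)
            if hmac.compare_digest(expected, code) and (c, code) not in self.used:
                self.used.add((c, code))
                return True
        return False


def scenario_replay_after_expiry(now=1_700_000_000):
    """A code harvested by a fake login page and tried minutes later: rejected."""
    v = TokenVerifier(DEMO_SECRET)
    captured = totp_code(DEMO_SECRET, now)
    return v.verify(captured, now + 5 * STEP_SECONDS)


def scenario_relay_in_real_time(now=1_700_000_000):
    """A man-in-the-middle page that forwards the code to the real site a few
    seconds later, inside the same window: accepted. The code is sound; the
    channel is what is compromised, which is the post's argument."""
    v = TokenVerifier(DEMO_SECRET)
    captured = totp_code(DEMO_SECRET, now)
    return v.verify(captured, now + 3)


def scenario_reuse_same_window(now=1_700_000_000):
    """The same code presented twice inside one window: second attempt fails."""
    v = TokenVerifier(DEMO_SECRET)
    code = totp_code(DEMO_SECRET, now)
    return v.verify(code, now + 1), v.verify(code, now + 2)
```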

    It remains to be seen if the promise of security will result in users lowering their guard still further. After all no one can access your account without your token can they? Well possibly they can - users need to be as vigilant as ever. As Blogging stocks ask “Are the days at an end to eBay and PayPal phishing scams?”. Sadly the chances are they’re only just beginning!

    eBay shutting down? It’s a hoax

    January 19, 2007

    A new hoax email is doing the rounds phishing for user names and passwords. Normally we’d ignore these but this one has an amusing twist and shows the hackers have a sense of humour.

    The email states that eBay has decided to close because of “repeated abuses on our company”. It then invites you to vote, asking if you agree or disagree with the decision. It goes on to say that if 50 per cent or more of respondents want eBay to remain open, it will. From then on it’s the normal link to a phishing site which looks like eBay but is an attempt to convince you to enter your eBay user name and password in order to vote.

    You have to question how many people would be gullible enough to think eBay would poll users on a decision such as shutting the site down, but doubtless they’ll try to vote anyway. We expect eBay to get the phishing site closed down pronto and to update the eBay toolbar to warn users they’re not on the eBay site.

    Catching phish

    January 6, 2007

    Michael Sutton’s analysis of Google’s list of suspected phishing sites makes interesting reading, with some shockingly simple tricks still apparently fooling web users.

    eBay and Paypal remain top of the phishers’ hit lists, with 47% of URLs listed aimed at either one or other site: looking at my inbox, this isn’t particularly surprising.

    What is jaw-droppingly incredible is that Yahoo apparently host Yahoo-phishing sites. Why anyone would put any sort of personal information into a Geocities site is quite beyond me, but as simple subdomains (“http://paypal.scamsite.com/”) seem to work for the phishers, it’s fair to assume that people are still not checking even the basic details as they click on these links.
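    An added example, not from the original post, of the basic check the paragraph says users are skipping: a Python function that takes the host out of a link and accepts it only if it is one of a small, assumed allowlist of genuine domains or a subdomain of one, so lookalikes such as paypal.scamsite.com, www.paypal.com.scamsite.com or paypal.com@scamsite.com are rejected. The email body and allowlist are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for the demo: the sites the user actually means to visit.
GENUINE_DOMAINS = ("ebay.com", "ebay.co.uk", "paypal.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_match(url, genuine=GENUINE_DOMAINS):
    """Return (is_genuine, host). The host is genuine only if it IS a listed
    domain or ends with '.' + a listed domain. A host that merely contains
    'paypal' somewhere (paypal.scamsite.com, evilpaypal.com) does not qualify."""
    parts = urlsplit(url.strip())
    # .hostname drops any userinfo ("paypal.com@scamsite.com"), drops the port,
    # and lowercases, so the trick forms in the post reduce to the real host.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False, host
    for d in genuine:
        if host == d or host.endswith("." + d):
            return True, host
    return False, host


def classify_links(text):
    """Every URL found in a message, paired with whether its host is genuine."""
    return [(u, registrable_match(u)[0]) for u in URL_RE.findall(text)]


# Constructed spoof email body for the demo (not a real message).
SAMPLE_EMAIL = """Dear PayPal member,
Your account will be suspended. Confirm your details at
http://www.paypal.com.scamsite.com/cgi-bin/webscr or via
http://www.paypal.com@scamsite.com/login
The genuine help page is https://www.paypal.com/help
"""


def suspicious_links(text):
    """Only the links a user should not follow."""
    return [u for u, ok in classify_links(text) if not ok]
```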

    As Sutton himself says,

    Based on all of the sites that I looked at, the majority of phishing scams are less sophisticated than I had predicted. This is however somewhat concerning as simple attacks must still be working and attackers have not been forced to upgrade their skills in order to make a profit.

    Via The Reg. via Techspot.

    Phlash, argh!

    January 5, 2007

    As anti-phishing technology gets better, scammers are working to stay one step ahead. Many current phish detection tools rely on spotting form elements in the page’s HTML code that require passwords, credit card numbers and so on. Crooks have therefore turned to Flash, which can replicate entire webpages undetected by such tools. Examples of this technique, inevitably known as “Phlash”, have already been seen spoofing Paypal’s site.
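    To make the detection gap concrete, an added Python example (not from the original post; the sample pages are constructed) that scans a page the way a form-based filter would, counting password fields, and separately notes Flash objects. A Flash-only login page yields no password field at all, which is why treating a .swf object on a sign-in page as suspect is the complementary check.

```python
from html.parser import HTMLParser

# Constructed sample pages for the demo (not real phishing pages).
HTML_FORM_PHISH = """
<html><body><h1>Log in to your account</h1>
<form action="http://paypal.scamsite.com/login" method="post">
  Email <input type="text" name="email">
  Password <input type="password" name="passwd">
  <input type="submit" value="Log In">
</form></body></html>
"""

PHLASH_PAGE = """
<html><body>
<object type="application/x-shockwave-flash" data="login.swf" width="800" height="600">
  <param name="movie" value="login.swf">
</object>
</body></html>
"""

CLEAN_PAGE = "<html><body><p>Item description: vintage watch, boxed.</p></body></html>"


class CredentialFormScanner(HTMLParser):
    """Counts what an HTML-based phish filter looks for (password and card
    inputs) and, separately, Flash objects that could draw the same form as
    pixels, where no <input> ever appears in the markup."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.flash_embeds = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; values may be None.
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "input":
            if a.get("type") == "password" or "card" in a.get("name", ""):
                self.password_inputs += 1
        elif tag in ("object", "embed"):
            if (a.get("type") == "application/x-shockwave-flash"
                    or a.get("data", "").endswith(".swf")
                    or a.get("src", "").endswith(".swf")):
                self.flash_embeds += 1


def scan(html):
    """(password_inputs, flash_embeds) for one page."""
    s = CredentialFormScanner()
    s.feed(html)
    s.close()
    return s.password_inputs, s.flash_embeds


def verdict(html):
    """'credential-form' is what the older filters catch; 'flash-only' is the
    Phlash case they miss unless .swf on a sign-in page is itself treated as
    suspect."""
    pw, flash = scan(html)
    if pw:
        return "credential-form"
    if flash:
        return "flash-only"
    return "clean"
```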

    We can’t say it often enough: don’t click links in emails. If you’re worried about a message you may have received from eBay or from Paypal, sign in to your account via the browser address bar *only*. If they have something they need to tell you, it will be there on the genuine site.

    Spam me, eBay, one more time

    January 1, 2007

    I know it’s not like me to complain that eBay communicate too much: normally, it’s exactly the opposite. But this week, I’ve had a bunch of communication from them that’s gone beyond pointless, deep into ‘completely infuriating’ territory.

    Firstly, we have the “you’ve changed your email” alert. Actually, I have two, because my main email account went down on Friday, came back Sunday, and so I changed to an alternate and then changed it back again. eBay put alerts in My Messages, great. And then they tell me I can’t delete those alerts for ten whole days. WTF? I’ve read the messages, I made the changes, it’s all legit, why do I have to have that stupid red blob at the top of my screen making me think that my seller account is overdue or some buyer has filed for non-something or other? I don’t need it, eBay, I really don’t.

    Secondly, there’s eBay’s neat trick to double your spam. For some reason, rather a lot of Chinese wholesalers think that my gothy jewellery-selling ID might wish to invest in their electrical products. In fact, they’re so sure that I should become a customer of theirs that on Christmas Day, they sent me spam ASQs from a dozen different accounts with the same enticing message. I know there’s nothing eBay can really do about spam ASQs; I’ve been getting them for seven years, and I can deal with them. On Boxing Day, I duly clicked the “report” link beside each one in My Messages and grassed them up as spammers. So far, so good.

    But then I received back, for each spamming ID, a “Communication Partner Warning” from eBay, informing me that a member with whom I had recently communicated had now been excommunicated from the site. These were not people from whom I’d bought, or to whom I’d sold. They were people who had sent me ONE email, whom I’d reported. And gotten a whole bunch more spam back from eBay as a result. Thanks. Thanks SO much.

    Finally, and perhaps least explicable, is the “Notification of Change to my Feedback”:

    Dear biddybidbidbid,

    A member with whom you’ve recently transacted has been indefinitely suspended from eBay within 90 days of registration. We have removed any feedback they left for you or others.

    eBay removes feedback when a member is indefinitely suspended for certain policy breaches within 90 days of registration. eBay believes that members indefinitely suspended soon after registration shouldn’t be able to permanently affect another member’s account.

    To see your current feedback score, go to your Member Profile.

    Thank you,
    eBay

    They obviously liked me because I got fifteen of those messages: musta been a nice big order. But do eBay tell me who it was? Nope, not a clue. So what was the point of that? They don’t tell me who the dodgy buyer was so I can look out for them when they re-register, or suggest that I keep an eye on their Paypal payment as a potential chargeback. Maybe they want to make phishers’ lives easier by encouraging clicking of links in emails (which it does - I get this message from phishers too)? Who knows.

    Please could someone who designs this rubbish for eBay actually start using the site, get rid of the stupid over-communication when it serves no purpose, and start communicating with users about the things that actually matter.

    eBay and PayPal links for hacked accounts

    December 23, 2006

    This post was written in December 2006; specific information contained within it may be out of date.

    “We will never request their password, account number or credit card number”. Sound familiar? The sort of thing PayPal or eBay would say? Well perhaps, but in this case it’s First Atlantic Federal Credit Union’s turn to warn their customers not to respond to phishing scams. They’re being targeted with offers of $100 to complete a survey.

    Phishing is the sending of spoof emails with the aim of harvesting user names and passwords. eBay and PayPal are natural targets because so many people have accounts with them: you’re unlikely to fall for a spoof from a financial institution you don’t bank with anyway.

    eBay invest heavily in fraud protection, with warnings all over the site. The eBay safety center is full of security information, as is Get Safe Online, a joint initiative between the government, the Serious Organised Crime Agency and the private sector which eBay sponsor. In addition, the eBay toolbar (for IE) will warn you if you enter your eBay user name and password on a non-eBay site.

    With Christmas just two days away, a host of new users will rush to get online when they open up new computers and laptops. The last thing on their mind will be the possibility of getting scammed. In the event that your eBay account is hacked and taken over, there is an eBay Live Help link for hijacked accounts. For help with PayPal in the UK call 0870 7307191 and in the US 1-402-935-2050.

    The golden rule is never click links in emails and enter your user name and password, always type the URL into your browser yourself and stay safe online.

    Cobb phish

    December 21, 2006

    This post was written in December 2006; specific information contained within it may be out of date.

    As a special holiday gift for my friend Fruity, I’d like to share the latest phishing email (fifteen copies received this morning). I have been known to say that the sheer volume of eBay phishes is just an indication of eBay’s success, but I’m really not sure what to make of this one:

    Bill Cobb, 1c listing week

    Click the piccie to read the full, nauseatingly patronising but somehow familiar text.

    Poor Bill: I bet he’s really looking forward to the next Town Hall now.

    How to stop phishing

    December 6, 2006

    This post was written in December 2006; specific information contained within it may be out of date.

    F-Secure make a very good point in their open letter to domain registrars:

    Are you sure you want people to be able to register any domain name? Even when the name is obviously going to be used for phishing? Like, say, somebody is trying to register a .com domain with the words “ebay” and “sign-in” in it? Isn’t it pretty obvious that something might be going on here?

    You’d think a filter on the more obvious phishing targets - eBay and Paypal probably being the two biggest - would make sense for everyone.
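    As an added illustration (not code from F-Secure, the registrars, or the original post), here is the kind of registration-time filter the letter is asking for: it flags a requested domain name that combines a protected brand with a sign-in or verification term, and also undoes the hyphens and digit-for-letter substitutions phishers use to slip past an exact-string match. The brand list, term list and substitution table are assumptions chosen for the demo.

```python
"""Added example: a registrar-side filter for obvious brand-abuse domains.
BRANDS, PHISH_TERMS and LOOKALIKES are illustrative assumptions, not a
real registrar's policy."""

BRANDS = ("ebay", "paypal")
# Stems, so "verif" also catches "verification", "secur" catches "security".
PHISH_TERMS = ("signin", "login", "logon", "secur", "verif", "update", "account", "confirm")
# Digit-for-letter substitutions commonly used to make "paypa1" or "3bay" look like the brand.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def normalise(domain):
    """Lower-case, drop the final label (the TLD), strip separators and undo
    look-alike digits.  Note: multi-part suffixes such as .co.uk leave a short
    residue ("co") in the name; it never matches a brand or term, so the
    check still works, but a production filter would use a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    name = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    name = name.replace("-", "").replace("_", "")
    return name.translate(LOOKALIKES)


def classify(domain):
    """Return (decision, brand, term):
       ("block", brand, term)  brand plus a sign-in/verification term: refuse it;
       ("review", brand, None) brand embedded in a longer name: human review;
       ("ok", None, None)      nothing obviously wrong."""
    name = normalise(domain)
    brand = next((b for b in BRANDS if b in name), None)
    if brand is None:
        return ("ok", None, None)
    term = next((t for t in PHISH_TERMS if t in name), None)
    if term is not None:
        return ("block", brand, term)
    return ("review", brand, None)


if __name__ == "__main__":
    # Constructed requests, including the letter's own ebay + sign-in pattern.
    for d in ("ebay-sign-in.com", "paypa1-secure-update.net", "3bay-login.co.uk",
              "tamebay.com", "example.com"):
        print(f"{d:28s} -> {classify(d)}")
```

    The deliberate gap is the “review” bucket: a name that merely contains a brand (the blog’s own host name would land here) is not automatically a phishing site, so it goes to a human rather than being refused outright, while brand plus sign-in term is blocked without debate, which is all the F-Secure letter is really asking registrars to do.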

    Phishers on the phone

    November 27, 2006

    This post was written in November 2006; specific information contained within it may be out of date.

    Phishers are moving from email to the phone to try to steal banking and other personal information. A new batch of emails purporting to come from Paypal gives out a telephone number for members to call to “verify” their data. Other scammers have skipped the email altogether: victims receive a telephone call out of the blue from someone who already knows their credit card number and wants them to confirm the security code printed on the back. That code is exactly the thing a thief holding only the card number lacks, so the call is a way around this newer security feature in the system.

    “Hackers are moving away from the Web and using something victims are more comfortable with: making a call,” said Paul Henry, vice president of technology evangelism at Secure Computing. [I *want* his job title!] “Consumers are programmed to enter in information on the phone. It’s a natural evolution of phishing.”

    Call recipients and email recipients alike should beware: the phishers are getting more sophisticated. Many phishing emails now contain the recipient’s real name rather than being addressed to “Dear valued customer” or similar. And, ironically, in an attempt to appear genuine, some phishing emails now contain warnings against giving your personal information to unverified parties: that, at least, is something the scammers have got right.