June 30, 2006

Oh, the Cynicism of Phishers
At times I get so many phishing messages that I don't bother reading their contents. I simply look through a message's source code for the destination URL, verify it's still active, trace the owner of the domain, the hosting outfit, and the IP block, report it, and delete the message. Periodically through the day I check whether the reported pages have been taken down, which helps me learn which ISPs respond quickly and which don't. (I have to say that the Yahoo! domain registration and hosting folks have really stepped up their response lately. Bravo!)
But something caught my eye as I scoured a PayPal phishing message today that caused me to look more closely at the content of the message. Here's a partial screenshot:
I won't even get into the goofy bit about the message supposedly being dated February 2006 and talking about the "upcoming year 2006" and the message being sent on 30 June 2006—it's just too easy a target.
No, what makes this message so insidious is that it will probably convince a recipient that it's legit because it talks so much about how to spot spoofs, how to protect your account, and so on. I could see many a recipient thinking, "A crook wouldn't put so much in a message about detecting crooks." And they'd be dead wrong.
Unfortunately, the items that should be links, like the "New spoof tutorial" heading, are not. But even if they were links to the real PayPal spoof tutorial, I don't think it would matter. All that the recipient would focus on are the bits in red, claiming that unless updated information is provided, the account will be deleted in 72 hours.
The only clickable link in the message (the "Get Verified" link) takes the recipient to a PayPal login lookalike page that has been installed on a hijacked web site in Switzerland. (Unfortunately, it's the site of a Swiss web design firm—one that apparently knows about graphics, but not security.)
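As an added example (not the author's own tooling, and not code from the post), here is a small Python script that automates the first step of the triage described above: parse a message's source, pull out every clickable link, and flag any whose host does not belong to the domain the From header claims to come from. The sample message is constructed to mirror the structure described here, with headings that look like links but aren't, a red 72-hour threat, and a single "Get Verified" link pointing off-brand. The hostname hijacked-site.example is a placeholder, not the real compromised site. The WHOIS/abuse-contact lookup and the check that the page is still live need network access and are left out.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture). Structure mirrors the post:
# plain-text "link-looking" headings, a red deadline, and one real hyperlink
# whose host is a placeholder standing in for the hijacked site.
SAMPLE_EML = """From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Your account requires verification
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<h3>New spoof tutorial</h3>
<p>Learn how to protect your account from spoof emails.</p>
<p style="color:red">Unless you update your information within 72 hours,
your account will be deleted.</p>
<a href="http://hijacked-site.example/paypal/login.php">Get Verified</a>
</body></html>
"""

# Constructed control message whose only link really goes to the claimed brand.
LEGIT_EML = """From: "PayPal" <service@paypal.com>
To: victim@example.net
Subject: Spoof tutorial
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="https://www.paypal.com/spoof">Read the spoof tutorial</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def html_body(raw):
    """Return the text/html part of a raw RFC 822 message, or '' if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def claimed_domain(raw):
    """Domain of the From address, i.e. the brand the message claims to be."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg["From"] or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable_domain(host):
    # Assumption: last two labels identify the registrant. Good enough for
    # .com/.example; a public-suffix list would be needed for e.g. co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(raw):
    """Every clickable link in the message: list of (href, anchor text)."""
    parser = LinkCollector()
    parser.feed(html_body(raw))
    return parser.links


def suspicious_links(raw):
    """Links whose host is not under the domain the From header claims."""
    claimed = claimed_domain(raw)
    flagged = []
    for href, text in extract_links(raw):
        if not href or href.lower().startswith("mailto:"):
            continue
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != claimed:
            flagged.append({"text": text, "href": href, "host": host})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EML):
        print(f'"{hit["text"]}" -> {hit["href"]}  (host: {hit["host"]})')
```

Run against the constructed sample, the script reports a single hit, the "Get Verified" link, with the off-brand host you would then take to WHOIS and the hosting provider's abuse contact; the control message produces no hits. Anchor text is collected alongside the href precisely because phishers frequently make the visible text look like the brand while the destination is elsewhere.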
From comments I see all around the Internet, I would guess that well over 90 percent of PayPal (and eBay) users have never read the spoof information that financial sites provide for their customers. The rest have read it because they were victimized by phishing or some other kind of fraud. The 90-percent group doesn't want to hear about it.
It reminds me of the incident about six months ago where the Attorney General of Colorado arranged to make a personal appearance at a senior center to show attendees how to protect themselves from the types of consumer and investor fraud perpetrated specifically on senior citizens. I'm not talking about some flunky from his office—the real Attorney General. The grand total attendance at this event: one journalist. But I'll bet that when senior citizens get taken, they just about ram down the AG's door to complain that they're not being protected.
On the subject of online safety, you can't even lead a horse to water until it's dying of dehydration.

Posted on June 30, 2006 at 10:29 AM