July 13, 2006
I had the dubious honor of receiving my first spoofing (or phishing) message today. The sender purported to be a representative from PayPal requesting that I “restore” my account following “unusual recent charges.” Though I am a current PayPal customer, I realized quickly that the message was phony after observing that the link text, which stated the address of a real page in the PayPal domain, was actually linking to a fabrication on the spoofer’s own server. It’s a trivial trick to pull off. Take the following link: http://www.paypal.com/login.php. The text would make you believe that the destination lies on PayPal’s site, but in fact it leads back to this posting. Scary, no?
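The trick described above (link text that reads as one host while the href points at another) is also the thing a mail filter or a cautious reader can check for mechanically. The following script is an added example, not code from the original post: it walks the anchors in an HTML message body, and whenever the visible text looks like a URL or hostname it compares that host with the host in the href and reports any mismatch. The sample message is constructed for the example, and the "registrable host" helper is a deliberately crude last-two-labels heuristic (assumption: good enough for a demonstration; a real filter would consult the public suffix list).

```python
"""Flag HTML anchors whose visible text names one host but whose href goes elsewhere."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a URL or a bare hostname, e.g. "http://www.paypal.com/login.php".
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable_host(host: str) -> str:
    """Reduce a hostname to its last two labels (assumption: crude stand-in for a
    public-suffix lookup). IP addresses are returned unchanged."""
    host = host.lower().strip(".")
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list[dict]:
    """Return one finding per anchor whose displayed host differs from its real host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = HOST_IN_TEXT.search(text)
        if not match:
            continue  # text such as "Help" makes no host claim, nothing to compare
        shown = registrable_host(match.group(1))
        actual = registrable_host(urlparse(href).hostname or "")
        if shown != actual:
            findings.append(
                {"text": text, "href": href, "shown_host": shown, "actual_host": actual}
            )
    return findings


# Constructed sample message body; 203.0.113.5 is a documentation address, not a real server.
SAMPLE_EMAIL = """
<p>Dear customer, unusual recent charges were seen on your account. Please visit
<a href="http://203.0.113.5/pp/login.php">http://www.paypal.com/login.php</a>
to restore access.</p>
<p>You may also log in at <a href="https://www.paypal.com/">https://www.paypal.com/</a>.</p>
<p><a href="http://203.0.113.5/pp/help">Help</a></p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link text claims {finding['shown_host']!r} "
              f"but href resolves to {finding['actual_host']!r}: {finding['href']}")
```

Only the first anchor is reported: its text claims paypal.com while the href host is the spoofer's address. The second anchor agrees with itself, and the third ("Help") makes no host claim, so neither is flagged. The same comparison is what a reader does by hovering over the link before clicking.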
After forwarding the message to the real PayPal’s handy abuse address (firstname.lastname@example.org) I took a look at the site–which has already been taken down, it seems–to see how well it matched the real thing. Aside from the text in the address bar, it was virtually identical to the actual PayPal login page; even the links worked properly (though their destinations were genuine).
It gets worse.
Entering a bogus email (email@example.com) and password (12345), I was shown a recreation of the “login processing” screen and then presented with another slickly created form for “re-entering” my credit card information. Were I a less savvy Web user, things could easily have gone very badly for me here. PayPal is quite good about letting customers know that the company will never ask for passwords and to always make sure to log in from the home page (paypal.com), but with fakes as convincing as I encountered, it’s no wonder such schemes are so successful. Readers, be on your guard.
–D. S. W.