'Tis the season to be careful. That should be no surprise. Given that the online holiday shopping season is peaking, cybercriminals would be expected to ramp up their efforts as well.
But it might be a bit surprising -- not to mention depressing for security evangelists -- that one of the oldest and typical scams aimed at online buyers is still successful: PayPal email phishing.
Paul Ducklin wrote this week on Naked Security that Australian PayPal users are being targeted. But there is also word of the same thing happening in Ontario, Canada.
It won't stop there. Chester Wisniewski, a senior security adviser at Sophos, noted that PayPal is used worldwide."It is a global phenomenon. These guys are equal opportunity exploiters," he said.
Even though the scam is common, Wisniewski said it remains successful. He said nobody but the criminals know just how successful they are, however. "Scams that aren't working die quickly, so we can assume that these must work quite well considering the frequency that we see them," he said.
Fred Touchette, a senior security analyst at AppRiver, said that "most victims shy away from admitting their losses except to perhaps their banking institution when attempting to recover their loss."
And even if the number is relative small, phishers have succeeded, said Catalin Cosoi, chief security researcher at Bitdefender. "Attackers don't need high rates of success, as phishing is just like handing out leaflets in the mall," Cosoi said "If one gets two or three customers out of every 100, mission accomplished."
The scam is by now familiar not just to security experts but to any reasonably savvy Internet user. It starts with a somewhat credible-looking email with the PayPal logo "acknowledging" a payment for something that the intended victim didn't buy. It provides an embedded link inviting the recipient to click on it to dispute the charge.
"And that's the ploy, of course," Ducklin wrote. "Hovering over the 'Press here to cancel this payment' link should be enough to reveal the bogosity. You won't be sent to PayPal but to a lookalike impostor site that helps itself to your login details."
Click on the bogus link and the criminals will steal your identity.
Wisniewski said he believes the primary victims of the scam are less savvy Internet users, whether that be old, young or simply not technical. But anyone can get stung by the social engineering. "Sometimes more tech-savvy people fall victim as well when they don't think things through before they click," he said.
[See also: Phishing - the basics]
Touchette said the season makes the scam more successful. "Many people are waiting on what are often multiple purchases to arrive from multiple sources, and may be eager to read any sort of notification about said purchases. This can really bring one's guard down," he said.
Wisniewski said his own mother, who lives in Michigan, "actually clicked one of these things last month. Thankfully Sophos Anti-Virus picked up the payload -- a Zeus banking Trojan in this case."
By now, the advice on how to avoid such scams ought to be familiar too, but given its success, it bears repeating. PayPal itself has a list of warnings and advice on its website, including a "challenge" to customers to find out how much they know.
But there are some general rules about unsolicited emails, including:
Don't click on a link embedded in an email. Go to the vendor's website and log in from there.
Failing that, before clicking on any link, at least hover over it to check the site's web address (URL). Larry Magid at the Huffington Post notes that, "if it's Sears, for example, make sure it's really Sears.com and not something like Sears.somethingelse.com." Also check the spelling -- scammers frequently register a site with a single letter different from a legitimate site.
A legitimate PayPal email will never ask for a full name, password, driver's license number, Social Security number, credit and/or debit card numbers, PIN numbers or bank account numbers. Don't provide them.
A legitimate PayPal email will also never contain an attachment or software update. An email with those will likely contain spyware or a virus.
Beyond those, Touchette said users should not assume that because they're somewhat savvy that they are invulnerable. "Knowing that scams exist and that anyone can be a victim, provides a gentle reminder that the, 'It will never happen to me' attitude can be dangerous," he said. "A little vigilance goes a long way."
Cosoi added that online shoppers should not use their primary personal email. "Use a dedicated email address for sensitive operations such as registering for accounts with payment processors," she said. And one last bit of advice: "Last, but not least, use a solid antispam solution."