I’m publishing this in hopes that it’ll be useful.
Consider the PayPal phishing case. Someone sends an email citing a reason why you need to log into PayPal to verify your funds. You usually recognize this as a false alert.
Now consider this scenario. You find an item that is extremely well priced, and you want to buy it. It only costs three dollars when it is actually worth thirty. You click “Buy”, enter your password in the PayPal window (which is usually secure), and hope to get your product.
What you might not know is that this is an ideal case for phishing. Anyone can replicate the PayPal page, and a lot of people might not notice before entering their password.
Even worse, the malicious site can open the page in an internal frame (an iframe), giving it a clever, Ajax-style look while effectively preventing the user from seeing the framed page’s real address.
This is just social engineering, and I am not aware of such a trick plaguing PayPal.
What PayPal can do to prevent this is to ask each user to confirm “YES! This is the actual PayPal address” before entering their information. If the user doesn’t agree, the transaction is terminated.
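One concrete defence against the framing trick described above, as an added example that is not from the original post: a small Node.js check that decides whether a login page’s response headers would let another origin embed it in an iframe. The origins and header sets below are constructed placeholders, and the CSP source matching is simplified to exact origins.

```javascript
// Added example (not the post's own code): decide whether a login page's
// response headers let a third-party site embed it in an <iframe>, which is
// the framing trick the post describes. A page that refuses to be framed
// forces the user to see the real address bar before typing a password.

// Constructed sample header sets: the weak default (no anti-framing headers)
// beside the hardened response.
const WEAK_HEADERS = {
  "content-type": "text/html",
};
const HARDENED_HEADERS = {
  "content-type": "text/html",
  "x-frame-options": "DENY",
  "content-security-policy": "frame-ancestors 'none'",
};

// Returns true if a document served from `pageOrigin` may be framed by a
// document at `framerOrigin` under these headers. When both mechanisms are
// present, CSP frame-ancestors takes precedence over X-Frame-Options.
// Simplification: sources are matched as exact origins only (no wildcards,
// scheme-only or path-bearing sources), which is enough for the comparison.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map((s) => s.trim())
      .find((d) => d.startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.includes("'none'")) return false;
      if (sources.includes("*")) return true;
      return sources.some((src) =>
        (src === "'self'" && framerOrigin === pageOrigin) || src === framerOrigin);
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // No anti-framing policy at all: any site can embed the login page.
  return true;
}

// Placeholder origins: the payment site and a bargain storefront framing it.
const PAGE = "https://payments.example";
const FRAMER = "https://cheap-deals.example";
console.log("weak headers, framed by storefront:", framingAllowed(WEAK_HEADERS, PAGE, FRAMER));
console.log("hardened headers, framed by storefront:", framingAllowed(HARDENED_HEADERS, PAGE, FRAMER));
```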

0 Responses to “A very scary potential paypal exploit.”