Over the past couple of days, I've received some e-mail messages purporting to be from PayPal. Each message claims that I've added an e-mail address (a different e-mail address in each message) to my account, and gives a link that I can follow to verify that I did, indeed, add the given e-mail address.
Being inherently suspicious, I checked out the link without following it. The first hint of suspicion is that the underlying href for the link doesn't point to PayPal's web site. Rather, it points to a numerical IP address (e.g. 18.104.22.168).
So, I fired up ARIN's Whois database, and entered that IP address. Turns out that the including range of IP addresses (22.214.171.124 through 126.96.36.199) is administered by the Asia Pacific Network Information Centre. PayPal's web addresses (which begin with 64.4) are administered by Network Solutions in California. Moreover, according to APNIC, this IP address range isn't registered in the ARIN database.
Lastly, I headed over to the PayPal web site, logged in, and checked my profile. No new e-mail addresses; just mine.
So, it looks like someone's phishing for PayPal account login credentials, and people are being redirected to a bogus web site that looks like PayPal's web site yet isn't.
All of this reminds me of a problem with security on Mac OS X. Just like web sites, dialog boxes can be spoofed. This includes the dialog box that prompts for an administrator's password when you install new software. While no one has, to the best of my knowledge, exploited this weakness, it's possible for someone to implement an installer that looks exactly like the standard installer yet squirrel's away your administrator credentials. One way or another, convenience always compromises security.
For those of you who are paranoid like me, there's a two-stage workaround for this vulnerability. The first stage is to never run your regular account as an administrator. If you are running as administrator, then follow these steps:
The second stage is to think up a separate password for the administrator's account to be used during software installs. Then, before you install a new piece of software, switch to the administrator's account and change the password to your "install" password. Then install the software. After the installation completes, switch back to the administrator's account and change the password back to the day-to-day password. That way, even if someone implements some kind of spoof, the password it harvests won't work.
Now, you certainly don't have to be as paranoid as me, but, should someone ever come up with an installer spoof, I won't have to say, "I told you so."
Currently playing in iTunes: Dance Sister Dance by Santana
Update: Since posting this, I've received another phishing message regarding PayPal. This one said:
We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address and we have reasons to belive that your account was hijacked by a third party without your authorization. If you recently accessed your account while traveling, the unusual log in attempts may have been initiated by you.
This one, too, had a link where I could "correct" matters, but the link contained another suspicious IP address (though not the same as the one above). Note, also, the language of the above paragraph; that it says nothing about whether or not the attempts were successful.
This is about as sleazy as it gets.