Fraudsters found a new way to trick people into signing in to fake PayPal sites, according to security publication Netcraft. When would-be visitors are uncertain about the authenticity of a site, a trust certificate can provide reassurance, but that can actually work in criminals’ favor. Here’s how.
“In June 2015, Trustwave issued an organisation-validated certificate for paypal-office.com, myaccount-paypal.com and paypal-sign.com that was used on a PayPal phishing site,” Netcraft wrote.
However, it points out that certificates come in three broad categories, and that domain-validated certificates simply validate control over a domain name; they do not involve identity checking. But the differences between the three types of certificate are sometimes subtle, the publication explains.
And in the case described, any victims of the PayPal phishing attack would not be able to claim on the certificate provider’s warranty, because while the warranty would cover fraudulent credit card charges made by a Trustwave certificate holder, it would not cover the theft of credentials.
The case is a reminder to online buyers and sellers, and to all Internet users, to beware of clicking on a link in an email to go to a service that asks you to sign in.
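
To make the distinction between certificate categories concrete, here is an added example (not from Netcraft or the original article): a Python sketch that takes a certificate in the dict layout of `ssl.SSLSocket.getpeercert()`, guesses its validation category from the subject fields, and flags hostnames that contain a brand name but sit outside the brand's own domain. The subject-field heuristic, the function names and the sample certificates are assumptions constructed for this illustration.

```python
# Added example. Input uses the dict layout of ssl.SSLSocket.getpeercert().
# Heuristic (assumption): EV subjects carry businessCategory / jurisdiction
# fields, OV subjects carry organizationName, DV subjects carry neither.
EV_ONLY_FIELDS = {
    "businessCategory",
    "jurisdictionCountryName",
    "1.3.6.1.4.1.311.60.2.1.3",  # jurisdiction country, shown as OID by older OpenSSL
}

def subject_fields(cert):
    """Flatten the nested subject RDN tuples into a {name: value} dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}

def validation_level(cert):
    fields = subject_fields(cert)
    if fields.keys() & EV_ONLY_FIELDS:
        return "EV"
    return "OV" if "organizationName" in fields else "DV"

def lookalikes(cert, brand, official_domain):
    """Return SAN hostnames that contain the brand but are outside its domain."""
    hits = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        host = value.lower()
        if host.startswith("*."):
            host = host[2:]  # compare wildcard entries by their base name
        official = host == official_domain or host.endswith("." + official_domain)
        if brand in host and not official:
            hits.append(value)
    return hits

# Constructed sample: an organisation-validated certificate covering the three
# hostnames named in the article. The organisation name is a placeholder.
SUSPECT_CERT = {
    "subject": ((("organizationName", "Placeholder Org Ltd"),),
                (("commonName", "paypal-office.com"),)),
    "subjectAltName": (("DNS", "paypal-office.com"),
                       ("DNS", "myaccount-paypal.com"),
                       ("DNS", "paypal-sign.com")),
}

if __name__ == "__main__":
    print(validation_level(SUSPECT_CERT), lookalikes(SUSPECT_CERT, "paypal", "paypal.com"))
```

The two checks are independent on purpose: the validation category describes how the applicant was vetted, while the hostname comparison is what shows the names are not under the brand's domain.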