[cryptography] Paypal phish using EV certificate

wasa bee wasabee18 at gmail.com
Tue Aug 13 06:08:49 EDT 2013


Given the images seen on the links, both certs are signed by the same
entity (I cannot see the pubKey ID but issuer names match), yet have the
same serial number 3014267. Isn't the (serial number + issuer pub key
identifier) supposed to be unique and identify a cert uniquely?
Is it common practice for a CA to issue different certs (even to the same
entity) with the same serial number?



On Tue, Aug 13, 2013 at 10:25 AM, Jeffrey Walton <noloader at gmail.com> wrote:

> On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann
> <pgut001 at cs.auckland.ac.nz> wrote:
> > I recently got another of the standard phishing emails for Paypal, directing
> > me to https://email-edg.paypal.com, which redirects to
> > https://view.paypal-communication.com, which has a PayPal EV certificate from
> > Verisign.  According to this post
> > http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a
> > phishing attack (no-one's really sure), and this post
> > http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site
> > will be shut down by Paypal... back in May 2011.
> >
> > Can anyone explain this?  It's either a really clever phish (or the CAs are
> > following their historically lax levels of checking), or Paypal has joined the
> > ranks of US banks in training their users to become phishing victims.
>
> If that's true, I think the more interesting fact is: it appears
> email-edg.paypal.com is controlled by the attacker. Why else would
> Paypal redirect from a host in their domain to a host not in their
> domain controlled by the adversary? (It's a bit different than standard
> phishing training where both hosts/domains are controlled by Paypal).
>
> Has Paypal fess'ed up to any break-ins or breaches?
>
> Jeff
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
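
The uniqueness question raised in the message above, as an added example that is not part of the original thread: RFC 5280 requires a serial number to be unique among the certificates a given CA issues, so a monitor can flag distinct certificates that share an (issuer name, serial) pair. The inputs below are constructed, truncated certificate skeletons (fields after the issuer are abbreviated), and the issuer "Example CA" and the subject names are placeholders.

```python
import hashlib
from collections import defaultdict

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, offset of next element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Return (raw issuer Name DER, serial number) from an X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                      # tbsCertificate
    tag, value, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                    # optional [0] version
        tag, value, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(value, "big", signed=True)
    _, _, issuer_start = read_tlv(tbs, pos)            # skip signature AlgorithmIdentifier
    _, _, issuer_end = read_tlv(tbs, issuer_start)     # issuer Name
    return tbs[issuer_start:issuer_end], serial

def find_collisions(certs_der):
    """Map (issuer, serial) -> SHA-256 fingerprints when distinct certs share the pair."""
    seen = defaultdict(set)
    for cert in certs_der:
        seen[issuer_and_serial(cert)].add(hashlib.sha256(cert).hexdigest())
    return {key: fps for key, fps in seen.items() if len(fps) > 1}

# --- Constructed sample input: truncated skeletons, not real certificates ---
def der(tag, body):                # short-form lengths only; samples stay under 128 bytes
    return bytes([tag, len(body)]) + body

def name(cn):                      # Name with a single commonName (OID 2.5.4.3)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))

def skeleton(serial, subject_cn):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(3, "big"))
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + name(b"Example CA") + name(subject_cn))
    return der(0x30, der(0x30, tbs))

SAMPLES = [skeleton(3014267, b"a.example"), skeleton(3014267, b"b.example"),
           skeleton(3014268, b"c.example")]
```

Comparing the raw issuer Name bytes avoids string-normalisation mismatches; the same certificate seen twice yields one fingerprint and is not reported.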