[cryptography] Paypal phish using EV certificate

Erwann Abalea eabalea at gmail.com
Tue Aug 13 06:33:02 EDT 2013

The serial number you find in the subject of an EV certificate is the
registration number of the company (Paypal Inc, in Delaware). There's
absolutely no problem in having different certificates with this repeating
serial number (in the subject), as long as they are delivered to the right
company. What MUST be unique for a CA is the serialNumber of the
certificate (the first element of the TBSCertificate structure, outside the

Looks like paypal-communication.com is a legit domain owned by "Paypal,

2013/8/13 wasa bee <wasabee18 at gmail.com>

> Given the images seen on the links, both certs are signed by the same
> entity (I cannot see the pubKey ID but issuer names match), yet have the
> same serial number 3014267. Isn't the (serial number + issuer pub key
> identifier) supposed to be unique and identify a cert uniquely?
> Is it common practice for a CA to issue different certs (even to the same
> entity) with the same serial number?
>
> On Tue, Aug 13, 2013 at 10:25 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Tue, Aug 13, 2013 at 5:10 AM, Peter Gutmann
>> <pgut001 at cs.auckland.ac.nz> wrote:
>> > I recently got another of the standard phishing emails for Paypal,
>> > directing me to https://email-edg.paypal.com, which redirects to
>> > https://view.paypal-communication.com, which has a PayPal EV
>> > certificate from Verisign.  According to this post
>> > http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be
>> > a phishing attack (no-one's really sure), and this post
>> > http://www.linuxevolution.net/?p=12 says it is a phishing attack and
>> > the site will be shut down by Paypal... back in May 2011.
>> >
>> > Can anyone explain this?  It's either a really clever phish (or the CAs
>> > are following their historically lax levels of checking), or Paypal has
>> > joined the ranks of US banks in training their users to become phishing
>> > victims.
>>
>> If that's true, I think the more interesting fact is: it appears
>> email-edg.paypal.com is controlled by the attacker. Why else would
>> Paypal redirect from a host in their domain to a host not in their
>> domain controlled by the adversary? (It's a bit different than standard
>> phishing training where both hosts/domains are controlled by Paypal).
>> Has Paypal fess'ed up to any break-ins or breaches?
>> Jeff
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography

