[cryptography] not a Paypal phish using EV certificate

John Levine johnl at iecc.com
Tue Aug 13 09:25:15 EDT 2013


In article <E1V9Ac6-0005vx-2g at login01.fos.auckland.ac.nz> you write:
>I recently got another of the standard phishing emails for Paypal, directing 
>me to https://email-edg.paypal.com, which redirects to 
>https://view.paypal-communication.com, which has a PayPal EV certificate from 
>Verisign.  According to this post 
>http://www.onelogin.com/a-paypal-phishing-attack/ it may or may not be a 
>phishing attack (no-one's really sure), and this post 
>http://www.linuxevolution.net/?p=12 says it is a phishing attack and the site 
>will be shut down by Paypal... back in May 2011.
>
>Can anyone explain this?

Sure.  It's Paypal.

If you look at the WHOIS and DNS for paypal-communication.com, they're
the same as paypal.com, with DNS at ISC.  The web page is hosted at
Akamai, who know who their customers are (so they can send them large
invoices.)

If you read the linuxevolution.net post, the guy got the message, and
sent a query to Paypal support.  The person who answered it at 3 AM
Bangalore time sent the canned "thanks for reporting a phish" message
that they send to EVERY SINGLE COMPLAINT, even ones for mail with
paypal.com addresses coming from paypal.com servers.  In sort of
defense, most of the complaints really are about phishes, but I'd
think they would be able to do automation to look for their own
domains and IP addresses and give the staff a hint that this might be
a real one.

I agree that it was not a great idea for Paypal to invent
paypal-communication.com rather than a subdomain of one of their
existing well-known domains such as communication.paypal.com.

R's,
John
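
The kind of automated hint the message above asks for, as an added example that is not part of the original post and is not PayPal's tooling: it checks a reported message's link hosts and connecting IP against the organisation's own domains and networks before staff pick a reply. The function names, the sample messages and the 192.0.2.0/24 network are constructed assumptions; only the two domain names come from the thread.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumed allowlist: domains named in the thread; the network is a constructed
# documentation range, not PayPal's real address space.
OWN_DOMAINS = {"paypal.com", "paypal-communication.com"}
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
URL_RE = re.compile(r"https?://[^\s<>\"']+")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_own_host(host):
    """Match only on a label boundary, so paypal.com.evil.example fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)

def is_own_ip(text):
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in OWN_NETWORKS)

def triage(raw_message):
    """Return (hint, hosts) for support staff handling a reported message."""
    msg = message_from_string(raw_message)
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts = [urlsplit(u).hostname or "" for u in URL_RE.findall(body)]
    foreign = [h for h in hosts if not is_own_host(h)]
    # Assumption: the topmost Received header was written by the reporter's own
    # mail server; lower ones can be forged by the sender and are ignored.
    received = msg.get_all("Received") or []
    ips = RECEIVED_IP_RE.findall(received[0]) if received else []
    if foreign:
        return "likely-phish", foreign
    if hosts and ips and is_own_ip(ips[0]):
        return "possibly-genuine", hosts
    return "needs-review", hosts

# Constructed sample reports (not real mail).
GENUINE = (
    "Received: from out.example ([192.0.2.25]) by mail.reporter.example\n"
    "From: service@paypal.com\nSubject: Your statement\n\n"
    "See https://email-edg.paypal.com/view and "
    "https://view.paypal-communication.com/msg\n")
LOOKALIKE = (
    "Received: from host.example ([198.51.100.7]) by mail.reporter.example\n"
    "From: service@paypal.com\nSubject: Verify\n\n"
    "Log in at https://paypal.com.evil.example/login\n")
```

A "possibly-genuine" result is only a prompt for a human to look before sending the canned reply; the From header plays no part in the decision because it is sender-controlled.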

