Study: eBay, PayPal Remain Top Phishing Targets

Despite efforts by eBay and PayPal to stop criminals looking to dupe their customers, a new study shows that the sites remain the prime targets of phishers hoping to steal personal information.

A new study confirms that users of the popular eBay auction site and the online payment company PayPal remain the most popular targets of phishing schemes.

More than three quarters of all phishing e-mails are targeted to the users of eBay and its PayPal subsidiary, according to the report.

The fraudulent e-mails most often attempt to gather personal information including credit card numbers and passwords in the name of ripping off users, said researchers at security software maker Sophos, which has its U.S. headquarters in Lynnfield, Mass.

Of those e-mails, 54.3 percent attempted to steal information from users of PayPal, and 20.9 percent were sent to users of the eBay auction site, the study found.

Despite attempts by companies such as eBay to stop phishers, including the company's browser-based toolbar that promises to help customers identify fraudulent Web pages, the criminals continue to succeed with increasingly realistic-looking e-mail messages and Web sites that closely resemble legitimate eBay and PayPal messages, Ron O'Brien, a Sophos senior security analyst, said.

In most cases, phishers use e-mails that offer links to fraudulent sites that in turn seek to deliver worm or Trojan viruses in the name of breaking into computers and gathering up as much personal information as possible.

"It's tried and tested bait," O'Brien said. "What happens much of the time is that people subconsciously click on the link and then it's too late. Now, you have some sort of malware, like a Trojan, on the computer."

Although some researchers have said that the phishing attacks are slowing down, other experts believe that cyber criminals are focusing more and more on specific victims, like PayPal and eBay users, and customers at specific financial service institutions.

The Sophos study indicated that these two sites are targeted primarily because of their popularity and large customer bases.

O'Brien also said that these users tend to share information about themselves with others more readily than casual Internet users, possibly based on the community-like atmosphere of eBay.

Experts have also noted that these attacks are becoming more sophisticated. There are now schemes involving cross-site scripting and other advanced and malicious techniques.

Using cross-site scripting, hackers can load malicious code onto legitimate Web pages to trick users into buying into the schemes.

Despite aggressive efforts by PayPal and eBay to eliminate phishing e-mails, these fraudulent messages still find their way into inboxes, said O'Brien.

An earlier Sophos study showed that about 58 percent of users receive one piece of phishing e-mail per day.

After PayPal and eBay, O'Brien said the study found that bank customers were the most likely targets of phishing. As of January 2006, Sophos found about 4,000 different phishing attempts involving banks.

Since then, another 2,000 bank-targeted phishing campaigns have been uncovered by Sophos.

The same type of phishing e-mails can also have a devastating effect on businesses and other government agencies, based on the viruses they carry.

For example, O'Brien cited a recent problem with the Zotob worm that affected a federal government agency and appears to have been started by a phishing e-mail.
