by Dave Michmerhuizen and Denis Kieft – security researchers
Barracuda Labs researchers have recently seen emails from PayPal Inc. that initally seem to be phish but ultimately appear to be a security fail by a company that surely should know better.
It is a well-accepted email security best practice to never click on links in emails. Most businesses, particularly ones that are phishing targets, explicitly advise their users not to click on emails. As you would expect, PayPal does so on their website.
Consider that warning and then take a look at this email from Paypal, via servers at responsys.net, a software service that allows marketers to manage email campaigns…
The email contains ELEVEN hyperlinks, all pointing to an email response servelet which records your click and then transfers the browser to the PayPal login screen. “At first I was sure it was a phishing email,” commented a Labs researcher who received one of the emails. Although PayPal has declined to comment on the email, close examination shows no malicious content. Instead, this appears to be a case of a Marketing department in need of a little security education.
It's unfortunate that this is the case, because security professionals have been trying to teach good email security practices for years. An email from a bank or online service should be considered suspect by default. PayPal's own advice is the safest advice, always open your web browser and type in the URL you intend to visit – never click on a link embedded in an email.
Given that email is still the primary vector for identity theft and that PayPal is one of the most phished brands on the Internet, we would expect them to be particularly sensitive to this issue. Phishing emails like this one are so common that only a blanket rule against clicking on embedded links can be effective. When PayPal sends out their own emails containing links they confound customers who have been long been told not to click on those very links.
Barracuda Networks customers using the Barracuda Spam & Virus Firewall are protected from phishing emails.