Scammers have been targeting PayPal and eBay users for years using "phishing" emails. These hoax emails trick recipients into visiting spoof sites - sites made to look like the sign-in pages of legitimate companies but which are in actuality created by scammers to harvest victims' personal and financial information.
AuctionBytes began reporting on phishing scams in June 2002, and by November 2002, the problem of phishing attacks was well documented. Each time experts gave advice on how to spot a phishing email, the phishers would improve their approach, making the tips less helpful.
Four years later, phishers have grown ever more sophisticated and continue to trick even savvy online users. They first targeted PayPal and then eBay, but then moved on to banks and other financial institutions, ecommerce sites and ISPs. Phishers have learned to take advantage of browser vulnerabilities so users couldn't always tell by looking at the address bar if they were on a legitimate website.
The "good guys," like eBay and PayPal, have worked on educating users, although many - like eBay - still include links to sign-in pages in some emails. They have also developed toolbars that users can install on their computers to help them spot spoof websites, but overall the problem of phishing remains a serious one.
One technique that legitimate companies use to help their users avoid falling for phishing emails is to personalize the emails they send to their users, a technique phishers have now learned to exploit. Last week, AuctionBytes reported a flaw on PayPal's website that allowed visitors to determine a PayPal member's full name (http://auctionbytes.com/cab/abn/y06/m03/i24/s00). Recipients receiving personalized phishing emails can be tricked by their air of legitimacy.
PayPal Director of Corporate Communications Amanda Pires said spoof is an issue PayPal takes very seriously. She could not reveal exact details about what PayPal was doing to fight phishing, but claimed the company is leading the industry with innovative technology and resources dedicated to fighting spoof. "PayPal and eBay employ a dedicated team that focuses just on the spoof issue. Additionally, every second of every day and on every single transaction, PayPal applies its advanced proprietary fraud detection techniques and tools to detect fraudulent activity."
According to Rich Miller, an analyst with Netcraft Ltd., a company that provides security services related to phishing (http://www.netcraft.com), eBay and PayPal are two of the most frequently targeted companies for phishing schemes. Miller said the best way for such companies to communicate with users is through dedicated message areas users access after they log in to the company's site. He said the next best advice for users to avoid becoming victims of phishing schemes is to refrain from clicking on links in emails that lead to log-in pages.
Miller said phishing emails create a sense of urgency. In the early days, typos were often a sign of a phishing email, he said, but phishers have cleaned up their spelling over the years. "Phishers will test social engineering tricks," he said. "If it works, they put the additional effort into refining it. They will spend time to make it look legitimate. The people doing it are professionals."
Miller said he has seen personalized phishing attacks before. Two weeks ago, phishers sent personalized emails with information from a financial services company database they had somehow obtained. The emails linked to a partially pre-filled form online in a further attempt to trick users.
Miller, whose company provides an anti-phishing toolbar (http://toolbar.netcraft.com), said he knows that eBay and PayPal are working very hard at anti-phishing efforts and said it's a constant battle to stay one step ahead - it's the nature of the beast. "eBay and PayPal have a special challenge. They are one of the largest targets with one of the largest audiences to protect."
Recently, attention has turned to the problem of a cross-site scripting vulnerability on eBay. According to a warning issued by US-CERT (United States Computer Emergency Readiness Team) on April 2, scammers are using this vulnerability to redirect auction viewers to phishing sites (http://www.kb.cert.org/vuls/id/808921).
The previous week, Mike Enos of PlatinumPowerseller.com had sent an alert to his readers with a video demonstration of the vulnerability. Note that the following link leads directly to the slide-show presentation with audio (this is a commercial website and, after the slideshow, it leads to a sales pitch): http://www.platinumpowerseller.net/link/link.php?P=2674
So a new bit of advice must be added to the old warning never to click on a link in an email: when navigating a website, beware of pop-up sign-in pages. It may be a cross-site scripting phishing technique.
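The cross-site scripting problem described above is the class of flaw that lets seller-supplied listing text run script in a viewer's browser and pop up a bogus sign-in page. As an added illustration of the standard defence, not code from eBay, PayPal, US-CERT or this article, the following JavaScript renders untrusted listing fields with HTML escaping and only emits links to allowlisted hosts over HTTPS; the host names, helper names and the sample listing are all constructed for the example.

```javascript
// Added example (not eBay's, PayPal's, or the article's code): rendering
// untrusted auction-listing text so that an injected script or redirect is
// shown as literal text instead of being executed. Helper names are hypothetical.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hosts a seller link may point at (constructed allowlist for the example).
const ALLOWED_LINK_HOSTS = new Set([
  'www.example-auction.test',
  'pages.example-auction.test',
]);

// Decide whether a seller-supplied href may be emitted as a clickable link.
// Rejects relative/malformed input, non-HTTPS schemes such as javascript: or
// data:, and any host outside the allowlist, so a listing cannot send viewers
// to a look-alike sign-in page.
function isAllowedLink(href) {
  let url;
  try {
    url = new URL(href); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  return ALLOWED_LINK_HOSTS.has(url.hostname);
}

// Build the HTML for one listing from untrusted seller input. Every field is
// escaped; the optional link is emitted only when the host check passes.
function renderListing(listing) {
  const title = escapeHtml(listing.title);
  const description = escapeHtml(listing.description);
  let link = '';
  if (listing.moreInfoUrl && isAllowedLink(listing.moreInfoUrl)) {
    // The attribute value is escaped as well, even though the host was checked.
    link = `<p><a href="${escapeHtml(listing.moreInfoUrl)}" rel="noopener">More about this item</a></p>`;
  }
  return `<h2>${title}</h2><p>${description}</p>${link}`;
}

// Constructed sample: a listing whose description tries to open a fake
// sign-in pop-up, plus a "more info" link to an off-site host.
const hostileListing = {
  title: 'Vintage camera <b>mint</b>',
  description: '<script>window.open("https://signin-example.test/login")</script>Great condition',
  moreInfoUrl: 'https://signin-example.test/login',
};

// The script tag comes out as visible text and the off-site link is dropped.
console.log(renderListing(hostileListing));
```

The escaping step is what neutralises the injected script; the host allowlist is a second, independent control that keeps a listing from carrying viewers off-site even through a perfectly ordinary-looking link. Both belong on the server or in the templating layer, not in a browser toolbar.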