eBay & PayPal Phishing Gone For Good On Gmail and Yahoo?

If your email account is with Google or Yahoo!, your days of seeing phishing emails from fake eBay or PayPal addresses should be over. Google announced last week that it’s now using DomainKeys to verify that messages really do come from paypal.com or ebay.com. If they don’t, they never even make it to your inbox. This is possible because eBay and PayPal are now making sure “that all their email is signed with DomainKeys and DKIM.” Since Yahoo! also uses DomainKeys and DKIM (they developed it, in fact), phishing attacks for Yahoo! Mail accounts should also disappear.

No amount of security will stop a bit of social engineering, but this is a great strike against phishing. Now if only banks would start embracing DomainKeys.

From Google’s Gmail blog:

Now any email that claims to come from “paypal.com” or “ebay.com” (and their international versions) is authenticated by Gmail and — here comes the important part — rejected if it fails to verify as actually coming from PayPal or eBay. That’s right: you won’t even see the phishing message in your spam folder. Gmail just won’t accept it at all. Conversely, if you get a message in Gmail where the “From” says “@paypal.com” or “@ebay.com,” then you’ll know it actually came from PayPal or eBay. It’s email the way it should be.

eBay and PayPal have worked hard to ensure that all their email is signed with DomainKeys and DKIM. Armed with this information, Gmail can easily reject as a fake anything that doesn’t authenticate. We’ve been testing this for a few weeks now and it’s working so well that few people really noticed.

“Fighting phishing with eBay and PayPal” [Gmail Blog]
(Photo: Stryker W@SP)
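The reject-if-unsigned rule the Gmail post describes, sketched from the receiving side as an added example (not Gmail's code). It assumes DKIM verification has already run and recorded its result in an Authentication-Results header; the verifier name mx.receiver.example, the sample messages, and the treatment of subdomains as covered are all assumptions, and legacy DomainKeys results are not handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ENFORCED = {"paypal.com", "ebay.com"}   # domains named in the article
TRUSTED_ID = "mx.receiver.example"      # hypothetical authserv-id of our own verifier

def enforced_parent(domain):
    """Return the enforced domain that `domain` equals or sits under, else None."""
    for e in ENFORCED:
        if domain == e or domain.endswith("." + e):
            return e
    return None

def dkim_pass_domains(msg):
    """Signing domains (header.d) with dkim=pass, read only from our own verifier's headers."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(value.split()).partition(";")
        if authserv.strip().lower() != TRUSTED_ID:
            continue  # stamped by another hop or supplied by the sender: ignore
        for result in results.split(";"):
            m = re.search(r"\bdkim=pass\b.*?\bheader\.d=([\w.-]+)", result, re.I)
            if m:
                passed.add(m.group(1).lower())
    return passed

def verdict(raw):
    """'accept', 'reject', or 'no-policy' (sender domain is outside the enforced set)."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    claimed = enforced_parent(addr.rpartition("@")[2].lower())
    if claimed is None:
        return "no-policy"
    signed = {enforced_parent(d) for d in dkim_pass_domains(msg)}
    return "accept" if claimed in signed else "reject"

# Constructed sample messages (not real traffic).
SIGNED = ("From: PayPal <service@paypal.com>\n"
          "Authentication-Results: mx.receiver.example;\n dkim=pass header.d=paypal.com\n\nhi\n")
UNALIGNED = ("From: PayPal <service@paypal.com>\n"
             "Authentication-Results: mx.receiver.example; dkim=pass header.d=bulk.example\n\nhi\n")
UNTRUSTED = ("From: service@ebay.com\n"
             "Authentication-Results: other.example; dkim=pass header.d=ebay.com\n"
             "Authentication-Results: mx.receiver.example; dkim=none\n\nhi\n")
OTHER = ("From: news@shop.example\n"
         "Authentication-Results: mx.receiver.example; dkim=pass header.d=shop.example\n\nhi\n")
```

A "no-policy" result means the message claims a domain outside the enforced set, so this rule says nothing about it and ordinary spam filtering still has to decide.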