"The scam works quite convincingly, by tricking users into accessing a
URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt
information transmitted to and from the site, and a valid 256-bit SSL
certificate is presented to confirm that the site does indeed belong to
PayPal; however, some of the content on the page has been modified by
the fraudsters via a cross-site scripting technique (XSS)."
Article Link: http://news.netcraft.com/archives/2006/06/16/paypal_security_flaw_allows_identity_theft.html
