WordFence found PayPal wasn't the only one being abused. Fake certificates were being issued to sites pretending to be many popular companies such as Google, Microsoft, and Apple.
Google looks for fake sites, but, according to WordFence, "malicious sites that have been issued valid SSL certificates take some time to appear on Chrome's malicious site list." In short, "while the Safe Browsing project that Google runs does great work, Chrome users can not rely on it to reliably identify malicious sites and throw up a warning."
As WordFence explained: "In Chrome, when you see 'secure' in your browser location bar, it means that the connection between your browser and the website you are connected to is encrypted. ... It does not mean that the domain is 'trusted,' 'safe,' 'not malicious,' or anything else."
In addition, even when a "certificate is revoked once a CA realizes they should not have issued it, we show that Chrome still shows the site as 'secure.'" The 'revoked' status is only visible in Chrome developer tools. You can find it by using Chrome's View > Developer > Developer Tools menu on a suspicious site and then clicking View certificate.
The easiest way to protect yourself from malicious sites is to check your web browser's location bar and read the full web site hostname that appears there. For example, a site that presented itself as an Apple site used the URL: https://secure5.apple.com-shop-account-signin.
The key is to look at the full hostname between 'https://' and before the next forward slash. If the URL continues on after the top-level domain (TLD name, such as .com, .net, or edu) and before the first forward slash, you're dealing with a fake site. Close your browser and never go to the site again.
Google and the CAs know about these problems. Google had no comment on this story, but I'm certain it is working on it. In the meantime, don't just click into a site because it looks secure. Maybe it is 'secure,' but it may not be in the least bit safe.