Or..Phishing.
"However, the URL exploits a flaw in PayPal's site that allows the fraudsters to inject some of their own code into the page that is returned, he wrote. In this case, the result is a warning that the user's account may have been compromised, and that they "will now be redirected to Resolution Center." The page to which they are redirected asks for their PayPal account details -- but thanks to the cross-site scripting flaw in the PayPal site, and the data injected into the URL by the fraudsters, the page is no longer on the PayPal site. Instead, the page steals the login details and sends them to the fraudsters' server, then prompts the user for other personal information, Mutton said."

I have received several PayPal emails like the one listed above. I actually used it when training someone on staff here to recognise fraudulent emails. This type of attack is common, yet subtle enough to hide from the everyday user (seemingly the target of the exploit). XSS attacks can cause damage like this, or enable things like session fixation attacks or stealing personal information. The best defence against this is to validate your input (see http://www.shiflett.org). I feel sorry for those who fell prey to the attack, and am glad that PayPal has responded promptly to the exploit; it is just sad that they have taken a reactive approach to their website's security.
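To make the flaw described above concrete, here is an added example (not PayPal's code, nor from the quoted article) of a page that reflects a URL parameter into its HTML unchanged, beside a hardened version that validates the parameter against an allowlist and HTML-escapes whatever text reaches the page. The URLs, the `msg` parameter and the message table are constructed for the example.

```python
"""Reflected XSS: echoing URL data verbatim vs. validating and escaping it."""
from html import escape
from urllib.parse import urlparse, parse_qs

# Allowlist of message codes the server knows how to render (assumed design).
KNOWN_MESSAGES = {
    "login_ok": "You are now logged in.",
    "session_expired": "Your session has expired. Please log in again.",
}


def render_vulnerable(url: str) -> str:
    """Echoes the 'msg' query parameter straight into the HTML.
    Whatever a fraudster places in the URL becomes part of the returned page."""
    params = parse_qs(urlparse(url).query)
    msg = params.get("msg", [""])[0]
    return f"<html><body><div class='notice'>{msg}</div></body></html>"


def render_hardened(url: str) -> str:
    """Two independent defences: treat the parameter as an opaque key looked up
    in an allowlist (input validation), and HTML-escape the text that is
    finally rendered (output encoding) so it can never be parsed as markup."""
    params = parse_qs(urlparse(url).query)
    key = params.get("msg", [""])[0]
    text = KNOWN_MESSAGES.get(key, "Unknown message.")
    return f"<html><body><div class='notice'>{escape(text, quote=True)}</div></body></html>"


def contains_markup(page: str, payload: str) -> bool:
    """True if the raw, unescaped payload survived into the rendered page."""
    return payload in page


# Constructed sample URLs, not real PayPal links.
BENIGN_URL = "https://example.test/notice?msg=session_expired"
INJECTED_URL = "https://example.test/notice?msg=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("vulnerable page keeps payload:", contains_markup(render_vulnerable(INJECTED_URL), payload))
    print("hardened page keeps payload:  ", contains_markup(render_hardened(INJECTED_URL), payload))
```

The hardened renderer never lets URL-supplied text reach the page at all; the escaping is kept as a second layer so that a future change which does render user text still cannot introduce markup.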
