Search This Blog

Showing posts with label PayPal. Show all posts

Hacker Uses Credential Phishing to Gain Access Into PayPal Account

 

Analysts from Cofense Phishing Defense Center recently found a unique PayPal credential phishing attack. Phishing is a harmful technique that hackers use to steal sensitive information like banking information, credit card data, usernames, and passwords. The actors pretend to be genuine individuals to lure victims by gaining their trust and stealing their personal information. Even worse, the confidential data stolen through phishing attacks can be used for identity theft, financial theft to gain illegal access into victim accounts, or use this account access to blackmail the victims. 

Because credential phishing is generally conducted through a simple URL link, it is easy to ignore exaggerated or subtle tactics that hackers use to steal credentials from innocent victims. As per the experts, the attack isn't very sophisticated and doesn't seem suspicious. Cybersecurity Analyst Alex Geoghagan said that the email may compel the victim to try finding the solution to the problem quickly. The hacker didn't even bother hiding 'from' email address, which was later identified as not actually being from PayPal. But, the e-mail was very well put together and no one would've thought it as a fraud. 

Alex Geoghagan says "There is a “Help & Contact” link, as well as an (ironic) “Learn to identify Phishing” link in the body of the email, both leading to authentic PayPal links. Beyond the first clue in the sender email address, when hovering over the button labeled “Confirm Your Account,” it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, while the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it." 

After a fake live chat has been accessed, hacker uses automated scripts to start communication with the victims and tries to steal user data, e-mail address, credit card information etc. In other words, hacker takes this information to appear as genuine and store enough information for authentication. Once the information is acquired, hacker tries to steal victim's PayPal credentials. After that, a verification code is sent to target via SMS to make him think an authorised person has access to his device. "This attack demonstrates the complexity of phishing attacks that go beyond the typical “Forms” page or spoofed login. In this case, a carefully crafted email appears to be legitimate until a recipient dives into the headers and links, which is something your average user will most likely not do," says Alex Geoghagan.

Virtual Wallet Users are Being Scammed

 

People are carrying less cash as technology advances, preferring to use debit cards, credit cards, and smartphone payment apps instead. Although using virtual wallets like Venmo, PayPal, and Cash App is easy and becoming more common, there is a risk of being scammed by someone who does not appear to be who they claim to be. Virtual wallets are applications that you can download on your Android or iPhone to make it simple to send and receive money from friends, relatives, and other people. To move money, these apps are connected to a bank account. 

Scammers are always on the lookout for their next victim, and these apps provide them with an ideal opportunity to defraud people of their hard-earned money. Fraudsters have devised a number of strategies for intercepting payments or convincing app users to pay them directly. 

Last year, the Better Business Bureau reported on a new scheme in which con artists send messages requesting the return of unintended payments after making deposits into their victims' accounts. 

When the victim checks their account and discovers these transfers, which were made with stolen credit cards, they refund the funds, by which point the scammer has replaced the stolen credit card credentials with their own. The money is then sent to the fraudster, and the victim is held responsible until the owner of the stolen card files restitution claims. 

In contrast to Cash App and Venmo, PayPal is the oldest form of virtual wallet. In a PayPal scam, the scammer asks a seller to send the things he or she "bought" to a particular address. They discover that the address is invalid after the scammer "pays" for the item and the seller sends the package, but it's too late. 

If the shipping company is unable to locate the address, the item will be marked as undeliverable. The scammer would then contact the shipping company and provide a new address in order to accept the package while claiming they did not receive it. 

The scammer would then collect the item and file a complaint with PayPal claiming that the item was never delivered. PayPal will refund the money charged to the scammer because the buyer has no evidence that the item was shipped. As a result, the seller loses both money and goods to the con artist. 

App developers should take action to protect their users from these types of scams. Multifactor authentication and secondary confirmation, such as emailed security codes, are examples of these safeguards. According to Microsoft research, multifactor authentication will prevent 99.9% of fraud attempts involving compromised login credentials.

PayPal Suffered Cross-Site Scripting -XSS Vulnerability

 

The PayPal currency converter functionality was damaged by severe cross-site scripting (XSS) vulnerability. An attacker might be able to run destructive scripts if the vulnerability is abused. This could lead to the malicious user injecting malicious JavaScript, HTML, or some other form of browser file. The bug was noticed on PayPal's web domain with the currency converter functionality of PayPal wallets. 

On February 19, 2020, the vulnerability was first identified as a concern of "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y" – he's been granted $2,900 in bug bounty programming by HackerOne. 

PayPal said that a flaw occurred in the currency conversion endpoint which was triggered by an inability to adequately sanitize user feedback, in a restricted disclosure that was released on February 10 – almost a year after the researcher identified the problem privately. 

PayPal acknowledged the flaw- in response to the HackerOne forum, that contributed to the currency translation URL managing user feedback inappropriately. A vulnerability intruder may use the JavaScript injection to access a document object in a browser or apply other malicious code to the URL. If hackers load a malicious payload into the browser of a victim, they can steal data or use the computer to take control of the system. As a consequence, malicious payloads can trigger a victim's browser page without its knowledge or consent in the Document Object Model (DOM). 

Typically, XSS attacks represent a browser's script from a specific website and can enable a target to click a malicious connection. Payloads can be used as a theft point in larger attacks or for the stealing of cookies, session tokens, or account information. PayPal has now carried out further validation tests to monitor users’ feedback in the currency exchange function and wipe out errors following the disclosure of the bug bounty hunter. 

XSS bugs are a frequent hacker attack vector. Several recent leaks of data have been related to bugs like what some analysts claim is an XSS flaw. 

While telling that the vulnerability has been fixed, PayPal said, “by implementing additional controls to validate and sanitize user input before being returned in the response.”

PayPal Phishing Scam 2021, Here's How to Stay Guarded

 


Another PayPal phishing campaign attempts to take account logins and other personal data. Noxious individuals are sending clients instant messages warning them that their accounts are permanently "limited" and urging them to sign in and verify their identity and account via a given link. Just as it is run of the mill with PayPal phishing messages, this trick likewise incorporates all the vital parts to deceive clients – a short claim that threatens with the outcome and a phony link that diverts clients to a caricaturing site. 

Cybercriminals abuse clients' inexperience and lack of experience by employing infamous social engineering techniques. They create emails or messages that resemble those from real organizations, which persuades victims to give away their details readily. 

The given hyperlink in the new PayPal phishing campaign diverts telephone clients to a spoofing webpage that appears to be indistinguishable from that of PayPal, however, the web address is observably different. Also, prospective victims are quickly approached to sign in to their accounts. Along these lines, they are diverted to a page where a couple of clarifications on why their accounts have been limited are shown, and they are encouraged to secure their accounts. At that point, PayPal clients see another page where they are approached to give their data, such as complete name, date of birth, and billing address. When clients fill in these details, every one of them is then shipped off to the operators behind the scam. They could utilize them to abuse users' PayPal account, open new bank accounts, or utilize the individual's data for future phishing campaigns. 

On the off chance that you've been fooled into filling these fields, at that point the following steps should be taken to avoid becoming a cyber victim: 

 • Sign in to your PayPal account and change the password right away. 

 • On the off chance that a similar password is utilized for signing in to some other accounts, visit them and change it also. 

 • Inform PayPal regarding such a scam and that you might have got influenced. 

 • To ensure no false accounts are made in your name – issue a temporary freeze on your credit report.

To ensure safe, stay wary of such malicious links and stick to the terms and conditions of the organization. Additionally, please note that PayPal could never send its clients any instant messages or force them to visit and sign in to their system immediately, only cybercriminals operate that way. The organization just sends emails that incorporate such data, and it generally contains a clarification for the constraint.

PayPal Fixes 'High-Severity' Password Security Vulnerability


Researcher Alex Birsan, while examining PayPal's main authentication flow– discovered a critical security flaw that hackers could have exploited to access passwords and email addresses of users. He responsibly reported the vulnerability to PayPal on November 18, 2019, via the HackerOne bug bounty platform and received a bug bounty over $15,000 for the issue which was acknowledged by HackerOne after 18 days of its submission and later patched by the company on 11th December 2019. 

The aforementioned bug affected one of the primary and most visited pages amongst all of PayPal's, which is its 'login form' as mentioned by Birsan in the public disclosure of the flaw. 

As Birsan was exploring the main authentication flaw at PayPal, his attention got directed to a javascript file that seemingly contained a cross-site request forgery (CSRF) token along with a session ID. "providing any kind of session data inside a valid javascript file," the expert told in his blog post, "usually allows it to be retrieved by attackers." 

"In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file." 

While giving their confirmation, PayPal put forth that sensitive, unique tokens were leaked in a JS file employed by the Recaptcha implementation. Sometimes users find themselves in situations where they have to go through a captcha quiz after authentication and according to the inference drawn by PayPal, "the exposed tokens were used in the post request to solve the captcha challenge." The captcha quiz comes into play after multiple failed login attempts, that is normal until you come to terms with the fact that " “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validate captcha is initiated.” Although, in order to successfully obtain the credentials, the hacker would be required to find a way of making targeted users visit an infected website prior to logging into their PayPal account. 

While assuring its users, PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”

An Android Malware's Robbing PayPal Accounts!



Security researchers have advised the Android users to keep a check on their PayPal accounts as quite recently, an Android malware has emerged which could easily dodge the security authentication of the application.

Not of late, a case got reported wherein a 1,000 pounds attempt at pilfering the victim’s PayPal account was made.

The attacking cyber-con enters the victim’s PayPal account on their own and easily penetrates the application’s Two-Factor-Authentication (2FA). There’s no role of harvesting login credentials.
 
The users, who have and haven’t activated their Two-Factor-Authentication, are susceptible to this attack alike.

The malware which is reportedly being distributed by a third party, primarily, has the Android’s PayPal app on its radar. Other malware with the same disposition have also been dug out.

By manipulating Android’s Accessibility Services is how the cyber-con behind it all, targets its aim on PayPal.

A researching organization got its hands on the malware which is distributed on third-party app stores and was concealed behind the veil of a battery optimization tool which goes by the name of “Optimization Android”.
Google Play Store has been a part of hearsay because of other malware that have been found on it which possess a similar flair for targeting banking apps.

The aforementioned malware’s key operation is to pilfer money from its target’s PayPal account by initiating a malicious service into the victim’s system.

And to activate this service a request is sent to the victim by the so called bland “Enable Statistics Service”.

If on a vulnerable device the official PayPal is downloaded, the malware would flash a notification to launch it.

The attacker need only wait for the user to log into the app. Once that happens, the “Accessibility Service” would start to impersonate the user’s click and will transfer the money from the victim’s account to the PayPal Address of the cyber-con.

According to the researchers, the attack doesn’t take more than seconds to fall through and in no practical reality can a user stop it in time.


The kind of currency that gets transferred hinges on the victim’s location. The work’s done within a short duration of 5 seconds.
 
The only loophole for the attackers and the only chance at the users’ safety is the kind of balance the victim has. That is, if there is less balance in the account than what the attacker has asked for and no payment cards attached to the account.

Every time the official PayPal application is launched onto the system, the improper “Accessibility Service” gets activated, making the device vulnerable to numerous more attacks.

PayPal has been officially contacted and informed about the erroneous makeup of the application and the risk the users entail.

Five other applications with an analogous disposition to the Optimization Android have been exposed in recent times, on the Google App store.

Rumor has it, that the users with this app already on their ‘downloaded apps’ list have potentially by now entered the trap and fallen prey to the attack.

A few users in Brazil have also come across this unfortunate attack.


Remedies And Advice From The Researchers
·         Keep on checking the application for any fishy transactions. If found, contact the PayPal Resolution Center and report the issue.
·         Keep track of the PayPal account balance.
·         It would really help to change the internet banking and connected e-mail passwords.
·         Try using “Android’s Safe Mode” and try uninstalling the app with the name, “Optimization Android”.
·         Keep your devices updated.
·         Keep a check on what permissions you grant to the application so downloaded.
·         Only use the official Google Play Store App to download other applications.


Android Malware Steals 1,000 Euros In Around 5 Seconds Via PayPal



Another malware discovered in November masked as a battery enhancement application—called Android Optimization is as of late been brought into highlight to have been customized in such a way so as to send 1,000 euros to cyberthieves by means of PayPal in around 5 seconds and all this without the user being able to stop it.

The malware is being circulated by third party applications therefore making it unavailable in the official Google Play Store.

The malware is depicted as one to sagaciously exploit Google's Accessibility Services, intended to assist individuals with disabilities, to trick users into giving the hackers some control of the phone.

After the malware approaches the user for authorization to "Enable Statistics "in the wake of being installed this empowers the cybercriminals to take control of the phone remotely when the user opens certain applications, for the most part some being: PayPal, Google Play, WhatsApp, Skype, Viber, Gmail, and some other banking applications.

ESET researchers found that the malware can demonstrate users overlay phishing pages made to look like legitimate banking applications, or other well-known applications, such as, Gmail, WhatsApp, Skype and Viber, approaching the users for credit card certifications.

 “The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time. The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times.” wrote ESET researcher Lukas Stefanenko in a blog post.

A video by ESET showing how the malware works




Microsoft, Netflix and PayPal Emerge As the Top Targets for Phishing Attacks



Email security provider Vade Secure released another phishing report following the 25 most 'spoofed' brands in North America that are imitated in phishing attacks. Amongst them the top three are Microsoft, Netflix and PayPal.

Out of all the 86 brands that were tracked, 96% of them all were done so by the company as per their Q3 2018 report.

Bank of America and Wells Fargo are not so far behind Microsoft and the other top 2 targets in this case as there has been an increase in these phishing attacks by approximately 20.4% as reported by Vade Secure. As the attackers attempt to access Office 365, One Drive, and Azure credentials their focus has been towards cloud based services as well as financial companies.



Vade Secure's report states - "The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials. With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, One Drive, Skype, Excel, CRM, etc. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization."

The attackers, through a feeling of urgency endeavor to show that the recipient's account has been suspended or so thus inciting them to login in order to determine the issue, this happens in the case of Office 365 phishing emails. By doing this though they expect for the victims to be less wary when entering their credentials.

Exceptionally compelling is that attackers have a tendency to pursue a pattern with respect to what days they send the most volume of phishing mails. As per the report, most business related attacks tend to happen amid the week with Tuesday and Thursday being the most popular days. For Netflix though, the most focused on days are Sunday because that is the time when users' are taking a backseat and indulge in some quality television.

As these attacks become more targeted Vade Secure’s report further states – "What should be more concerning to security professionals is that phishing attacks are becoming more targeted. When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid by reputation-based security defenses. In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools."

For the users' however , it is advised to dependably examine a site before entering any login details and if there are any occurrences of the URL seeming abnormal or even something as minor as a language blunders then they should report the issue directly to either the administrator or the company itself.