Posted on February 25, 2020 at 4:25 PM

Hackers Abusing PayPal Accounts, Make Mass Unauthorized Payments

Recent reports reveal that hackers are exploring a vulnerable bug at PayPal’s online platform. According to the reports, the vulnerability allows hackers to carry out illegal transactions. The vulnerable bug is seen within the Google Pay integration of PayPal, as it allows hackers to illegally order products online and incur unauthorized charges.

The bug and exploitation was discovered when some PayPal users reported some irregularities in their payment history. But it appears most of the affected users are German users.

Based on testimonies and various screenshots the victims provided, most of the illegal transactions are carried out at specially target stores.

Estimated damage

Some PayPal users have reported a loss of funds from their PayPal accounts. While some users lost a few hundred euros per account, some have reported tens of thousands of euros in a single transaction. In February last year, some security researchers reported the vulnerability to PayPal. However, the online payment platform was not able to fix the bug. Now, PayPal has stated that it’s investigating the situation and would let the public know of its findings as soon as possible.

 Users started noticing some irregularities in their transaction history since Friday last week. Some of the PayPal users immediately contacted PayPal as they started seeing some strange transactions appear in their PayPal history through the Google Pay account.

The users have also reported the issues on several platforms, including Twitter, Reddit, Paypal’s forums, as well as both Google’s German and Russian support forums.          

A Google spokesman declined to comment on the situation. However, Paypal said it’s presently investigating the situation and would clear the air about the attack very soon.

Affected Bug could be linked to earlier discovered bug

In a message on Twitter, Markus Fenske, a German security researcher, opined that the illegal transactions people have reported over the weekend appear to be related to a bug he pointed out to PayPal barely a year ago. He said he and fellow researcher Andreas Mayer informed PayPal about the bug in February last year. However, it seems the company did not prioritize fixing the bug.

I think we can disclose it by now.

Issue: PayPal allows contactless payments via Google Pay. If you have set it up, you can read the card details of a virtual credit card from the mobile, if the mobiles device is enabled. No auth.

— iblue (@iblueconnection) February 24, 2020

Fenske also revealed that the main problem stems from the fact that when a user links PayPal to his Google Play account, PayPal generates a virtual card with a different card number, CVC, and expiration date.

According to him, when the user decides to make virtual payments via his PayPal account, the transaction is charged through his virtual card.

“If the virtual card was locked to POS transactions only, there would be no issue, but PayPal allows this virtual card to be used for online transactions,” said Fenske.

Fenske now thinks hackers have maneuvered their way to know the details about the virtual cards, and are utilizing these details for unauthorized online transactions.

An attacker could get hold of virtual cards in three ways

Fenske said that a hacker or attacker could get hold of virtual cards in three different ways. First, they can guess the details. Second, they could use malware that infected users’ devices. Thirdly, they could read the card details of the user through the users’ screen or phone.

He also added that CVC is not relevant in the details because any could be accepted.

The main information is something the attacker has worked on for a long time. He pointed out that it’s almost a year from the time he and his fellow researchers reported the vulnerability till now. That’s enough time for somebody to figure out a lot of things about users’ accounts, and the bug vulnerable bug made their job easier.

The real cause of attack not known yet

Fenske and his colleague are still insisting that even if the details of the attack fit the description of a bug they discovered last year, they are still not sure what’s the main cause of the attack.

On a similar note, PayPal started its investigation into the situation, especially the unauthorized use of user’s details to pay for goods and services online. The company is still investigating whether there is a connection between the bug last year and the current one.

A PayPal spokesperson said the main goal of the company is to protect the accounts of its customers. He said the company is reviewing and accessing the situation as well as the information to make sure customers’ best interest is protected.