by Playfuls Staff |
18th June 2006
According to Netcraft, a security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. [more]
Netcraft reports that the scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal.
When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-In page.
At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site – and why would he expect PayPal to redirect him to a fraudulent web site?
Paypal has now addressed this vulnerability. A company spokesman said Paypal is working with the Internet service provider that hosts the malicious site to get it shut down, and does not yet know how many people may have fallen victim to the scam.
