Here we go again: another PayPal report from security researchers, warning of a risk to users from thieves. This latest scam has reportedly now claimed thousands of victims and millions of dollars. As tech savvy as you might be, this scam’s devious social engineering twist has the potential to dupe the best of us. Take the advice below, safeguard your accounts, and don’t be next.
The issue has been brought to light by the ever-diligent researchers at CyberNews. The team says it wants to expose security issues that put large numbers of users at risk. A few weeks ago, I reported on their last PayPal research, a “critical login hack,” where an attacker was able to defeat some of the platform’s protections. Between then and now, CyberNews exposed the leak of U.S. online dating data, which put “millions of women at risk.” And now they’re back with another PayPal issue, one that users need to be aware of, to ensure they don’t fall victim.
CyberNews says that most of the fraudsters behind this scam are from the U.S., U.K. or Russia, and that for most of them this scam is now their main source of income. And why wouldn’t it be? The researchers say that a typical attacker can earn $2,500 per day, and that groups operating together can generate as much as $1.5 million per month. Right now, the U.K. appears to be a hotbed for the attacks, given the use of PayPal, but this has no geographical limits. The scam can work anywhere.
So, how does this scam work? Well, it’s based on the same social engineering risk that I reported on over a WhatsApp account take-over risk in January. That stupidly simple hack involved tricking users into giving up the one-time codes WhatsApp sends when you transfer your account to a new phone. The compromised account would then be used to message WhatsApp contacts and request money.
The difference this time is that it’s Facebook itself, not Facebook-owned WhatsApp. The issue with the WhatsApp hack was that an attacker would only see contacts that were part of the same groups as the victim. With Facebook, a full set of contacts can be seen, which makes it much more potent. Beyond that, the hack is the same and any compromised messaging platform can be used to fuel the scam.
With the Facebook account hacked, an attacker uses Messenger to contact a number of friends, telling each of them that they are owed money but cannot access their own PayPal account to receive it. So, can they have the money sent to this friend’s PayPal account instead, and the friend can then bank transfer it to them? You can see a typical attacker’s pitch in the screenshot below.
CyberNews has provided this explanation as to how the scam works, and an image (below) that shows the process in action.
- One of the victim’s friends has their Facebook account hacked, using stolen login details acquired from the dark web. These credentials are easily acquired given the huge volume of breached data online.
- The attacker sends the victim a message from that hacked account; it will be something like: “I just sold something online and need to get paid, but something is wrong with my PayPal. Can you help me out? They’ll send you the money on PayPal, then you can send it to my bank account.”
- The victim says okay and provides their PayPal details. Shortly afterwards the money turns up in the victim’s account. The victim checks their PayPal statement and can see that the money is there.
- The money has been sent by the attacker, either from an account or card set up with fraudulent details or through a hacked PayPal account.
- With the money received, the victim sends that same amount to their “friend,” using the bank account details provided. In reality, this is the attacker’s bank account, to be used for a few scams and then closed.
- The victim thinks all is okay. But the next time they check their PayPal account, they find that the amount received has been reversed. This is a chargeback: the sender of the money (the attacker) has disputed the payment and had it reversed through PayPal’s standard dispute and chargeback systems.
- The victim is unable to do the same with their transfer to the attacker’s account; there is no such safety net with a bank transfer.
- The money makes a number of further electronic hops (to prevent tracing to the endpoint) before it is withdrawn. It is not coming back.
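The sequence above has a recognisable shape in the second victim’s own account history: an incoming PayPal payment, an outbound bank transfer of the same amount to a payee the account has never paid before, and then a reversal of the PayPal payment. The following script is an added example, not code from CyberNews, PayPal or the original article. It runs a simple detection heuristic over a constructed ledger; the ledger format, the 48-hour forwarding window and the list of known payees are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample ledger for one PayPal user (invented data, not from the
# CyberNews report). Each entry is a simplified ledger line: kind is one of
# paypal_in, paypal_reversal, bank_out; ref ties a reversal to the payment it
# undoes. The first three lines are the scam; the last two are benign activity.
SAMPLE_LEDGER = [
    {"ts": "2020-06-01T10:05:00", "kind": "paypal_in", "amount": 850.00,
     "counterparty": "buyer-x@example.com", "ref": "PP-1001"},
    {"ts": "2020-06-01T11:40:00", "kind": "bank_out", "amount": 850.00,
     "counterparty": "GB00-new-payee", "ref": "BT-2001"},
    {"ts": "2020-06-03T09:00:00", "kind": "paypal_reversal", "amount": 850.00,
     "counterparty": "buyer-x@example.com", "ref": "PP-1001"},
    {"ts": "2020-06-04T12:00:00", "kind": "paypal_in", "amount": 40.00,
     "counterparty": "friend@example.com", "ref": "PP-1002"},
    {"ts": "2020-06-05T12:00:00", "kind": "bank_out", "amount": 40.00,
     "counterparty": "GB00-known-payee", "ref": "BT-2002"},
]

# Payees this account has paid before (assumed); the scam always routes the
# money to a fresh bank account, so a never-seen payee is the key signal.
KNOWN_PAYEES = {"GB00-known-payee"}


def find_mule_patterns(ledger, known_payees, forward_window=timedelta(hours=48)):
    """Flag 'receive on PayPal, forward by bank transfer' sequences.

    A hit is an incoming PayPal payment followed within forward_window by an
    outbound bank transfer of the same amount to a payee not in known_payees.
    Each hit records whether the PayPal payment was later reversed, which is
    the point at which the forwarded money becomes an unrecoverable loss.
    """
    rows = sorted(ledger, key=lambda t: t["ts"])  # ISO-8601 strings sort chronologically
    parsed = [(datetime.fromisoformat(t["ts"]), t) for t in rows]
    reversed_refs = {t["ref"] for t in rows if t["kind"] == "paypal_reversal"}
    hits = []
    for i, (ts_in, t_in) in enumerate(parsed):
        if t_in["kind"] != "paypal_in":
            continue
        for ts_out, t_out in parsed[i + 1:]:
            if ts_out - ts_in > forward_window:
                break  # rows are sorted, so nothing later can be inside the window
            if t_out["kind"] != "bank_out":
                continue
            if abs(t_out["amount"] - t_in["amount"]) > 0.01:
                continue
            if t_out["counterparty"] in known_payees:
                continue
            hits.append({
                "paypal_ref": t_in["ref"],
                "bank_ref": t_out["ref"],
                "amount": t_in["amount"],
                "new_payee": t_out["counterparty"],
                "hours_to_forward": round((ts_out - ts_in).total_seconds() / 3600, 2),
                "reversed": t_in["ref"] in reversed_refs,
            })
    return hits


def realised_loss(hits):
    """Money already forwarded whose PayPal side has since been charged back."""
    return round(sum(h["amount"] for h in hits if h["reversed"]), 2)


if __name__ == "__main__":
    found = find_mule_patterns(SAMPLE_LEDGER, KNOWN_PAYEES)
    for h in found:
        print(h)
    print("realised loss:", realised_loss(found))
```

On the sample ledger this flags the 850.00 PayPal receipt forwarded to a new payee 1.58 hours later and marks it as reversed; the 40.00 receipt forwarded to a known payee is ignored. The point of the heuristic is timing: the pattern is visible at the moment the bank transfer is made, before the chargeback lands, which is the only point at which the second victim can still stop the loss.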
The scam can involve either two or three victims. The owner of the hacked messaging account is the first victim. The owner of the PayPal account that receives the money and forwards it by bank transfer is the second, and the only one who loses out financially. Sometimes the attacker also uses a hacked PayPal account to make the payment and then reverse it (and if the attacker doesn’t reverse the charge, the rightful owner will); when this is used instead of a fraudulent card, its owner is the third victim.
There are some further technical details behind the hack, including the way in which safety checks are bypassed on Facebook and PayPal accounts. In either case, the use of proper multi-factor authentication (MFA) to provide a one-time passcode backup to your username and password will stop the account takeover in its tracks: stolen credentials from a breach dump are not enough on their own. Note what MFA does and does not protect, though. It protects the first victim’s Facebook account and any hacked PayPal account used to fund the scam; it does nothing for the second victim, who is persuaded to forward the money voluntarily. Facebook’s MFA setup can be seen in the image below, and there is a similar setting for PayPal. Frankly, you should have this enabled on anything where it is an option.
Beyond that, this is all about common sense. If a friend messages you in this way, contact them over a different channel from the one the message arrived on and make sure it’s really them; the account that sent the message is the one you should assume is compromised, so a reply there proves nothing. Better still, call the friend on the phone. Unless you’re 100% certain, do not proceed.
From PayPal’s perspective, the chargeback mechanism belongs to the credit card company, whose policies and procedures govern when a disputed transaction is reversed; as such, PayPal does not accept that its own systems are being abused. The payments giant also questions the assumption that chargebacks are accepted by default.
PayPal told CyberNews “we never lose sight of the fact that we are entrusted to look after people’s money. We take this responsibility very seriously and use advanced fraud and risk management tools to keep our customers and their payments safe. We go to great lengths to protect our customers,” the payment giant said, “but there are still some basic precautions we should take to avoid scams.”
PayPal warns customers “to be wary if they receive unusual requests about their PayPal account, especially requests to move large amounts of money, even when the request appears to come from someone they know. Always question uninvited approaches in case it’s a scam, and check directly with the person concerned to verify the request. And never accept or move money on behalf of someone else.”