Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management

    PayPal Fills Phishing Hole

    By
    Matt Hines
    -
    June 19, 2006
    Share
    Facebook
    Twitter
    Linkedin

      Online payment company PayPal reported that it has fixed a Web site glitch through which the operators of a phishing scheme had been attempting to steal personal data of the companys customers.

      According to officials for the eBay subsidiary, PayPal updated coding on its Web site to block a vulnerability that phishers based in South Korea had been exploiting in an effort to rip off its members.

      The sophisticated threat attempted to lure unsuspecting users to a URL hosted on PayPals legitimate Web site that had been altered by cyber-criminals using a so-called cross-site scripting attack.

      Using such attacks, criminals seek out vulnerabilities in legitimate Web pages and add their own code in order to append their own content to the sites or redirect users to other fraudulent sites.

      The schemes can also steal information stored as so-called Web browser cookies, which often contain user names, passwords and other sensitive data.

      Upon visiting the PayPal page in question, users were presented with a message secretly injected onto the site telling them that their accounts had been locked due to unauthorized access and asking them to wait while they were redirected to an account “resolution center.”

      After a short delay, users were redirected to an external server that presented them with an entirely fake PayPal URL and member log-in interface.

      Those who logged into the fake site effectively passed their account information onto the fraudsters, who also presented any visitors with a second totally illegitimate page asking individuals to relax the user control settings of their PayPal accounts and share even more personal information, including their social security numbers, credit card numbers and ATM pin numbers.

      PayPal representatives said that in addition to blocking the vulnerability, the company is working with the Korean Internet service provider hosting the criminal site, and reported that the firm is cooperating with its investigation.

      The eBay company said it was impossible to estimate just how many people had visited the altered Web page, but indicated that the firm has not received a large number of inquiries from concerned members.

      The payment company is encouraging any customers concerned that they may have accessed the fraud sites to change their PayPal log-in passwords.

      For any customers whose information is stolen and misused, PayPal said it is also offering to reimburse the full amount of any related losses.

      The company said it has added the phishing URL to its security toolbar, preventing users of the browser-borne application from accessing the site altogether.

      /zimages/1/28571.gifClick here to read about Symantecs efforts to curb phishing.

      According to researchers at security specialist Netcraft, the altered Web site used SSL (secure sockets layer) encryption to cloak information being transmitted to and from the site, and the page even featured a validation certificate meant to confirm its authenticity as a legitimate PayPal site.

      While some researchers have heralded a slowdown in the sheer volume of phishing attacks being launched against users, many experts believe that, like computer viruses, the attacks are merely becoming more focused on specific sets of victims, such as PayPal customers.

      The attacks are also becoming increasingly sophisticated, with more schemes involving cross-site scripting and other more technologically advanced techniques.

      It appears that criminals are also making a healthy living off of their efforts.

      Japanese law enforcement officials recently arrested a group of eight individuals allegedly responsible for using fake Yahoo Auctions schemes to rip off as many as 700 different people to the tune of roughly $900,000.

      /zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Matt Hines

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×