Flaw For PayPal Website, Opportunity For Fraudsters
Security researchers report that the PayPal website contains a cross-site scripting flaw that lets a phishing attack appear as a genuine PayPal login page with a legitimate security certificate.
According to Netcraft, an Internet services company in Bath, England, fraudsters regularly exploit the security loophole in the PayPal website to steal credit card numbers and other private information from PayPal visitors. PayPal, owned by eBay, lets its users pay each other online, with the payments charged to their credit cards, so customers' login credentials for the service are a valuable target for fraudsters.
The scam lures users into visiting a URL hosted on the PayPal website. The URL has two reassuring properties: it is served over SSL, so information sent in either direction is encrypted, and it carries an authentic 256-bit SSL certificate confirming that the URL really belongs to PayPal. The fraudsters, however, have modified some of the page's content using a cross-site scripting (XSS) technique.
The 'fake' page states that the user's account has been disabled because another party accessed it. This fraud closely resembles current PayPal scams, but differs in that the 'fake' page is actually a genuine PayPal page. After reading it, the user is directed to an external server, where an unsuspecting victim goes on to enter personal information.
As victims log in through the fake login page, their usernames and passwords are transmitted to the miscreants. They are then shown a different page asking them to enter more details to remove limits on account access.
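As an added illustration (not code from PayPal, Netcraft or this article), the following shows the class of flaw at work: an account-status page that reflects a caller-supplied message verbatim, beside one that HTML-encodes it, plus a small check a template author can run to confirm that reflected input never adds elements of its own. The page template, the function names and the sample message are assumptions constructed for this example.

```javascript
// Added example: minimal server-side rendering of an account-status page.
// renderVulnerable() inserts the message verbatim, which is the class of
// flaw the article describes; renderHardened() HTML-encodes it so injected
// markup is shown as text instead of being interpreted by the browser.

// Encode the five characters that let untrusted text break out of an HTML
// text node or attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hypothetical page template; the only elements it should ever emit.
function pageTemplate(body) {
  return `<!doctype html><html><body><h1>Account status</h1><p>${body}</p></body></html>`;
}

// Vulnerable: the reflected value lands in the HTML untouched.
function renderVulnerable(message) {
  return pageTemplate(message);
}

// Hardened: output encoding at the point the value is written into HTML.
function renderHardened(message) {
  return pageTemplate(escapeHtml(message));
}

// Defender-side check for templates and tests: list every tag in the
// rendered page that the template itself does not emit. A reflected value
// must never contribute one.
const TEMPLATE_TAGS = new Set(["!doctype", "html", "body", "h1", "p"]);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?\s*([a-zA-Z!][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample input (not a real payload): a notice in the style the
// article describes, carrying a link that points off-site.
const SAMPLE = 'Your account has been limited. <a href="https://phish.example/">Restore access</a>';
```

Running `foreignTags` over both renderings of `SAMPLE` shows the injected link surviving in the vulnerable page and disappearing from the hardened one.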
The phishing attempt is hard to detect because of the XSS technique, says Mike Prettejohn of Netcraft. Had the malicious link arrived by e-mail, there might have been clues that it was not genuine. Fraudsters have chosen this technique precisely because they know it is difficult to spot.
PayPal is working with the ISP that hosts the malicious site to shut it down. It is not yet known how many people have fallen victim to the scam.
SPAMfighter News - 03-10-2006