Hackers have been exploiting a security bug in PayPal's Google Pay integration to do unauthorised transactions and buy products online.
The issue has affected a large number of PayPal users, who reported it on various platforms, including PayPal's forums, Twitter, and Reddit.
The victims claim that their Google Pay accounts were abused by hackers to perform online purchases using their PayPal accounts. They were only made aware of the fraud after seeing unexpected transactions in their PayPal history. All those transactions originated from their Google Pay accounts.
The majority of unauthorised transactions were carried out at US retailers, with some purchases weighing in at more than €1,000.
Moreover, most of the marks were based in Germany.
"Although the way this attack was carried out is not yet entirely clear, it is extremely important to add two-factor authentication to your PayPal account if you have not already," said Jake Moore, a cyber security specialist at ESET.
"Attackers are able to rifle through accounts when they hack in, especially when users have a password linked to PayPal that they may use somewhere else. It is also worth double checking which third party accounts are linked, as this may be another entry point for cyber criminals," he added.
Meanwhile, German security researcher Markus Fenske suggested on Twitter that the security issue appears to be similar to a bug that was reported to PayPal in February 2019. However, the company appears to have ignored the vulnerability.
Reported a critical issue to PayPal ONE YEAR AGO.— iblue (@iblueconnection) February 24, 2020
"Not an issue. Please self-close". Lots of discussion. Finally got a bounty. Asked several times if its fixed. No response. Gave up.
Found that it's actively exploited by now. Sorry PP, you suck.https://t.co/48IVszRqlb
Fenske said that the bug was discovered by him and fellow security researcher Andreas Mayer.
Fenske believes hackers likely discovered a way to get details of the virtual cards that PayPal generates when a Google Pay account is linked to a PayPal account. PayPal assigns each card with a card number, expiration date, and CVC.
Hackers likely used card details of multiple users to carry out illegal transactions,
According to Fenske, a hacker could get a virtual card's details by either guessing it, through malware, or by reading the details from a user's phone/screen.
PayPal said today that an 'exploitation point' that had enabled hackers to execute unauthorised transactions from PayPal had now been fixed.
This is, however, not the first instance of security issues being reported in PayPal platform.
In 2018, ESET researchers uncovered a new Android Trojan that targeted the official PayPal app and was capable of bypassing PayPal's two-factor authentication.
Last week, CyberNews reported that its researchers were punished by PayPal after discovering and reporting six vulnerabilities in PayPal platform. According to CyberNews, the vulnerabilities discovered ranged from dangerous exploits for bypassing two-factor authentication to sending malicious code through PayPal's SmartChat system.
UK plays host to 149 unpatched Pulse Secure VPN servers vulnerable to flaw favoured by Iranian state-backed hackers
Facebook had blocked the account last year after suing NSO Group in a US court
New charges against Huawei and four of its subsidiaries come as US authorities consider ratcheting up export controls on the Chinese networking hardware giant
Emotet sextortion campaigns are netting much more money than similar Necurs campaigns, researchers find
Emotet operators are targeting victims through their work email rather than webmail accounts
All accused currently live in China, and none of them is in custody