According to Internet-monitoring company Netcraft, a security flaw on PayPal’s site allowed hackers to steal credit card information from PayPal users.
The vulnerability, first publicly announced on Friday, involved what is known as a cross-site scripting (XSS) attack. Those targeted by the attack received an e-mail, purporting to be from PayPal, that directed them to a specially crafted URL on PayPal’s own servers, so the link itself pointed at PayPal’s genuine domain.
At that page, they encountered an official-sounding notice. “Your account is currently disabled,” it reportedly read, “because we think it has been accessed by a third party. You will now be redirected to the Resolution Center.”
Users were then taken to a non-PayPal server in South Korea hosting a fake log-in page designed to capture private information, including credit card and Social Security numbers. That site also asked users to remove any limits on withdrawals from their accounts.
PayPal said that it has fixed the flaw and has gotten the Korean server shut down. PayPal also said that it was not clear how many people — if any at all — had been duped.
“It’s pretty awful, actually,” said Gartner analyst Avivah Litan. “There’s not much consumers can do except monitor their account and watch for visual cues, or download something like the eBay toolbar which warns you about [phishing] sites.”
Litan noted that new Web browsers, when they are released, might be able to offer some protection against scams like this. “The next versions of the Internet Explorer and Mozilla browsers have site ID built in,” she said. “If a site is on a black list, the browser is bordered in red. If it’s on a white list, the border is green, and if it’s on neither, the border is yellow.”
PayPal, a popular service for making and receiving online financial transactions, was purchased in 2002 by auction site eBay for a reported $1.5 billion.
It has been a frequent target for phishing scams designed to lure victims with authentic-looking e-mails, often directing users to fake pages where they are enticed to enter their confidential information.
PayPal does warn its users to enter their user names and passwords only on PayPal pages whose address begins with https://www.paypal.com/, and says that its users should never log in to PayPal from a link in an e-mail. In this case the first rule would not have helped on its own: the link in the e-mail pointed to a genuine address on PayPal’s servers, and the hand-off to the Korean site happened only after that page had loaded. The second rule is the one that would have stopped the attack.
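To make concrete how an attack of the shape described above works, and why the "check that the address begins with the trusted prefix" advice is not enough by itself, here is an added example in Node.js. It is not PayPal's code and is not from the article; it models a generic reflected cross-site scripting flaw. The host www.example.com, the path /notice, the query parameter msg and the lookalike destination resolution.example.invalid are all assumed for illustration, and the payload is constructed here.

```javascript
// Added example (not PayPal's code, not from the article): a page on a
// trusted host echoes a query parameter into its HTML without encoding,
// so a link to the trusted host can carry script that rewrites the page
// and then sends the browser elsewhere. Host, path, parameter name and
// the phishing destination are all assumed for illustration.

const TRUSTED_PREFIX = 'https://www.example.com/';

// Vulnerable handler: untrusted input is concatenated straight into markup.
function renderVulnerable(query) {
  const msg = query.get('msg') || '';
  return '<html><body><h1>Account notice</h1><p>' + msg + '</p></body></html>';
}

// Encode the five characters that matter inside an HTML element body or a
// quoted attribute, so user data is displayed as text, not parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same page, output encoded at the point of insertion.
function renderHardened(query) {
  const msg = query.get('msg') || '';
  return '<html><body><h1>Account notice</h1><p>' + escapeHtml(msg) + '</p></body></html>';
}

// Constructed attacker payload (hypothetical): replace the page body with a
// convincing notice, then redirect to the phishing host after a short delay.
const PAYLOAD =
  '<script>' +
  'document.body.innerHTML="<p>Your account is currently disabled. ' +
  'You will now be redirected to the Resolution Center.</p>";' +
  'setTimeout(function(){location.href="https://resolution.example.invalid/login"},2000);' +
  '</script>';

// The link that would be mailed out: genuine host, poisoned query string.
const CRAFTED_LINK = TRUSTED_PREFIX + 'notice?msg=' + encodeURIComponent(PAYLOAD);

// The "does the address start with the trusted prefix" check from the
// article's advice. It is correct as far as it goes, and it passes here.
function startsWithTrustedPrefix(link) {
  return link.startsWith(TRUSTED_PREFIX);
}

// Crude detector used only to compare the two renderings: does the
// generated page contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Run the crafted link through both handlers and report what happened.
function demo(link = CRAFTED_LINK) {
  const query = new URL(link).searchParams;
  return {
    prefixCheckPasses: startsWithTrustedPrefix(link),
    vulnerableExecutesPayload: containsScriptTag(renderVulnerable(query)),
    hardenedExecutesPayload: containsScriptTag(renderHardened(query)),
  };
}

console.log(JSON.stringify(demo()));
```

The point of the comparison: the hostname and prefix check passes for the crafted link in both cases, because the flaw lives on the trusted host. Only the hardened handler, which entity-encodes the parameter where it is inserted into the page, keeps the script from running; the redirect to the phishing site never happens because the browser sees `&lt;script&gt;` as text.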