Media outlets noticed that at the end of last week, users from all over the world began to complain en masse about unauthorized payments made through their PayPal accounts. Information security researchers believe the PayPal accounts are being attacked through their integration with Google Pay.
Messages about such problems can be found on the official PayPal forums, on Reddit and Twitter, and on the Google Pay support pages in German and Ukrainian. “Money was illegally withdrawn from my bank account, I didn’t pay for anything. Return the money! I wrote to the bank’s support, they said to request the money back,” writes, for example, a user with the nickname PARANORMAN, who lost money on purchases in a Ukrainian store.
The incidents described by the victims are very similar: the attackers use Google Pay to buy various goods and pay with the linked PayPal accounts. Judging by the screenshots and other evidence, most of these illegal transactions are carried out through American stores (most often the Target chain).
The majority of the victims of these attacks are Germans. Based on open sources, it can be assumed that the damage already amounts to tens of thousands of euros: the attackers usually start with test payments of 0.01 to 4 euros and then move on to larger charges, some of which eventually exceed 1000 euros.
At the same time, it is still unclear exactly what flaw the attackers are exploiting.
German security expert Markus Fenske suggests on Twitter that the hackers are using a bug that researcher Andreas Mayer warned PayPal about a year ago. The issue is that when a PayPal account is linked to a Google Pay account, PayPal creates a virtual card for it with its own number, expiration date and CVC code. When a Google Pay user makes a contactless payment using the PayPal account, the funds are withdrawn from this virtual card.
Fenske explains that such cards are not limited solely to PoS transactions and can be used to pay online. Apparently, the attackers found a way to obtain data from these virtual cards, and now use them for unauthorized transactions.
According to the expert, plain brute force would probably be enough for this. But there are other options:
“PayPal allows contactless payments through Google Pay. If you have configured it, you can read the virtual credit card information from your phone if the mobile device is turned on. No authentication. That is, anyone near your phone has a virtual credit card that withdraws money from your PayPal account. And there are no restrictions on the amount or eligibility of payments,” says Fenske.
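The fraud pattern described above, micro-charges of 0.01 to 4 euros on a virtual card followed by charges over 1000 euros, is something a payment processor's own transaction monitoring can flag. The following is an added example, not code from the article or from PayPal: it runs a simple card-testing detection over a constructed transaction log; the log format, field names and thresholds are assumptions.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample transaction log (not real data). Fields:
# timestamp, virtual-card token, merchant, amount in EUR
SAMPLE_LOG = """\
2020-02-21T10:01:05Z vcard-7f3a TARGET 0.01
2020-02-21T10:02:40Z vcard-7f3a TARGET 2.50
2020-02-21T11:15:00Z vcard-7f3a TARGET 1249.99
2020-02-21T12:00:00Z vcard-91c0 BAKERY 3.20
2020-02-21T12:30:00Z vcard-91c0 BAKERY 4.10
2020-02-22T09:00:00Z vcard-22de ELECTRONICS 1500.00
"""

PROBE_MAX = 4.00        # "test payments of 0.01 to 4 euros" (assumed threshold)
LARGE_MIN = 1000.00     # "some transactions exceed 1000 euros" (assumed threshold)
WINDOW = timedelta(hours=24)  # assumed correlation window

def parse_log(text):
    """Parse log lines into (datetime, card, merchant, amount) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, merchant, amount = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       card, merchant, float(amount)))
    return events

def find_card_testing(events):
    """Return {card: [(probe_ts, large_ts, amount), ...]} for cards where a
    micro-charge is followed within WINDOW by a charge above LARGE_MIN."""
    by_card = defaultdict(list)
    for ev in sorted(events):
        by_card[ev[1]].append(ev)
    hits = {}
    for card, evs in by_card.items():
        probes = [e for e in evs if e[3] <= PROBE_MAX]
        for ts, _, _merchant, amount in evs:
            if amount <= LARGE_MIN:
                continue
            earlier = [p for p in probes if ts - WINDOW <= p[0] < ts]
            if earlier:  # first probe in the window is reported as evidence
                hits.setdefault(card, []).append((earlier[0][0], ts, amount))
    return hits

if __name__ == "__main__":
    for card, alerts in find_card_testing(parse_log(SAMPLE_LOG)).items():
        for probe_ts, large_ts, amount in alerts:
            print(f"ALERT {card}: probe at {probe_ts:%H:%M}, "
                  f"{amount:.2f} EUR charge at {large_ts:%H:%M}")
```

Only vcard-7f3a is flagged: vcard-91c0 sees small charges but no large one, and vcard-22de has a large charge with no preceding probe.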
PayPal representatives have not yet commented officially and only assure that an investigation is already underway. I think it is worth recalling that, according to a study by Check Point, PayPal is among the five brands most often impersonated in phishing.
Meanwhile, affected users in a Facebook group dedicated to the attacks report that PayPal has already begun to reimburse some of them and to cancel the fraudulent payments.