Media outlets noticed that at the end of last week, users from all over the world began to complain en masse about unauthorized payments made through their PayPal accounts. Reports of such problems can be found on the official PayPal forums (1, 2, 3, 4, 5, 6, 7), on Reddit (1, 2), on Twitter (1, 2), and on the Google Pay support pages in Russian and German (1, 2, 3, 4, 5, 6, 7, 8, 9, 10).
The incidents described by the victims are very similar: the attackers use Google Pay to buy various goods and pay with the linked PayPal accounts. Judging by screenshots and other evidence, most of these illegal transactions go through American stores (most often the Target chain).
Most of the victims of these attacks are in Germany. Based on open sources, the damage to users can already be estimated at tens of thousands of euros: the hackers usually start with test payments of 0.01 to 4 euros, then move on in earnest, and some transactions eventually exceed 1000 euros.
At the same time, exactly what problem the attackers are exploiting remains unclear.
German security expert Markus Fenske suggested on Twitter that the hackers are exploiting a bug that he and researcher Andreas Mayer warned PayPal about a year ago. When a PayPal account is linked to Google Pay, PayPal creates a virtual card for it with its own number, expiration date and CVC code. When a Google Pay user makes a contactless payment with the PayPal account, the funds are charged to this virtual card.
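The "small test payment, then a large charge" sequence described above is something a payment provider or a bank can screen for on its own transaction stream. The following is an added example, not code from the article or from PayPal or Google: it scans constructed sample transactions and flags accounts where probe-sized payments (0.01 to 4 euros, as reported) are followed within a short window by a large payment. The thresholds, the 48-hour window and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    account: str
    amount_eur: float
    merchant: str
    ts: datetime

# Thresholds modelled on the pattern reported in the article (assumed values).
PROBE_MAX_EUR = 4.00        # "test payments" of 0.01 to 4 euros
LARGE_MIN_EUR = 500.00      # a follow-up charge large enough to matter
WINDOW = timedelta(hours=48)  # how long after a probe a large charge still counts

def flag_probe_then_drain(txns):
    """Return the set of accounts where one or more probe-sized payments are
    followed, within WINDOW, by a large payment. Hits are candidates for
    manual review or a step-up check, not fraud verdicts."""
    by_acct = {}
    for t in sorted(txns, key=lambda t: t.ts):      # oldest first
        by_acct.setdefault(t.account, []).append(t)
    flagged = set()
    for acct, hist in by_acct.items():
        for i, t in enumerate(hist):
            if t.amount_eur < LARGE_MIN_EUR:
                continue
            # any probe-sized payment shortly *before* this large charge?
            probes = [p for p in hist[:i]
                      if p.amount_eur <= PROBE_MAX_EUR and t.ts - p.ts <= WINDOW]
            if probes:
                flagged.add(acct)
                break
    return flagged

# Constructed sample data: acct-A shows the probe-then-drain pattern,
# acct-B is ordinary spending, acct-C has a large charge with no prior probe.
SAMPLE = [
    Txn("acct-A", 0.01, "target.com", datetime(2020, 2, 21, 10, 0)),
    Txn("acct-A", 2.50, "target.com", datetime(2020, 2, 21, 10, 5)),
    Txn("acct-A", 1049.00, "target.com", datetime(2020, 2, 22, 9, 30)),
    Txn("acct-B", 3.00, "coffee-shop", datetime(2020, 2, 21, 8, 0)),
    Txn("acct-B", 12.00, "grocery", datetime(2020, 2, 22, 8, 0)),
    Txn("acct-C", 899.00, "electronics", datetime(2020, 2, 20, 12, 0)),
    Txn("acct-C", 0.50, "electronics", datetime(2020, 2, 23, 12, 0)),
]

if __name__ == "__main__":
    print(sorted(flag_probe_then_drain(SAMPLE)))  # ['acct-A']
```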
Reported a critical issue to PayPal ONE YEAR AGO.
"Not an issue. Please self-close." Lots of discussion. Finally got a bounty. Asked several times if it's fixed. No response. Gave up.
Found that it's actively exploited by now. Sorry PP, you suck. https://t.co/48IVszRqlb
– iblue (@iblueconnection) February 24, 2020
Fenske explains that such cards are not limited to PoS transactions and can also be used to pay online. Apparently, the attackers found a way to obtain the data of these virtual cards and now use them for unauthorized transactions. According to the expert, ordinary brute-force enumeration would probably be enough for this. But there are other options:
“PayPal allows contactless payments through Google Pay. If you have configured them, you can read the virtual credit card information from your phone if the mobile device is turned on. No authentication. That is, any person near your phone has a virtual credit card that withdraws money from your PayPal account. And there are no restrictions on the amount or eligibility of payments,” says Fenske.
Representatives of PayPal have not yet made official comments and only assure that an investigation is already underway.
In turn, affected users in Facebook groups dedicated to the attacks report that PayPal has already begun to reimburse some of them and to cancel the fraudulent payments.