PayPal sinks CSS phishing scam

PayPal has fixed a vulnerability which allowed cyber-criminals to use the company's official website as a platform to steal user information.

The cross-site scripting vulnerability on paypal.com came to light last week. Internet monitoring firm NetCraft noted that the security flaw could be exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users.

NetCraft said that the scam tricks users into accessing a URL hosted on the genuine PayPal website. The scammers even supplied SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate.

However, the scammers managed to inject a message into the genuine PayPal site which reads: 'Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center.'

The victim is then taken to an external server, hosted in Korea, which presents a fake PayPal member log-in page.

Users are prompted to enter social security numbers, credit card details and even Pin codes for bank cards.

PayPal has now fixed the code on its site to address this flaw.

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!