Cross site scripting vulnerability in PayPal results in identity theft
Acunetix WVS protects sensitive personal data and prevents financial losses due to XSS attacks
London, UK – 20 June, 2006 – An unknown number of PayPal users have been tricked into giving away social security numbers, credit card details and other highly sensitive personal information. Hackers deceived their victims by injecting and running malicious code on the genuine PayPal website by using a technique called Cross Site Scripting (XXS).
The hackers contacted target users via email and conned them into accessing a particular URL hosted on the legitimate PayPal website. Via a cross site scripting attack, hackers ran code which presented these users with an officially sounding message stating, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to a Resolution Center." Victims were then redirected to a trap site located in South Korea.
Once in this “phishing website”, unsuspecting victims provided their PayPal login information and subsequently, very sensitive data including their social security number, ATM PIN, and credit card details (number, verification details, and expiry date).
The Acunetix Web Vulnerability Scanner automatically audits web applications and checks whether these applications are secure from exploitable vulnerabilities to such hack attacks as cross site scripting. An automated check of PayPal’s website (using Acunetix WVS) could have prevented this attack and saved the company from denting its reputation and the subsequent loss of customer trust. Although PayPal has now fixed the flaw, the company has not, to date, revealed information on how many people may have fallen victim to the scam and on any financial losses resulting from the attack.
Acunetix provides free audit to help companies determine the security of their websites
Enterprises who would like to have their website security checked can register for a free audit by visiting http://www.acunetix.com/security-audit. Participating enterprises will receive a summary audit report showing whether their website is secure or not. Summary reports will be delivered within five business days of submission.
About Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.
About Acunetix
Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of development by a team of highly experienced security developers. Acunetix is a privately held company with headquarters based in Europe (Malta), a US office in Seattle, Washington and an office in London, UK. For more information about Acunetix, visit: http://www.acunetix.com.
All product and company names herein may be trademarks of their respective owners.
For more information:
Please visit http://www.acunetix.com.
London, UK – 20 June, 2006 – An unknown number of PayPal users have been tricked into giving away social security numbers, credit card details and other highly sensitive personal information. Hackers deceived their victims by injecting and running malicious code on the genuine PayPal website by using a technique called Cross Site Scripting (XXS).
The hackers contacted target users via email and conned them into accessing a particular URL hosted on the legitimate PayPal website. Via a cross site scripting attack, hackers ran code which presented these users with an officially sounding message stating, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to a Resolution Center." Victims were then redirected to a trap site located in South Korea.
Once in this “phishing website”, unsuspecting victims provided their PayPal login information and subsequently, very sensitive data including their social security number, ATM PIN, and credit card details (number, verification details, and expiry date).
The Acunetix Web Vulnerability Scanner automatically audits web applications and checks whether these applications are secure from exploitable vulnerabilities to such hack attacks as cross site scripting. An automated check of PayPal’s website (using Acunetix WVS) could have prevented this attack and saved the company from denting its reputation and the subsequent loss of customer trust. Although PayPal has now fixed the flaw, the company has not, to date, revealed information on how many people may have fallen victim to the scam and on any financial losses resulting from the attack.
Acunetix provides free audit to help companies determine the security of their websites
Enterprises who would like to have their website security checked can register for a free audit by visiting http://www.acunetix.com/security-audit. Participating enterprises will receive a summary audit report showing whether their website is secure or not. Summary reports will be delivered within five business days of submission.
About Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist.
About Acunetix
Acunetix was founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of development by a team of highly experienced security developers. Acunetix is a privately held company with headquarters based in Europe (Malta), a US office in Seattle, Washington and an office in London, UK. For more information about Acunetix, visit: http://www.acunetix.com.
All product and company names herein may be trademarks of their respective owners.
For more information:
Please visit http://www.acunetix.com.