I want to tell you about a real case of PayPal account fraud.
The case happened to one of my friends, who lost several hundred euros as a result. Repeated appeals to the support service and to PayPal's dispute resolution commission led nowhere: the money was not returned, and the vulnerability persists.
The situation was as follows: my friend Vladimir transferred 560 euros as a prepayment for rental housing to a certain Dmitry (with whom he had previously done business).
A few days later the reservation was cancelled and Dmitry transferred this amount back to Vladimir.
It should be noted that Dmitry returned the money to Vladimir by a plain transfer, i.e. without linking this action to the original transaction. PayPal also has a separate operation called a “refund”. The refund was most likely designed for online stores that ship goods by mail, so that the buyer can get their money back if the goods are not delivered within a month. This operation must take place with the permission (confirmation) of the seller, i.e. the person who received the money, at the request of the buyer (sender).
So, here is what happened. After nearly a month, Vladimir received an email with the following content:
Email subject: “Hacking your PayPal account”
Text (slightly modified):
Good day, my name is Maxim. I got access to your PayPal account info@*******.ru, which currently contains 5896 EUR. As evidence, a payment with ID ********94J********mail.ru in the amount of 560 EUR was returned. Changing the password does not help. I could withdraw all your money, but I will not do this; I can offer you a deal: for half the amount on this account, I will tell you how to prevent this.

At the same time, a refund transaction tied to Dmitry's return of 560 EUR appeared in the list of transactions, and Vladimir's balance decreased by this amount. Vladimir, of course, did not confirm this operation and did not receive any email notification, which is always sent for any transaction during normal use of the account.
Vladimir immediately contacted PayPal support, which for such cases has a topic “Report fraud or prohibited use”; he also wrote to Dmitry.
Dmitry did not receive this money in his account. PayPal started its standard procedure for such cases: blocking the account and re-verifying identity. I will say right away that the proceedings led to nothing; the money was not returned, but nothing more was lost either.
PayPal apparently does nothing at all in such cases and checks nothing, although there is an obvious hole in the system in plain sight: an unauthorized transaction.
I was asked to assess this situation, because at one time I was involved in integrating payment systems for Vladimir's website.
Judging by the letter of the hacker who moved the money, he did not have real access to Vladimir's account; otherwise he would simply have withdrawn all the money silently. Nevertheless, he was somehow able to find out Vladimir's account balance and issue a refund of Dmitry's transaction. Since Vladimir did not confirm the transaction and did not receive any notifications, the operation was carried out through some kind of vulnerability in the refund transaction, on the last day of the monthly period after the original operation. Most likely, the hacker obtained some information about Dmitry's operations and was able to use it by means of the existing vulnerability. Since Dmitry did not receive any money either, it went to an unknown account or remained frozen somewhere in the depths of the system.
I wrote a detailed letter in English to PayPal support, in which I explained the situation in detail and attached the hacker's letter and its translation (at their request). Obviously, security specialists could have traced the fraudulent transaction, where the money went, and so on. But that would have been an admission of a flaw in their system.
The answer was brief: we did not find sufficient evidence of fraud.
The conclusion for all PayPal users from this story: if possible, monitor the status of all incoming payments, and try to withdraw them from the system immediately or move them to buffer accounts. In disputed situations, do not rely on help from the system's administration; it is easier for them to do nothing at all (see the eBay account leak as an example), and in general it is better to stay away from PayPal.
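One way to act on the advice to monitor incoming payments is to reconcile the account's transaction list against the refunds the holder actually confirmed, and flag any refund of received money that has no confirmation, no notification, or sits at the very end of the monthly refund window. The Python below is an added example for this article, not code from the original post and not PayPal's API; the ledger entries, ids, dates and the `notified` flag are constructed to mirror the story (Dmitry's 560 EUR return reversed on day 29 of a 30-day window).

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str                  # "payment_in", "payment_out" or "refund"
    amount_eur: float
    when: date
    ref: Optional[str] = None  # for refunds: id of the payment being reversed
    notified: bool = True      # did the holder get the usual e-mail for this entry?


# Constructed sample ledger (hypothetical ids and dates, not real PayPal data).
SAMPLE_LEDGER: List[Txn] = [
    Txn("V-PREPAY", "payment_out", 560.0, date(2019, 3, 1)),           # Vladimir -> Dmitry
    Txn("D-RETURN", "payment_in", 560.0, date(2019, 3, 5)),            # Dmitry -> Vladimir, plain transfer
    Txn("C-ORDER", "payment_in", 40.0, date(2019, 3, 8)),              # a customer's order
    Txn("R-LEGIT", "refund", 40.0, date(2019, 3, 10), ref="C-ORDER"),  # Vladimir refunds the customer
    Txn("R-FRAUD", "refund", 560.0, date(2019, 4, 3), ref="D-RETURN", notified=False),
]
# Refunds the account holder actually confirmed (constructed).
CONFIRMED_REFUNDS: Set[str] = {"R-LEGIT"}


def find_suspicious_refunds(ledger: List[Txn], confirmed: Set[str],
                            window_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Return (refund id, reasons) for every refund of received money that
    the account holder should not have expected to see."""
    by_id = {t.txn_id: t for t in ledger}
    findings: List[Tuple[str, List[str]]] = []
    for t in ledger:
        if t.kind != "refund":
            continue
        original = by_id.get(t.ref) if t.ref else None
        if original is None:
            findings.append((t.txn_id, ["refund references a transaction not in the ledger"]))
            continue
        if original.kind != "payment_in":
            continue  # only refunds of money we received need our own confirmation
        reasons: List[str] = []
        if t.txn_id not in confirmed:
            reasons.append("refund not confirmed by the account holder")
        if not t.notified:
            reasons.append("no e-mail notification for this transaction")
        if t.amount_eur > original.amount_eur:
            reasons.append("refund exceeds the original payment")
        # Refund issued right before the monthly window closes, as in the story.
        days_left = window_days - (t.when - original.when).days
        if 0 <= days_left <= 2:
            reasons.append(f"issued {days_left} day(s) before the {window_days}-day window closes")
        if reasons:
            findings.append((t.txn_id, reasons))
    return findings


if __name__ == "__main__":
    for txn_id, reasons in find_suspicious_refunds(SAMPLE_LEDGER, CONFIRMED_REFUNDS):
        print(txn_id)
        for r in reasons:
            print("  -", r)
```

Run against the constructed ledger, only R-FRAUD is reported, with all three reasons; the legitimate 40 EUR refund passes because it was confirmed, notified and issued early in the window. In practice the `confirmed` set would be fed from the holder's own records of refunds they approved, so that a refund the system records without them is caught on the next reconciliation rather than a month later.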
I will add screenshots of letters:


