Facebook & PayPal loopholes let anybody hack your PayPal account. Find out how

Every week there are multiple reports of security threats that could affect social media users, mainly Facebook. This time, information security awareness experts from CyberNews revealed an active scam that abuses some security flaws on PayPal and Facebook.

Exploiting these flaws, threat actors are stealing an average of $1.5 million a month. To do this, they just need to convince Facebook users to send to hacker-controlled addresses.  

According to information security awareness experts, the attack can be divided into four different stages:

  • A hacker logs into a Facebook or Messenger account and starts sending messages to the real account owner’s friends to ask for help with a problem in their PayPal account, or to offer the sale of a product. Hackers use phishing to get the user’s login credentials
  • The cybercriminal asks the victim’s friends if they could receive money in their PayPal accounts and forward the same amount to the bank account operated by the hackers
  • When the friend receives the money in their PayPal account, they send it by bank transfer to the hacker’s account
  • Threat actors use the PayPal chargeback feature, which reverts the money sent to the friend in the first place, and the friend loses that money

The attacks appear to originate in various parts of the US, Russia and the United Kingdom, and the main targets are British Facebook users.

Information security awareness experts contacted some informants in the malicious hacking community, who revealed that the cybercriminals behind this campaign employ some simple security gaps present on PayPal, Facebook and even in some banks.

Recently, CyberNews also revealed the finding of six critical vulnerabilities in the PayPal payment system that could be exploited by malicious hackers to easily access users’ accounts; So far, PayPal has not yet corrected all reported bugs.

In this regard, a representative of the payment system mentioned: “Security risks are a very serious matter for us; we employ advanced risk and fraud management tools to protect our customers and their payments”.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the Website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.