Hackers Exploit PayPal and Facebook to Steal Millions Each Month

Cybersecurity analysts at CyberNews have uncovered an ongoing scam using loopholes in PayPal and Facebook.

Fraudsters are stealing roughly $1.6 million per month by convincing Facebook users to voluntarily send money.

CyberNews talked with hackers inside the blackhat hacking community to discover the steps they take to make this complex scheme work.

In simple terms, it works like this:

1. A hacker logs into someone’s Facebook or Messenger account and starts sending messages to the account holder’s friends. (Usually, they claim that they sold something online but are having problems with their PayPal accounts.)

2. The hacker asks these friends if they’d receive money in their PayPal accounts and send the same amount to the hacker’s bank account.

3. When the friend receives the money in their PayPal, they send the money via bank transfer to the hacker’s account.

4. The hacker uses PayPal’s chargeback feature which reverses the money sent to the friend in the first place, and the friend loses out on that money.

Numbers-wise, it would look like this:

1. Hacker sends the target $400 via PayPal. The target now has a $400 surplus.

2. The target sends $400 via bank transfer to the hacker’s bank account. The target now has zero balance (they didn’t lose or gain any money).

3. The hacker does a chargeback, and the money is removed from the target’s PayPal account.

4. The target has now lost $400.

The blackhat hacking community told CyberNews that they use simple loopholes found in Facebook, PayPal, and the banks themselves.

CyberNews previously uncovered six critical vulnerabilities in PayPal’s payment system, which allow for hackers to easily access those accounts, and PayPal still hasn’t fixed some of them.

The scammers are mainly from the US, UK and Russia, and at the moment mainly targeting UK Facebook users.

The UK is targeted specifically because PayPal is the country’s second most popular payment method and it is relatively easy to create a bank drop (when bank accounts are hijacked to transfer stolen money) there.

When CyberNews contacted PayPal, the company responded: “We never lose sight of the fact that we are entrusted to look after people’s money. We take this responsibility very seriously and use advanced fraud and risk management tools to keep our customers and their payments safe.”

They further warned their customers: “Always question uninvited approaches in case it’s a scam, and check directly with the person concerned to verify the request. And never accept or move money on behalf of someone else.”

“Unfortunately, in light of the loopholes or easily-bypassed security measures from Facebook, PayPal and the banks themselves, everyday people will have to be more vigilant in how they behave online,” said Bernard Meyer, Senior Researcher at CyberNews. 

“Because of that, we recommend users get two-factor authentication (2FA) set up on their PayPal and Facebook’s account, and it’s better to use an authenticator app rather than those websites’ default 2FA.”

“When it comes to your online activities, it really is much better to be safe rather than sorry.”

For further details of the discovery and what the loopholes in Facebook, PayPal and UK banks are, go to https://cybernews.com/security/simple-loopholes-in-facebook-paypal-helping-victims-lose-millions/