Fraudsters are exploiting a bug in the PayPal online payments website to steal users credit card and personal details, security experts have warned.
Internet services firm Netcraft warned that the phishing scam worked by luring users to a web page hosted on the official PayPal website. The URL uses encryption and presents a security certificate confirming that the site belongs to PayPal. But the page content has been modified by fraudsters, Netcraft said.
Victims read a message “injected” onto the PayPal site, saying, “Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center.”
The user is then redirected to a fake PayPal log-in page hosted on an external server, based in Korea.
Logging into the fake site transmits the victim’s PayPal username and password to the
fraudsters. A further webpage then requests details including social security number, credit card
number, expiration date, card verification number and cash card Pin.
PayPal has been repeatedly targeted by phishers trying to steal account holders’ log-in and financial details, and parent company eBay has made a series of requests to internet service providers to shut down servers hosting PayPal scams.