PayPal accounts abused en-masse for unauthorized payments

All signs point to an attack exploiting PayPal's Google Pay integration.

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Read More

On February 25, 07:30am ET, PayPal told ZDNet that they have addressed the issue being exploited over the weekend. Original article below.

Hackers have found a bug in PayPal's Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts.

Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account.

Issues have been reported on numerous platforms, such as PayPal's forums [1, 2, 3, 4, 5, 6, 7], Reddit [1, 2], Twitter, [1, 2], and Google Pay's Russian and German support forums [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].

Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York.

Most of the victims appear to be German users.

Estimated damages are in the range of tens of thousands of euros, based on public reports, and some of the unauthorized transactions go well over the €1,000 mark.

What bug hackers are exploiting is not yet clear. PayPal told ZDNet they are investigating the issue. A Google spokesperson did not return a request for comment before this article's publication.

A German security researcher has a theory

Today, on Twitter, a German security researcher named Markus Fenske said the illegal transactions that have been reported over the weekend appear to be similar to a bug he and fellow security researcher Andreas Mayer reported to PayPal in February 2019, but which PayPal did not prioritize to fix.

Fenske told ZDNet that the bug he found stems from the fact that when you link a PayPal account to a Google Pay account, PayPal creates a virtual card, complete with its own card number, expiration date, and CVC.

When a Google Pay user choose to make a contactless payment using funds from his PayPal account, the transaction is charged via this virtual card.

"If the virtual card was locked to POS transactions only, there would be no issue, but PayPal allows this virtual card to be used for online transactions," Fenske told ZDNet today in an interview.

Fenske now believes hackers found a way to discover the details of these "virtual cards" and are using the card details for unauthorized transactions at US stores.

The researcher said there could be three ways in which an attacker could get a virtual card's details. First, by reading the card details from a user's phone/screen. Second, programmatically, by using malware that infected a user's device. Third, by guessing it.

"It could be possible that the attacker just brute-forced the card number and the validity date, which is in a span of about a year or so," Fenske said. " That makes a rather small search space."

"The CVC does not matter," he added. "Any is accepted."

PayPal is investigating

However, Fenske was the first one to admit to ZDNet that he and Mayer are just guessing about the real cause of the attack -- even if the details perfectly fit with the bug they reported last year.

On the other hand, PayPal's security team began an investigation into the unauthorized transactions as soon as ZDNet reached out a few hours ago.

The PayPal staff is looking at different issues -- including the attack scenario described by Fenske today, and his February 2019 bug report.

"The security of customer accounts is a top priority for the company," a PayPal spokesperson told ZDNet. "We are reviewing and assessing this information and will take any appropriate actions that are deemed necessary to further protect our customers. "

h/t: Günter Born