9 July 2006

PayPal fixes phishing hole

PayPal has fixed a flaw in its Web site to block a sophisticated scam designed to obtain sensitive data from members, CNET reports.

By exploiting the flaw, attackers were able to redirect people from a PayPal Web page to an online trap located in South Korea. The page actually has a real PayPal URL, but hosts malicious code that presents a message warning members that their account has been compromised. It then redirects them to a phishing Web site.

At the malicious, information-thieving Web site, people are asked for their PayPal login information. Subsequently, they are urged to enter their Social Security number and credit card details.

"As soon as we became aware of this scheme, we changed some of the code on the PayPal Web site. So this scheme, or any scheme like it, can no longer be effective," a PayPal spokesperson said.

PayPal is working with the Internet service provider that hosts the malicious site to get it shut down. The company has no information on how many people may have fallen victim to the scam.
