-Beta News
A security flaw within the PayPal Web site is posing a serious threat to its users, security firm Netcraft said Friday. The credit card numbers and personal information of those duped by attackers are at risk through a cross-site scripting attack.
A fraudster tricks the user into divulging information by asking them to visit an actual PayPal URL. Since this is hosted by the company, it would appear as if information is encrypted through the company's own SSL certificates. However, through cross-site scripting, some of the information on the accessed page has been modified.
The faked page claims that the user's account has been disabled due to "third-party access," much like the current PayPal scams. But this one is very different, as the page that says this appears to be an actual PayPal page.
"The paypal.com domain name and SSL certificate he saw previously are likely to make him realize he has visited the genuine PayPal web site - why would he expect PayPal to redirect him to a fraudulent web site?" Netcraft's Paul Mutton said.
A user would then disclose their username and password, and be asked to enter further information to verify their identity. According to Netcraft, the page also asks for a social security number, credit card number, expiration date, card verification number and ATM PIN.
This makes me mad. I use PayPal so I am glad I heard about this. It seems like everything can be hacked these days. I should just stop doing things like that online. This problem really needs to be taken care of somehow. People trust that their information will be safe with these sites.
How are people accessing the fraudulent site? Do they open a link in an email or what?
It is called cross scripting.
Well, I just bought some stuff off of eBay and half.com so I hope it was the real thing. I buy so much stuff online it's ridiculous. I'm too lazy to go to an actual store...
Well, if this was not the most stupid blog I have ever read. You should be ashamed and sued for the incorrect information that you have posted. PayPal does not host these sites. Why would PayPal want to defraud its 110 MILLION users, with such a lame 'trick'? Many hackers out there will send out spoof emails, also referred to as phishing emails in an attempt that some poor Shmoe is going to actually click on the fake-link (many times also downloading spyware on the person’s computer). Sure it looks like PayPal; because that is what the hackers want it to look like. Would someone really enter in their personal information on a site that does not look authentic? PayPal does not ‘cross-script’ websites to dupe their customers. What is the profit or benefit in that? If a fraudulent transaction occurs, the original funding source (i.e., the poor guy’s bank or credit card institution that was stolen by the hacker) gets the money back. PayPal does not keep these stolen funds. You should really contact your financial institution and get your facts straight when it comes to stolen account information or identity theft. Or better yet, contact PayPal if you think you received a ‘spoof’ email. The best thing to do is not to click on any link that is in an email. Go to the website directly and determine if the fake email was legit (i.e., have you really sent the transaction, or did you really add a credit card, email, address, alternate user, or whatever else the fake email is saying you did?). If you were unfortunate to actually fall victim to a spoofer’s email and entered in specific information, you should contact your financial institution immediately and report that information as stolen. When you answer or enter this information into a fake website, it is like spray painting your account information on a billboard on a major highway. Get your facts straight before you put the public in terror, you terrorist.
EXCUSE ME BUT I GOT THIS ARTICLE FROM BETANEWS.COM
It's not my fault if it's wrong, jerk.
Wow! You must believe everything you read on the internet is true then. I once read that the Easter Bunny was really a devil worshipper, but did I believe that? Umm. NO! Because I use logic and common sense before I believe everything I read. It is saps like you that spread gossip and ruin the trust and goodwill that good companies which provide a valuable service have worked so hard to fight. You are the jerk for reposting something you know nothing about (and obviously did no research on to determine if it was true). Don’t you think that is your fault? IT IS! The media makes mistakes. I bet you can remember when living miners were found, and then the media realized it made a mistake and only one was alive. I understand that your ignorance seems to be what leads you around in life. I hope that some day you do realize to evaluate the facts before you commit libel again. Even if someone else posted it, by posting it yourself (as if you were some expert) still makes you guilty. Keep in mind that big company lawyers can subpoena a website and determine who posts what. So before you go painting the town with your nonsense again, you might want to hire an attorney.
Then they can yell at the site I got it from. It was a news site so I have no reason to think it would be lying. If I hear from a news site that it was a lie, then I will post it.