Security News

Many companies have no mechanism to deal with a common problem: when users open accounts using someone else's email address, either by accident or design. The problem is not only that email addresses are easily spoofed - mitigated by mechanisms like SPF and DKIM - but that they also lack any robust process by which organisations collect email details.

Just in time for a busy online holiday shopping season, the Magecart gang has come up with a new credit-card skimming technique for hijacking PayPal transactions during checkout. Magecart is an umbrella term encompassing several different threat groups who all use the same attack method: They compromise e-commerce websites to inject card-skimming scripts on checkout pages, stealing unsuspecting customers' payment card details and other information entered into the fields on the page.

A newly discovered credit card skimmer uses an innovative technique to inject highly convincing PayPal iframes and hijack the checkout process on compromised online stores. The skimmer will capture all order form data entered by the victims and will exfiltrate it to the attackers' servers.

Verizon Media tops the list with $9.4 million paid out since it started its program in 2014, with its top bounty coming in at $70,000. That said, PayPal follows as a distant second with Verizon Media in terms of bounty volume.

HackerOne on Monday released a list of the companies that have paid out the most money through their bug bounty programs. According to HackerOne, Verizon has paid out more than $9.4 million since the launch of its program in February 2014, with a top bounty of $70,000 and an average first response time of 8 hours.

An Android mobile malware has been uncovered that steals payment data from users of popular financial apps like PayPal, Barclays, CapitalOne and more. EventBot is not currently on the Google Play app marketplace, but researchers said the malware is nonetheless masquerading as legitimate applications.

San Francisco, Calif-based Arkose Labs has raised $22 million in a Series B funding round led by the Microsoft venture fund, M12. Existing investors PayPal and USVP participated, bringing the total raised so far to $36.5 million. Arkose Labs provides a fraud detection and prevention platform.

PayPal came in first of the 25 most impersonated brands in phishing attacks for the fourth quarter of 2019, according to a report released Tuesday by Vade Secure. Though PayPal-impersonated phishing attacks fell by 31% compared with the third quarter, the volume of such attacks rose by 23% from the last quarter of 2018.

A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data - even going so far as to ask for social security numbers and uploaded photos of their passports. Some parts of the phishing email make strange use of exclamation points - For instance, the top of the email says "PayPal Notifications Center !" and the phishing link button reads, "Secure and update my account now !".

Crooks almost certainly can't get hold of a server name that ends with, say, paypal DOT com, but can create any number of subdomains that start with paypal DOT and end with some unrelated domain. The suspicious-looking right-hand end of a full domain name often ends up invisible on a mobile phone because it won't fit in the address bar.