This site does not support carding, hacking or any Fraudulent activities. This article is for educational purposes only. It aims to educate people on safeguarding their PayPal accounts. Although the fraudulent steps discussed may work in real life, Security Cavern warns you against any fraudulent behavior as it is against the law.
Since the invention of internet based payment systems, thieves have increasingly migrated from street crimes to cyber crimes. It is no longer uncommon to hear that someone hacked a banking system and walked away with millions of dollars or confidential financial and identification information. Hacking financial institutions requires sophisticated skills because of the ever evolving security measures. As with street theft where there are big gangs and petty thieves like pickpockets, cyber theft has both sophisticated hackers and petty thieves who rely on spamming and information from sophisticated hackers to survive. PayPal fraud is done by both sophisticated and petty cyber criminals. This blog aims to educate readers on PayPal fraud and Fraud Prevention techniques.
How PayPal Accounts are obtained
Different cyber criminals use diverse ways to obtain PayPal accounts to steal from. Since PayPal is a very secure platform, it is hard to hack their database and steal user details, therefore, cyber criminals target individual PayPal users rather than the company. Some of the ways fraudsters obtaining PayPal accounts include:
- Spamming user emails.
- Fake look-alike sites.
- Software and Hardware Key Loggers.
- Buying Hacked PayPal Accounts.
Spamming User Email Addresses
Fraudsters use spam emails as baits to lure unsuspecting users into innocently submitting their account details. For example, a fraudster might pose as a PayPal agent and send email requesting the targeted user to verify his or her account. I received this email from a spammer impersonating PayPal.
Dear Valued Customer,
We’re concerned that someone is using your account without your knowledge. Recent activity on your account seems to have occurred from a suspicious location or under circumstances that may be different than usual. We have temporarily disabled your account to protect you from the fraudulent activity. Please click here to confirm your account and remove the temporary hold we have placed.
Please do not reply to this email because we are not monitoring this inbox. To get in touch with us, log in to your account and click “Contact Us” at the bottom of any page.
Copyright © 2017 PayPal. All rights reserved.
If at any point you click the link provided in the spam email, you are redirected to a PayPal look-alike site.
Fake look-alike sites
The PayPal look-alike sites are also baits that capture PayPal login details from a user for the hacker. Whenever you click a spam email link it redirects you the look alike site. The spam email I received redirected to this page but note the URL is http://signin-paypal.com while the real PayPal page login page is https://www.paypal.com/us/signin?country.x=US&locale.x=en_US . Many users will input their login details in such fake sites not knowing they are giving access to fraudsters. Note that PayPal strives hard to shut look-alike fraudulent sites, if you encounter such sites, report to email@example.com.
Software and Hardware Key Loggers
Key logger is a hardware device or a computer program that can capture user a keyboard’s keystroke. Software based key loggers save the pages entered and everything typed by the user. The hardware key logger is connected between the keyboard and the computer’s USB port. Hardware key loggers are hard to detect unlike software key loggers which are often flagged by antivirus and firewall applications in the computer. When you login to PayPal, from a device with key logger, the login information is saved for the hacker or owner of the key logging application or device. They can cost as low as $30 in eBay.
Buying Hacked PayPal Accounts
Some fraudsters use the methods discussed above to get PayPal accounts. Most find it easy to obtain accounts and sell them because cashing out is hard and risky. They sell them in dark net sites. For as low as $5 to $20 for a hacked PayPal account with $100 PayPal balance.
How to Login and Withdraw from a Hacked PayPal
PayPal is very sensitive to changing IP addresses and in most cases when a user logs in from a different location, they are asked to verify their identity. Since identity verification requires the PayPal account’s phone number, hackers try as much as possible not to trigger PayPal’s fraud detection system. The first thing hackers do is hide or spoof the IP address to the same location as the PayPal account owner.
It is almost impossible to login to PayPal from a new IP without triggering their fraud detection system therefor, hackers use the following procedures to successfully login for the first time and subsequently to build cookies and trust:
- First, they clear all cookies and browser history or use a new virtual machine with a clean browser.
- Then they spoof the IP to the nearest location possible.
- To avoid having the account getting flagged, they open a page that redirects to PayPal after login for example https://service.getcontrol.co/oauth/connect/paypal. Note such pages are offered by PayPal and/or its partner sites and may be country specific.
- They enter the login credentials and once logged in, they edit the URL bar without clicking anything on the page. For example, they change https://service.getcontrol.co/oauth/connect/paypal to https://www.paypal.com. PayPal site loads with the account already logged into.
- They will repeat the process for a few days, each time spending sometime in the account. With time cookies build up and after a week, the account lets out the available balance when transferred .
PayPal can charge back the balance as soon as the real account owner reports or fraud detection system is triggered, so hackers tend to convert them to bitcoins as soon as possible because the bitcoin network has no charge-backs.
What could go wrong?
This section will form a basis I use to show users what to do to protect their PayPal accounts. Cyber thieves know that transacting right away is a bad habit and a red flag for hacked accounts. They are patient because, PayPal gets used to the new IP and build up cookies with time. However, sometimes it is impossible to login in to a hacked PayPal from the word go because of the following reasons:
- The account is protected with a two factor authentication (2FA).
- The IP used has been blacklisted or is not a residential IP.
- Cookies in the browser were not cleared and are reflecting a different location.
There are ways to bypass 2FA but since I am writing to educate people against Fraud, it is not worth mentioning them.
Protecting Your PayPal Account
Similar to medicine, prevention is better than cure. It is better and easier to prevent hackers from your account than trying to recover lost funds. Here are some ways to protect your PayPal account.
Enable two factor authentication (2FA)
2FA is an option that requires a user to enter a verification code sent to his/her phone before logging in, editing account information or transacting. To enable 2FA, use the following steps:
- Login to your PayPal account (be sure to ascertain that the login page has the link https://www.paypal.com).
- Once logged in, click the settings icon.
- Then choose the Security Tab and select update in the security key.
- If it is your first time to setup the key, you will get this page where you should click “Get security Key”
- You will be redirected to register your mobile number. In most cases the country code will be in the first small box. Enter your mobile number and click register.
- PayPal will redirect you to a page where you will request for a security key in order to activate or verify the newly entered number. Click “Get Security Key”.
- PayPal will now give you an option to either receive a text or receive a call. If you are unable to receive text, you can use “Try another way” otherwise choose your number form the drop down list and click “Send me the Text.”
- You will receive a text message with a 6-digit pin number, ensure the phone is on since the pin will only be active and functional for 5 minutes. Enter the pin and click continue.
- From this point, you will be redirected back to your account. You have successfully enabled 2FA and you will always be required to enter a 6 digit pin to login or transact.
PayPal does not support 2FA in some countries (US, CA, UK, DE, AT and AU), therefore it is important to learn of other additional steps to keep your account secure. Especially if you are not in the 2FA supported countries.
Know how to spot spam emails
To avoid being a victim of spam and phishing emails, you should know how to check if emails like the one above are genuine or not. Here are some ways you will know an email is spam:
PayPal addresses its customers using their respective names, for example, “Dear Firstname Lastname”. The first thing that made me suspect the email was spam was “Dear Valued Customer”.
Targeted spam may use you’re a user’s real name hence you should know how to check the sender’s information. If you receive an email that you think is spam, there is a small arrow near the sender’s name (I am using Gmail for my personal PayPal account but am sure other providers have it). After you open the email, click the arrow and you will see all the information associated with the email. Not the sender (from) have the PayPal domain, for example, firstname.lastname@example.org and email@example.com. Below are screenshots of genuine PayPal emails.
Avoiding Fake PayPal look-alike sites
It is very easy to detect fake look alike sites, just check the URL section and ensure it is PayPal’s domain showing (www.paypal.com). If you are redirect from spam email, or you feel the suspicious email might be valid, open a new browser tab and enter the PayPal URL manually before logging in. Do not follow any link from the suspicious email.
Software and Hardware Key Loggers
It is not advisable to logging to PayPal from public places like internet cafes. However if you must, check if there is a bridge between the keyboard’s jack and the port where it is inserted (I posted a picture above of how a key logger looks like). After you finish your transaction, logout and remember to change your PayPal password as soon as you gain access to a secured system like your own PC.
Sometimes key loggers are installed unknowingly from phishing emails and malicious links. It is important to have an antivirus because it detects and blocks spam links. Additionally, install updates when you receive a prompt from your pc that there are updates available.