Carders rob PayPal wallets through unknown vulnerability

Tomcat



Cybercriminals have discovered a vulnerability in the integration of PayPal with Google Pay and are actively exploiting it for illegal money transfers. Starting on February 21 of this year, users began to notice unknown transactions in their PayPal payment histories made through Google Pay. User complaints appear on different platforms, including PayPal forums, Reddit, Twitter, as well as German and Russian Google Pay support forums.

According to users, attackers pay for goods through their Google Pay accounts linked to PayPal. Judging by the screenshots they provided, most purchases are made in US stores, in particular at Target in New York. Most of the affected users are from Germany. Some purchases cost more than 1,000 euros.

It is not yet clear what kind of vulnerability cybercriminals are exploiting. PayPal is investigating the situation.

According to German security researcher Markus Fenske, what is happening is very similar to the vulnerability he and his colleague Andreas Mayer reported to PayPal in February 2019. At the time, the company did not consider fixing it a priority.

As Fenske explained, the vulnerability lies in the fact that when you link your PayPal account to your Google Pay account, PayPal creates a virtual card with its own number, expiration date and CVC. When a Google Pay user decides to use PayPal's contactless payment feature, payment is made with that virtual card.

If the virtual card could be used only for payments at PoS terminals, there would be no problem. However, it can also be used for online payments. The attackers probably found a way to steal virtual card data and use it to pay for purchases in American stores, Fenske said.

According to the researcher, there are three possible ways to steal virtual card data. The first is to read it off the screen of the victim's smartphone or computer. The second is to infect the victim's device with malware, and the third is to obtain the data by brute force. “It is likely that the attacker simply brute-forces the numbers and expiration dates of the cards, which could take about a year. CVC doesn't matter, any value will do,” Fenske told ZDNet.
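An issuer-side check for the weakness Fenske describes, as an added example that is not from the original post or from PayPal or Google: it flags online use of a virtual card provisioned for contactless payment, an unverified CVC, and several expiry dates tried against one card in a short window. The record fields, thresholds and sample authorizations are hypothetical and constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def rec(auth_id, minute, card, channel, expiry, cvc_match, provisioned_for="contactless"):
    """Build one constructed authorization record (hypothetical schema)."""
    return {"id": auth_id, "time": datetime(2000, 1, 1, 12, minute), "card": card,
            "channel": channel, "expiry": expiry, "cvc_match": cvc_match,
            "provisioned_for": provisioned_for}


# Constructed sample data, not real transactions.
AUTHS = [
    rec("a1", 0, "vc-A", "contactless", "12/25", True),   # normal tap at a terminal
    rec("a2", 1, "vc-A", "ecommerce", "12/25", False),    # online use, CVC not verified
    rec("a3", 2, "vc-B", "ecommerce", "01/25", False),    # expiry guesses on one card
    rec("a4", 3, "vc-B", "ecommerce", "02/25", False),
    rec("a5", 4, "vc-B", "ecommerce", "03/25", False),
    rec("a6", 5, "card-C", "ecommerce", "06/26", True, provisioned_for="any"),
]


def review(auths, window=timedelta(minutes=10), max_expiries=2):
    """Return {auth_id: [reasons]} for authorizations to decline or alert on."""
    flagged = {}
    attempts = defaultdict(list)  # card -> [(time, expiry)] seen so far
    for a in sorted(auths, key=lambda r: r["time"]):
        reasons = []
        # A card created for contactless payment should not authorize elsewhere.
        if a["provisioned_for"] == "contactless" and a["channel"] != "contactless":
            reasons.append("channel_mismatch")
        # "Any value will do" is the failure: online use must verify the CVC.
        if a["channel"] == "ecommerce" and not a["cvc_match"]:
            reasons.append("cvc_mismatch")
        # Several different expiry dates on one card in a short window is guessing.
        attempts[a["card"]].append((a["time"], a["expiry"]))
        recent = {exp for t, exp in attempts[a["card"]] if a["time"] - t <= window}
        if len(recent) > max_expiries:
            reasons.append("expiry_enumeration")
        if reasons:
            flagged[a["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for auth_id, reasons in review(AUTHS).items():
        print(auth_id, ", ".join(reasons))
```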