PayPal identity theft; Microsoft France hacked – can you afford to be next?

An unknown number of PayPal users have been tricked into giving away social security numbers, credit card details and other highly sensitive personal information. Hackers deceived their victims by injecting and running malicious code on the genuine PayPal website using a technique called Cross Site Scripting (XSS).

The hackers contacted target users via email and conned them into accessing a particular URL hosted on the legitimate PayPal website. Via a cross site scripting attack, the hackers ran code which presented these users with an official-sounding message stating, “Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to a Resolution Center.” Victims were then redirected to a trap site located in South Korea.

Once in this “phishing website”, unsuspecting victims provided their PayPal login information and subsequently, very sensitive data including their social security number, ATM PIN, and credit card details (number, verification details, and expiry date).
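The mechanism behind the PayPal incident, shown as an added example that is not code from the article or from Acunetix: a page that echoes a URL query parameter straight into its HTML lets a link on the genuine domain inject script, whereas HTML-encoding the parameter renders it as harmless text. The `message` parameter name, the hostnames and the sample URL are all constructed for illustration.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample of the kind of link described in the article: the hostname is the
# legitimate site, but the query string carries attacker-supplied markup that, if
# reflected unencoded, redirects the visitor to a phishing host.
SAMPLE_URL = ("https://www.legit-site.example/notice?message=%3Cscript%3Ewindow.location"
              "%3D%27https%3A%2F%2Fphish.example%27%3C%2Fscript%3E")


def message_param(url: str) -> str:
    """Extract the user-controlled 'message' query parameter (hypothetical name)."""
    return parse_qs(urlparse(url).query).get("message", [""])[0]


def render_notice_vulnerable(message: str) -> str:
    """Reflects the parameter verbatim: script in the URL runs in the site's own origin."""
    return f"<html><body><p class='notice'>{message}</p></body></html>"


def render_notice_safe(message: str) -> str:
    """HTML-encodes the parameter so the browser shows it as text, never as markup."""
    return f"<html><body><p class='notice'>{html.escape(message, quote=True)}</p></body></html>"


def contains_live_script(page: str) -> bool:
    """Simple response check a scanner or test suite can run: is there an unencoded script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    msg = message_param(SAMPLE_URL)
    print("vulnerable page executes injected script:", contains_live_script(render_notice_vulnerable(msg)))
    print("encoded page executes injected script:", contains_live_script(render_notice_safe(msg)))
```

The same `contains_live_script` check, fed with the rendered response to a crafted request, is the core of what an automated scanner does when it reports reflected XSS.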

One of the websites of Microsoft France was attacked this weekend by a group of Turkish hackers who defaced the site by Web Server intrusion. TiTHack, the handle used by the hackers, defaced experts.microsoft.fr by exploiting a vulnerability found either in IIS6 or in one of the web applications running on the site.

The attack seems to have been done “for fun”. However, the defacement has already caused Microsoft France significant embarrassment, further damaging the corporation’s global reputation. Bloggers immediately picked up on the defacement and were amused at how long it took Microsoft to fix the problem. At the time of writing, the website remains unavailable after at least 1 day in its state of defacement.

The Acunetix Web Vulnerability Scanner automatically audits web applications and checks whether they are free of exploitable vulnerabilities that enable hack attacks such as website defacement. An automated check of Microsoft’s and PayPal’s web applications (using Acunetix WVS) could have saved the companies from denting their reputation and credibility.
