New PayPal scam leaves thousands of users victims

Anton P. | March 25, 2020

Simple weaknesses in both PayPal and Facebook make it feasible for hackers to carry out a scam that leaves victims without their funds. The fraud is stupidly simple to execute: without coercion or direct threats, the victims send out the money voluntarily. The scam has already claimed millions of dollars, leaving thousands of people victimized. Its clever social engineering form, without a doubt, can fool the best of us.

Blackhat community doing the rounds

First discovered in 2016, the scam has resurfaced from time to time over the last few years. But the latest wave of the PayPal-Facebook scam is hitting harder than ever, according to researchers from CyberNews. They got in touch with the blackhat hacking community, which claims that it is ready to hit the internet harder than ever. Roughly 15-30 hackers are doing the rounds, each gaining $2,500 every single day. At such rates, the hackers could make about $1.6 million per month, or $19 million per year. Most of the scammers are from the US, UK, or Russia, and for most of them this fraud is their primary source of income. At the moment, the UK remains the most targeted country, given the ever-growing usage of PayPal. Yet the scam has no geographic boundaries, as it can operate anywhere.

The scheme behind it

The scam relies on a very tricky form of social engineering. The scheme is complicated, but the execution is simple. To perform the fraud, the bad actor needs three things: stolen Facebook credentials, a PayPal account, and a disposable bank account, otherwise known as a bank “drop”. Because of the number of stolen credentials available on the darknet, there’s no need to try hard. If there are any blocks on Facebook’s or PayPal’s end, the attacker simply moves on to the next target. According to CyberNews, the blackhat community found a simple Facebook loophole that allows them to get past account security measures. Of course, they decline to share more details about the vulnerability itself.

With the Facebook credentials stolen, the hacker uses Messenger to reach several friends, asking them for help transferring money in a seemingly trustworthy manner. The attacker claims that there are some issues with their PayPal account and asks whether the funds can be sent to the friend’s account instead. Then, the hacker asks if the friend could send the money back by bank transfer. CyberNews provided a detailed explanation of the scheme.

How the process works step-by-step:

  1. The attacker acquires the credentials of a Facebook account. Due to massive data breaches, the hacker obtains the credentials from the dark web quite easily.


  2. The hacker sends a private message from the hacked account to one of the chosen friends. The message looks something like this: “I just sold something online and need to get paid, but something is wrong with my PayPal. Can you help me out? They’ll send you the money on PayPal, and then you can send it to my bank account.”

  3. The “friend” agrees to help and provides the necessary PayPal account details. Shortly after, the money appears in the victim’s PayPal account; the friend checks it and sees that the money is indeed there.

  4. The actual payment has been made by the hacker, either from a hacked PayPal account or from a fraudulent card setup.

  5. Now the victim bank-transfers the same amount of money to the “friend.” In reality, the victim sends the money to the hacker’s bank account.

  6. The victim believes that everything is fine. But the next time they check their PayPal balance, they find out that the received payment has been canceled. This procedure is called a chargeback, which is a standard PayPal mechanism. The chargeback allows the sender (the attacker) to request that the amount be refunded.

  7. Sadly, the victim cannot do the same with their payment to the hacker’s account, as there is no such mechanism for a bank transfer.

  8. The payment makes a few electronic hops to hinder tracing, or the attacker converts the money to cryptocurrency along the way. Then the hacker closes the bank “drop” and the money is his.

Don’t be the next one

Of course, there are some more in-depth technical aspects behind the scam. The attackers somehow bypass Facebook’s and PayPal’s safety checks. Luckily, everyone can prevent themselves from becoming a victim of this stupidly simple attack. Using proper multi-factor authentication (MFA) will stop the attacker from getting into your private account. MFA adds a one-time passcode on top of the account’s credentials, and only the owner can receive one. Both Facebook and PayPal offer similar settings, and it would be smart to enable it on anything where this option is available. Furthermore, PayPal is one of the most popular services for hackers to impersonate.

Beyond all of that, avoiding such a scam is mostly about common sense. If a friend messages you with a similar request, take further action to make sure that it’s really them: make a call or meet them face-to-face. Unless you’re entirely sure, don’t proceed. PayPal itself urges its customers to be wary of unexpected inquiries about their accounts, especially requests to transfer large sums of money. Always examine uninvited approaches and check directly with the person who wants to transfer funds on your behalf.

Anton P.

Former chef and head of the Atlas VPN blog team. He's an experienced cybersecurity expert with a background in technical content writing.



© 2023 Atlas VPN. All rights reserved.