Simple loopholes in Facebook and PayPal helping victims to lose millions in scam
Blackhat hackers tell us about the scam that’s hitting the internet harder than ever, stealing roughly £1.2 million ($1.6 million) per month from regular Facebook users
No, they weren’t hacked or forced or threatened – these victims all sent out the money voluntarily to their Facebook friend’s bank account, after receiving the same amount in their PayPal accounts.
The only problem? The money they received didn’t stay in their PayPal accounts for long. Within a few days, all that money was removed from their accounts. And because they sent it via bank transfer, they couldn’t get their money back.
Turns out their “friend” wasn’t really someone they knew at all. It was a hacker that had gotten into their friend’s accounts, asking around until they found someone willing to participate in the complicated scheme.
But rather than this being another cautionary tale about using social media more carefully, our sources – people inside the blackhat hacking community – tell us that simple faults with Facebook, PayPal and the UK banks themselves make it possible for hackers to carry out the scam. These hackers are reportedly making roughly £2,000 per day, per hacker, with about 15-30 hackers currently running this scheme every single day.
The scam that keeps on giving
First seen in early 2016, this scam has popped up from time to time over the last few years. However, the latest wave of the PayPal-Facebook scam has been lasting for roughly two months, impacting thousands of users and gaining the hackers a cool £40,000 ($53,000) every single day.
If we follow those rates, we can see that hackers are making about £1.2 million ($1.6 million) per month, or £14.4 million ($19 million) per year.
So why is it so effective?
This is largely due to its complexity, since it involves up to three different victims. But beyond that, we can probably pin it down to the following reasons:
- People don’t understand that PayPal has a chargeback feature, and that just because you have money in your PayPal account now, that doesn’t mean that it’ll stay there.
- People underestimate the possibility that their friends’ accounts can get hacked, and the people that they’re talking to on Facebook may not be who they say they are.
Increase your online security and privacy by sending your data through an encrypted tunnel.Protect your data now
The mechanics of the scam
When we’re talking about the techniques the hackers are using to scam people out of millions of dollars, it’s important for us not to get too specific so that we end up teaching other hackers how to pull off the same scam.
There are two slightly different versions of the scam. In the first version, the hacker only needs two victims. The first victim is the person whose Facebook account gets hacked. The second victim is the target – the only person who loses money at the end.
- The hacker will first get into the compromised Facebook account and ask 5-6 of “his” friends to see who is willing to send them money. The hacker asks this person to receive money in their PayPal account, then send the same amount to the hacker’s bank account. (The most likely reason given by the hacker is that their PayPal account is having some problems and they can’t withdraw the money.)
- The hacker then sends the target money from his/her PayPal account.
- Once the target sees the funds have entered their PayPal account, they’ll send the money via bank transfer to the hacker’s bank account.
- After a day or two, the hacker does a chargeback on PayPal for money s/he sent to the target via PayPal.
- The money is eventually removed from the target’s PayPal, and that person has lost out on the amount s/he transferred to the hacker.
- After sending the money to a different account or converting it to cryptocurrency, the hacker closes the bank “drop”.
Numbers-wise, it would look like this:
- Hacker sends the target $400 via PayPal. The target now has a $400 surplus.
- The target sends $400 via bank transfer to the hacker’s bank account. The target now has zero balance (they didn’t lose or gain any money).
- The hacker does a chargeback, and the money is removed from the target’s PayPal account.
- The target has now lost $400.
In the second version, the hacker uses a hacked PayPal account. The hacker is now sending money from a hacked PayPal account, instead of their own PayPal account. When the real PayPal owner gets back into his account, he’ll be the one initiating a chargeback to recover the money taken from his account.
In order to complete the scam, the hackers need three things:
- Stolen Facebook credentials
- Stolen PayPal credentials, or their own
- A disposable bank account, known as a bank “drop”
If there are any blocks in any of these services, the hackers will simply move on to the next target. When we asked our sources what they do if there’s any problem, they simply replied that there’s no point in trying too hard. Because of the amount of stolen credentials they have access to, and the good rate of success, they simply move on to the next target.
But far from being merely “tools” in the hacker’s arsenal, these organizations have their own role in helping make the hackers’ scam easier.
How Facebook’s simple loophole is helping scammers
Try to log into your Facebook account from a different device or a new, clean browser and a new wifi network. Immediately, Facebook notices something different and throws up a security measure, asking you to confirm your identity.
But how are these scammers able to go through so many stolen Facebook credentials? The answer: they found a loophole. A simple, simple, very simple loophole. Of course, we’re not going to tell you what it is exactly (we don’t want to help scam more people), but we decided to try a few methods ourselves.
First I tried to log in with a new Firefox browser (normally I use Chrome), and I got blocked. So then I got on our test iPhone (I’ve only ever used Android) and connected to a new network. I tried to log into my Facebook through web and mobile, and immediately I got this screen:
I tried this method on Messenger afterwards – because actually, for the scam to work, you only need the ability to message people on Facebook. I got the same screen:
On the fourth try, I unfortunately got this message:
Blocked. After a quick brainstorming session, we decided to try again with my colleague Rimas’ account, but following a new path.
Immediately we were able to bypass Facebook’s lax security:
If I was a scammer, that means that with stolen credentials and even a new device and network, I am able to go around Facebook’s pretty basic security.
This is step 1 of the scam, and Facebook made it pretty easy.
We notified Facebook of the loophole and asked them for comment on this story, but we didn’t receive any answer from them at the time of publishing.
PayPal’s very simple security bypasses (plural)
We recently reported about the 6 critical vulnerabilities we discovered on PayPal’s payment system. To recap, we were able to bypass their version of default two-factor authentication (2FA), which comes up when something suspicious happens with an account, just like with Facebook above. In speaking with Forbes, PayPal claimed that it wasn’t really a 2FA bypass, and that it wasn't a big problem. Besides that, we were also able to fully change an account holder’s name, phone number, and other details. That way, we can easily lock someone out of their own PayPal account.
We patiently explained all of this to PayPal – and they didn’t seem to care (in the Forbes article, PayPal stated that they “found that the submissions did not pose a threat.”) Even worse, because we had to report these issues on HackerOne, we had our Reputation scores lowered on that platform (even while they secretly patched some of the smaller issues in the background).
You see, with PayPal’s default 2FA system, if you try to log in with someone else’s account (like these scammers are doing), you’ll see this security step:
Normally, that would be that. Since the scammers don’t have the account holder’s phone, they shouldn’t be able to advance beyond that step. But – that’s where PayPal is failing. Using a very simple bypass, we were able to get around this (and since it hasn’t been patched yet, we obviously can’t show you our POC).
All we needed was to do a little technical wizardry in the background, and we’d eventually get a permission token to access the account – no device needed, and the default security check (known as “authflow”) skipped:
Beyond that, PayPal is also aware that its chargeback feature is often abused.
This allows for any payments made to one PayPal account linked to a credit card to be reversed. Optimistically, it’s supposed to be used to stop fraud or protect buyers when they either didn’t get anything from the seller, or it was unsatisfactory in some way.
But since PayPal accepts a large amount of chargebacks, it’s an easy and straightforward method for scammers to get back the money they gave to the target in Version 1 of the scheme.
On the other hand, if they used Version 2 where they hacked someone else’s PayPal account and made those transfers, then a chargeback is the only way for that person to get the money back into their account. Of course, it ends up hurting the main victim in either case.
When we asked for PayPal’s take on how scammers are using their platform to carry out this scam, a PayPal spokesperson stated:
“We never lose sight of the fact that we are entrusted to look after people’s money. We take this responsibility very seriously and use advanced fraud and risk management tools to keep our customers and their payments safe.
“We go to great lengths to protect our customers, but there are still some basic precautions we should all take to avoid scams. We advise customers to be wary if they receive unusual requests about their PayPal account, especially requests to move large amounts of money, even when the request appears to come from someone they know.”
They further warn their customers to be more vigilant: “Always question uninvited approaches in case it's a scam, and check directly with the person concerned to verify the request. And never accept or move money on behalf of someone else.”
The too-convenient British bank drops
In order for this scam to work, the hackers need access to disposable bank accounts. These bank accounts can be created in a matter of minutes, usually online, and they can then be quickly closed after the hackers have received their money.
Unlike PayPal’s system, there’s no dependable way for defrauded victims to get their money back once they’ve transferred it out of their bank accounts. And that’s only one of the problems when it comes to fraudulent bank transfers.
The British consumer rights group Which? has been working hard to get banks to do more to protect defrauded customers. The main issue extends beyond just these prepaid bank accounts, which hackers call bank “drops.” The bank situation in general has the following problems:
- They don’t reimburse defrauded victims, even when these victims are clearly not to blame
- They have lax account opening processes, making it easier to open disposable bank drops
- These banks don’t check the name of the payee against the account number (if so, the victim would get notified immediately that the account doesn’t belong to their real friend)
- They don’t share information across banks, making it easier for hackers to continuously open bank accounts with the same information
- They also don’t have a good process for tracing money as it moves through the system (which would make it easier to track down defrauded funds)
Who are these scammers anyways?
According to our sources, most of the scammers seem to come from the US, UK and Russia. There is a smaller group of scammers that originate from Kenya.
For about 80% of them, this is their main job. They enjoy doing this for the simple reason that it’s easy and effective. There seems to be a group of roughly 15-30 hackers involved in this scam, and they estimate that they’re making roughly £2,000 per day per hacker. That’s £1.2 million per month or £14.4 million per year.
Protect yourself now – because no one else will
Unfortunately, in light of the loopholes or easily-bypassed security measures from Facebook, PayPal and the banks themselves, everyday people will have to be more vigilant in how they behave online.
When it comes to the services that you’re using – Facebook and PayPal – there are some specific ways to protect yourself (beyond the generic cybersecurity advice floating around the internet). Again, if there’s a problem with any of these steps, the hackers simply move on to the next victim without trying too hard.
#1 Add Google Authenticator to your Facebook account
In our team, we tried to bypass Facebook’s basic security system a few times. One of our colleagues had Facebook’s two-factor authentication set up on his account. But that didn’t seem to matter, since it seems we were able to get around that security step with no problem, an issue we're still looking into.
Another colleague also had two-factor authentication on his Facebook account, but with Google Authenticator. We were not able to bypass that, since we couldn’t get in without entering the code on his device. Therefore, for better security, we recommend you use Google Authenticator on your Facebook account – at least until Facebook can fix this simple loophole.
#2 Keep your PayPal empty and link a virtual card
Don’t keep any money in your PayPal. Remember, in Version 2 of the scam, hackers are looking for PayPal accounts with balances they can send to the target. If those accounts have no balances, then the hackers won’t bother and they’ll move on to another account.
Similarly, since you’ll likely need to link a card to your PayPal account, use a VCC – a virtual credit card. Most prepaid and standard banks already support virtual cards. Even if they don’t, you can use services like Privacy.com to get around that. Create a virtual card for each “shopping spree”, or simply turn off your virtual card when you aren’t actively using it. That way, the hackers won’t have any access to your funds, even if they get into your account.
#3 Bank smarter
I wish I could give you better advice than the generic “bank smarter” I’m going to be talking about, but that’s because banks are a heavy, bureaucrat-y, rusty machine that changes slowly. Banks need to fix banks, and there aren’t any real fixes you can do by yourself if you’ve already sent money via bank transfer.
If you send money in euros, there may be some options like the SEPA SCT Recall requests that function similar to a chargeback for bank transfers. Beyond that, we can only offer advice about this scam in general: when your friend suddenly messages you and claims to have a problem with PayPal, it would be better to be more skeptical, not less.
In these situations, you can simply do the very archaic thing of calling up your friend and confirming the situation before transferring large sums of money. That requires a bit of forethought, and maybe a slight annoyance if your friend actually has a PayPal problem, but since you’re doing them a favor it should be no worry.
When it comes to your online activities, however, it really is much better to be safe rather than sorry.