PayPal account hacked!

Uploaded with ImageShack.us

 

pay carefull attention, especially to parts like:

"This thread has been removed 2x in just the last 15 minutes. A regular has intimated it is my ex's fault the money is gone, even though my ex does not store passwords, nor has he accessed the account in about 2 years.

There's been 7 other accounts in our area compromised in just the last month. What say you PP supporters? Or are you just going to delete this again? I already have a letter being fired off to Ina Steiner.

Bear in mind that Paypal has openly come out with behavior which is, in every way shape and form, organized crime; Racketeering. Simple as that!

PayPal Mulls Expanded Seller Protection for a Price

Furthermore, the notion that Paypal has never been hacked is a pure LIE and FRAUD! It is a deliberately untruthful statement, contrived and executed to deceive members, shareholders and the general public and potiential members from knowing the the real dangers, continual and repeated failures of Paypal!

Here is only one striking example of Paypal being hacked. There are more, I assure you.

Read it carefully:

PayPal Security Flaw allows Identity Theft

"A security flaw in the PayPal web site is being actively exploited by fraudsters to steal credit card numbers and other personal information belonging to PayPal users. The issue was reported to Netcraft today via our anti-phishing toolbar.

The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS)...."

 

See that part ^ about "the genuine Paypal website"? See that part about xss?

If that's not hacking, then nothing is!

But it gets better...

Not only were they hacked for 2 years, they actually LIED and tried to cover it up!

Responsible Disclosure? -? Paypal vulnerable for two years

This has been mentioned in my vids time and again, such as here and here.

So if anyone reading here posts to the thug controlled, paid shill and LIAR filled paypal forums, share those links and videos with them . I'm sure they will love it!

Here are custom tinyurls for this forum and my ebay-paypal critic video channel BTW:

http://tinyurl.com/CAPP-forum
http://preview.tinyurl.com/CAPP-forum

http://tinyurl.com/CAPP-tube
http://preview.tinyurl.com/CAPP-tube

 

Now. specifically to the issue of iTunes and paypal hacking...

It doesn't take a hacker. There is no trick.

It is a security hole "feature" big enough to float the Hindenburg through. It is part of the way PP is designed.

I don't feel like digging up all the links right now, but anyone can search for paypal itunes hacked and similar will see what I mean. There has been an epidemic of that lately. The reason: uncorrected failure with a PP 'feature'.

The end result is the same though: Paypal blames the victim! I should also say that to the victim, the technical details are not important, they still suffer a loss, get lied to, insulted, disrepected, even libeled by cheap, weaseling GANGSTERS and GOONS!

That is one reason why so many people are dedicated to exposing this criminal corp for what is TRULY is. Those paid schills will be the death of eb-pp just as much as Donahoe's schizo-lame-O brainstorms.

 

'Freeware' phishing kit dupes s'kiddies

Dishonour among thieves

By John Leyden

Posted in Crime,

23rd July 2010 10:52 GMT

-- Edited by budnonymous on Tuesday 8th of June 2010 01:28:59 PM

ebaY and Paypal are websites which brings hacking victims together.


Help: Unauthorized Payment Chargeback from CC $999

 

Uploaded with ImageShack.us

budnonymous wrote:

---

 

eBay comes under attack, says Red Condor

01 April 2010

eBay is the victim of a phishing attack that uses its own compromised server, according to email filtering company Red Condor.

In an advisory published today, Red Condor said that a phishing mail sent by scammers reporting an eBay security alert differs from conventional phishing emails. This one tells victims that they must download a Security Shield program, which is in fact a trojan that harvests their passwords and presumably carries out other malicious activities on their machines.

Traditionally, phishing email relies on victims entering information about their accounts on spoof websites designed to look like the targeted company's genuine site. However, this mail directs victims to a web page containing a Download Now button to download software that directly compromises their machine.

continues...

 

However, as usual there is more to it.

---

In case no one was paying attention, the file JS Pdfka-OE you see mentioned in the video as being a false positive by a pink has turned out to be a genuine exploit from the looks of things.

It now shows as malicious on half the major virus scanners via virustotal.com. So anyone who took eb's advice got owned.

Still, no announcement, no retraction, update, clarification... no nothing from eb?
I wonder why that is? After all, it's only literally millions of people's lives potentially ruined?

I can't stress this enough, the file was and likely still is being hosted on ebay very own servers, along with the other 'security shield', which is still being found on about me pages.


Uploaded with ImageShack.us

 

yarrrriiiitte!!! Probably too late.
besides, the CSRF flaw has a bazillion different ways.
And don't forget, above all; ebaY LIES!

PayPal Patches Critical Security Vulnerabilities

PayPal says it has closed a number of security holes uncovered by an Avnet Technologies security researcher, including one that could have allowed an attacker to access PayPal's back-end system for business and premier account reports and acquire a mountain of data.

A security researcher has uncovered multiple vulnerabilities affecting PayPal, the most critical of which could have enabled attackers to access PayPal's business and premier reports back-end system.

The vulnerabilities were patched recently by PayPal after security researcher Nir Goldshlager of Avnet Technologies brought the vulnerabilities to the site's attention. The most critical bug was a permission flow problem in business.paypal.com, and could have potentially exposed a massive amount of customer data.

"An attacker was able to access and watch any other user's financial, orders and report information with unauthorized access to the report backend application," Goldshlager explained. "When users have a premier account or business account the transaction details of their orders are saved in the reports application an attacker can look at any finance reports of premier or business accounts in the PayPal reports application and get a full month [and] day summary of the orders reports."

That includes information such as the PayPal buyer's full shipping address, the PayPal transaction ID of the buyer and the date and amount of transaction.

The other vulnerabilities Goldshlager found included an XSS (cross-site scripting) vulnerability affecting the paypal.com and business.paypal.com sites that an attacker could use to steal session IDs and hijack user accounts, as well as a CSRF (cross-site request forgery) bug that exposed user account information. The CSRF vulnerability impacts the IPN (Instant Payment Notification) system, a PayPal service that sends a message once a transaction has taken place.

Once IPN is integrated, sellers can automate their back offices so they don't have to wait for payments to come in to fulfill orders, Goldshlager explained.

"This CSRF exploit method exposes the same information from the buyer as the first vulnerability ... to exploit a CSRF attack that adds a Instant Payment Notification access, the attacker will make an attack that adds his own Website address to the victim account IPN settings, and when there is transaction on PayPal the victim's transaction details will be sent to the attacker's Website," he said.

Goldshlager also uncovered smaller CSRF issues, he said. He reported the bugs to the site in February. According to PayPal, nearly all the problems Goldshlager uncovered were fixed right away.

"As you know, these types of security issues are very complex and we are grateful for our strong working relationship with the security researcher as well our partnership with the security community that have brought these issues to light," a PayPal spokesperson told eWEEK in an e-mail. "We have a shared mission to make PayPal and the Internet as safe as possible for our customers."

-- Edited by budnonymous on Friday 16th of April 2010 06:46:43 AM

That spiffy new page look doesn't seem to be improving safety, or functionality for that matter .

Sort of like when a slumlord landlard hires , oops strike that that, I mean scams on, pimps out or freeloads on a bunch of crackheads to paint the crackhouse.
Along they way they break a few windows and put holes in the roof, defecate in the kitchensink.

hijacked account

Uploaded with ImageShack.us



-- Edited by budnonymous on Monday 17th of May 2010 07:38:12 AM

Fraudsters Use Phishing Attacks to Hijack eBay Accounts
By Ina Steiner
AuctionBytes.com
March 29, 2010

A 20-year veteran of the military named Doug received an email on Thursday informing him that eBay had put a temporary hold on his selling account. The email instructed him to click on a link that led to eBay.com, where he verified his account. Ten minutes later, he received 29 email messages from shoppers asking questions about products that he had not put up for sale, including bicycles and exercise equipment.


continues...

Guess who got a mention?

comments at auctionbytes blog:
eBay Snoozes as Hijacker Lists 52,000 Auctions in 2 Hours
By: Ina Steiner

Thu Mar 25 2010 21:59:12

-- Edited by budnonymous on Monday 29th of March 2010 05:51:28 AM

Faux eBay Live Chat With A VPP Scammer!

Eaten alive!!!
Again the hackers use an ebaY api to authenticate username and password.

omfg!!! That site should be shut down!

Nothing but fraud, with the grandaddy fraudsters of them all protecting the scams for all.

-- Edited by budnonymous on Tuesday 16th of March 2010 10:01:13 PM

New wrinkle on an old scam...

ebaY Crafty Hackers and iPhone Scams

eBay Security Vulnerabilities Found by Researcher

By: Brian Prince
2010-02-17


eBay is working to patch a cross-site request forgery vulnerability recently uncovered by a security researcher. The Avnet researcher also discovered cross-site scripting and blind SQL injection bugs in eBay's online auction site, which eBay has fixed.

eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user's password and get access to that user's account.

The vulnerability is one of several affecting eBay that were recently uncovered and shared with eWEEK by Nir Goldshlager, a researcher with Avnet Information Security Consulting. Among the vulnerabilities are cross-site scripting bugs in the eBay Live Help support page and eBay To Go, which the company fixed by validating user input. In addition, Goldshlager uncovered a blind SQL injection problem in the eBay donations Website.

All of the vulnerabilities have been patched except the CSRF (cross-site request forgery) flaw. According to Chad Greene, eBay's senior manager of global information security, the company has pushed code to the core site to measure the impact of potential fixes for the CSRF problem on the user and will make a decision about how to address the situation in the next three weeks.

"The nature of CSRF means that there isn't a single fix that can be applied in all cases and rolling out the wrong fix could break legitimate user functionality," Greene told eWEEK in an e-mail.

According to Goldshlager, who demonstrated a proof-of-concept attack, the CSRF vulnerability can be exploited to ultimately get control of a user's account.

"When the victim visits my malicious Website I can change his password ... to any password I choose," Goldshlager explained. "I can change the user's password because I am in control of changing his primary phone and personal information details in his eBay account. An attacker can [also] change the secret question [and] answer with the cross-site request forgery vulnerability. Then he can renew the password of the user by using the 'forget password' mechanism."

In an interview, Greene said users can report any security issues they find to eBay's security center, and the site works with members of the research community to uncover any vulnerabilities.

"We work with many members of the security community as well as the security industry we like to do community outreach and educate the user base," Greene said.

 

 

01-10-2010 19:19

Auction Ruling to Set a Precedent

An imminent ruling on a two-year-old hacking case involving Auction, which now enjoys a virtual monopoly in the nation's online open market after taking over Gmarket, is expected to set a precedent in many ways, not least of all about how tolerant the nation will be regarding online businesses. This ruling could make or break the future of the country's Internet business. ED.

By Park Si-soo
Staff Reporter

A Seoul court is expected to make a ruling Thursday on the largest private information leakage case involving the online open market site, Auction, owned by eBay. The system was hacked into in February 2008.

The company and the authorities estimate that nearly 10.81 million or 60 percent of all registered users of Auction (www.auction.co.kr) had their private information including ID numbers, home addresses, phone numbers and even bank accounts exposed to strangers by hackers allegedly from China.

Of them, 146,000 users have taken a class action against the online auction company, each demanding between one and three million won ($880-$2,650) in compensation. Police failed to identify and catch those who penetrated the company's firewall.

What the cyber attack left behind was a long, drawn out court battle between two "victims" Auction and its affected users.

The plaintiffs tried to prove that they had sustained damage as a result of the leak, citing an increase in the number of what appeared to be fraudulent calls to their mobile phones following the incident.

Auction, which was taken over by eBay in 2001, tried to defend itself on the basis that the cyber attack and resultant information leak was an unavoidable "rite of passage" for Internet-based companies at home and abroad.

"No matter how strong a firewall may be, Internet firms are bound to be susceptible to hackers," said an Auction spokesman. "At the time of the incident, we were using a state-of-the-art firewall whose defense capability was not inferior to that of the world's most popular commercial Web sites. If the court holds us responsible, online marketplaces like Auction will lose business, in turn causing a significant impact on the IT industry in general."

The spokesman underlined, "We are also a victim."

Lim Sung-geun, a presiding judge of the case, has remained tight-lipped. Given past rulings on similar cases, however, it's very likely that Auction will be held partially liable.

In November 2008, the Seoul High Court ordered Kookmin Bank to pay 200,000 won in compensation to nearly 1,000 online clients, whose private information was leaked. LG Electronics was also ordered to pay 700,000 won to those who uploaded their private information on its recruitment Web site, whose firewall was also breached. No matter how little the compensation to each user may be, the Auction spokesman says, it could pose a grave threat to its bottom line.

"If the plaintiff wins, it's possible that the remaining 10 million people who have taken no legal action against us as yet would follow suit," the Auction spokesman said.

According to a quarterly report the company submitted to the state financial watchdog in November last year, it had capital of 108.7 billion won as of Sept. 30.

ebay Flash Redirect XSS Flaw Alive and Well

EBay Requires Developers to Change Their Account Passwords

Juan Carlos Perez, IDG News Service

 

It gets more funny:

Passwords compromised for eBay developers

And if that weren't enough:

eBay Developer Important Security Update - Oh Please!

But you never know...
There could be more comedy on the way.

When they get all done, they are likely to have just thrown a few more wrenches into the gears of their blivet-mobile.