F-Secure: Man-in-the-middle PayPal attack in the works

Researchers at F-Secure are warning about a potential man-in-the-middle attack targeting PayPal users.

According to the security firm's blog today, F-Secure was alerted about a phishing site that is identical to the real PayPal log-in page. The bogus site, which communicates with both the user and the legitimate PayPal site, is designed to steal usernames, passwords and credit card information.

"Luckily, we were alerted to this before it was actually spotted in the wild," the blog said. "We imagine the phisher is still working on going live with the site as we write this."

Experts contend man-in-the-middle attacks likely will become more common in the coming months. In July, experts revealed that Citibank was the target of such an attack, considered the first of its kind.

"There's some trend out there with the crooks trying to prove a point - and probably trying to steal money too - that they can get around these front-end authentication measures," Avivah Litan, a Gartner analyst who specializes in phishing attacks, said today.

The attacks are particularly dangerous because neither party is aware they are happening, she said.

"The user doesn't know there's anything between them and the service provider, and the service provider doesn't know it either," Litan said. "It's intercepting the traffic. It can get around two-factor authentication. It's scary because it eliminates the effectiveness of most of the security solutions being put in place today."

PayPal spokeswoman Sara Bettencourt said today that despite the sophistication of man-in-the-middle attacks, users should still apply common sense to avoid them, such as avoiding links found in phishing emails.

"PayPal will never send an email to a user with a link asking them to enter in their username and password," she said.

In addition to educating users, companies must deploy real-time monitoring, such as checking on the health of a user's machine and implementing public key infrastructure (PKI), to stop the attacks, Litan said.

Organizations should also beef up their back-end fraud detection controls, which would let them detect unusual behavior stemming from transactions or log-in attempts, Litan said, adding that PayPal has strong back-end models in place.
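One concrete back-end check of the kind Litan describes, as an added illustration rather than anything PayPal or the article's sources published: a relay-style phishing site forwards every victim's credentials to the real service from the relay's own address, so the service sees many different accounts authenticating from one source IP in a short window. The log format, field names, thresholds and sample lines below are all constructed assumptions.

```python
"""Flag source addresses that authenticate many distinct accounts in a
short window, a footprint a credential-relaying phishing site leaves in
the real service's login log.  Added example; format and thresholds are
assumptions, not a real PayPal control."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <source IP> <result>"
SAMPLE_LOG = """\
2006-09-12T10:00:01 alice 203.0.113.7 OK
2006-09-12T10:00:40 bob 203.0.113.7 OK
2006-09-12T10:01:15 carol 203.0.113.7 OK
2006-09-12T10:02:02 dave 203.0.113.7 OK
2006-09-12T10:03:10 erin 198.51.100.20 OK
2006-09-12T10:30:00 frank 203.0.113.7 OK
2006-09-12T10:59:00 alice 192.0.2.5 OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events


def shared_source_accounts(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: accounts} for every source IP that completed successful
    logins for at least min_accounts distinct accounts inside any sliding
    window of the given length.  The account set is the union of all
    accounts seen in the flagged windows, i.e. the ones to review."""
    by_ip = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "OK":  # only successful logins matter for this check
            by_ip[ip].append((ts, account))
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort()
        for i, (start, _) in enumerate(logins):
            accounts = {a for t, a in logins[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


if __name__ == "__main__":
    for ip, accounts in shared_source_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"review logins from {ip}: {sorted(accounts)}")
```

A single shared NAT or corporate proxy produces the same pattern, so in practice the flagged set feeds a review queue or step-up check rather than an automatic block.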

Tim Renshaw, vice president of products at San Mateo, Calif.-based fraud authentication provider TriCipher, also recommended that companies employ a two-way mutually-authenticated channel in which the client also presents a certificate to the server before the SSL session is established.

But many service providers have been hesitant to implement this because they do not want to erode the customer experience, he said.

Reporter: Dan Kaplan.