This turns PayPal's ease of payment on its head: one click is all an attacker needs to empty your PayPal account.
A security researcher has revealed a vulnerability in PayPal that he says has not yet been patched. Attackers can use it to empty victims' PayPal accounts by tricking them into clicking on a malicious link. Technically, this is called a clickjacking attack.
“The PayPal clickjack vulnerability is unique because hijacking a click is typically the first step in a way to launch another attack,” Brad Hong, vCISO, Horizon3ai, told Lifewire via email. “But in this case, with a single click, [the attack] helps to authorize a custom payment amount set by an attacker.”
Stephanie Benoit-Kurtz, associate professor in the Department of Information Systems and Technology at the University of Phoenix, added that clickjacking attacks trick victims into completing a transaction, which then triggers a host of other activities.