Hackers Hijack Currys PC World's eBay Account and Successfully Steal Money from Unsuspecting Shoppers
A couple of weeks ago, online shopping enthusiasts hoping for a bargain were left disappointed after their money was directed the wrong way. Some of them heard that Currys PC World is selling iPhone 11s at a significant discount, and they rushed to the eBay page of the British electronics retailer to take advantage of the deal. Instead of getting Apple's latest phone on the cheap, however, they saw their money end up in the wrong PayPal account.
The details are somewhat scarce, but we do know that at some point before October 19, hackers managed to hijack Currys PC World's eBay account. The retailer has not said how they did it, but given what happened next, we can only guess that the crooks either phished or guessed the login credentials that let them in.
Once they had control over the account, they could have done all sorts of damage. After all, we're talking about a recognizable UK electronics shop that is owned by Dixons Carphone – a company that makes billions of dollars every year. What the criminals did instead, however, was switch some PayPal accounts.
After picking a few of Currys PC World's popular listings, they took the PayPal account to which the payments should be sent and replaced it with one controlled by them. The plan was clever, but it had one major drawback – if people realized that they are sending money to the wrong account, they'd act quickly and will put an end to the scam in no time. That's why, the hackers created a PayPal account that looked almost identical to the real deal. This, coupled with the fact that Currys PC World's team apparently didn't have a policy of monitoring the offending eBay account during the weekends, meant that people remained oblivious, and the scammers managed to walk away with a significant amount of cash.
How bad was it?
As we mentioned already, Currys PC World isn't too generous with the details around what happened and why. What the retailer did reveal was that the money from around 600 orders went to the crooks' PayPal account. UK website thisismoney.co.uk estimated that the total damage ranges between £111 thousand and £500 thousand (between $144 thousand and $647 thousand). With no official confirmation from Currys PC World, however, we can’t really be sure how much money has been siphoned off.
The good news is that the users won't suffer a penny in monetary damages. After the word broke out, news outlets got in touch with Currys PC World, eBay, and PayPal, and all three companies promised that every victim will get their money back. In other words, in this particular case, the corporations will be the ones taking the brunt of the financial impact. For Currys PC World, the damage could be even greater than that.
Quite apart from the fact that this is not the first cybersecurity incident the retailer has suffered, you can't ignore the ease with which the hackers managed to put customers at risk. The hijacking itself suggests that Currys PC World's eBay account might have been left without the additional protection of two-factor authentication, which is a horrifying thought.
The failure to spot the different PayPal account doesn't really speak very well for a company that makes thousands in revenue every day, and the fact that Currys PC World isn't too happy to share details on what happened and what's being done to protect customers in the future is hardly reassuring.