Cyber Incident Victim: PayPal

Date:

Jan 2014

Location:

United Kingdom

Summary

Pro-Syrian hackers compromised eBay security personnel's communications during incident response to an attack targeting the company's UK websites, including PayPal. Attackers intercepted internal emails and potentially accessed employee devices, enabling them to redirect web traffic and eavesdrop on response coordination. The breach highlighted vulnerabilities in relying on standard communication channels during security incidents, as compromised accounts or systems allowed adversaries to monitor mitigation strategies. This incident paralleled similar phishing attacks against other major technology firms, exposing systemic risks to sensitive data despite extensive employee training and corporate security resources.

Description

In early February 2014, pro-Syrian hackers compromised eBay's incident response communications during an investigation into a separate attack targeting eBay and PayPal UK websites. Evidence emerged showing intercepted emails between eBay security personnel, including a February 1 message from senior manager Paul Whitted warning colleagues about potential compromise of their conference call details. Whitted's email, sent from his iPhone, expressed concern that attackers with remote access to email accounts or laptops could monitor their incident response coordination. Security analyst Jacob Williams assessed the communication as authentic, indicating attackers had infiltrated at least one responder's account or device during the active security breach. This allowed simultaneous eavesdropping on remediation efforts while attackers maintained control over website redirections affecting eBay and PayPal users. The initial compromise vector was suspected to be phishing targeting responders, potentially exploiting vulnerabilities in Java or Flash through compromised devices, though the intrusion method was not definitively confirmed.

The incident highlighted critical operational security failures, as responders inadvertently used compromised channels for coordination, enabling attackers to monitor defensive measures. This breach occurred shortly after Microsoft disclosed a similar late-January 2014 spear-phishing campaign that compromised employee accounts, exposing law enforcement inquiry documents and potential customer data. Both incidents demonstrated vulnerabilities in corporate communication systems during crises, with attackers exploiting trusted channels to maintain persistence. The eBay/PayPal attackers successfully intercepted sensitive internal discussions about containment strategies, though specific technical details about website redirections or customer impact weren't disclosed. Security professionals emphasized the necessity of out-of-band communication protocols during incident response to avoid exposing remediation tactics to adversaries. These consecutive breaches at major technology firms underscored systemic challenges in protecting communication channels against determined phishing campaigns, even among trained security personnel.
