23 December 2019

An ongoing PayPal phishing scam aimes to steal a large swath of data


An ongoing PayPal phishing scam aimes to steal a large swath of data

Researchers at ESET are warning of an ongoing phishing campaign targeting PayPal customers that attempts to steal not only access credentials to the payment service, but also victims’ financial information. The phishing massages are camouflaged as 'unusual activity' alerts warning users of suspicious logins from unknown devices prompting them to take an immediate action and secure their accounts.

"Please log in to your PayPal account and complete the steps to confirm your identity. To help protect your account, your account will remain limited until you complete the necessary steps," the phishing emails say.

Once the victim clicks on the link in the phishing spam message, they presented with a PayPal-branded page reiterating the claimed account compromise and asking them to confirm their 'informations' by entering a CAPTCHA code displayed on the page.

“The manufactured sense of urgency is not the only telltale sign to tip you off that something is amiss. Other giveaways include the odd URL (though partly obfuscated here for security reasons), substandard English, chopped-off letters, and the use of a CAPTCHA,” the researchers explained.

If the target enters a CAPTCHA, a fake login interface is displayed imitating a genuine two-step PayPal login process. Once the victim enters username and password, they asked to hand over a range of sensitive information, including their credit or debit card data, access credentials to the bank account linked to the card and, lastly, the login to their email account.

After successfully collecting all of sensitive info from their victims, the campaign’s operators send them to a page congratulating them for restoring access to their accounts, assuring them that their "accounts will be verified in the next 24 hours."

In the course of the campaign the attackers used multiple phishing domains with names designed to resemble an official PayPal site. To add more credibility to the fake sites, the attackers used authentic SSL (Secure Sockets Layer) certificates. One of the domains hosting the scam was registered using NameCheap on December 5, with the registrant info protected using WhoisGuard and having a Cloudflare SSL certificate valid between December 4, 2019, and October 9, 2020, the researchers said.

“It’s worth noting that we’ve found no evidence that this campaign results in the installation of malicious software on victims’ machines. And, as this scam starts with a phishing email, the usual precautions will go a long way towards helping you stay safe,” ESET noted.

Back to the list

Latest Posts

Windows encryption can be (ab)used by ransomware

Windows encryption can be (ab)used by ransomware

Ironically, concept ransomware takes advantage of a function in Windows designed to protect confidential data from an unauthorized access.
22 January 2020
New JhoneRat malware targets Middle Eastern countries using multiple cloud services

New JhoneRat malware targets Middle Eastern countries using multiple cloud services

The RAT implements anti-VM and anti-analysis tricks to conceal the malicious activities.
22 January 2020
A massive list of Telnet credentials for over half a million servers and smart devices published online

A massive list of Telnet credentials for over half a million servers and smart devices published online

This marks the biggest leak of Telnet passwords up to now.
20 January 2020