New phishing scam abuses PayPal’s known security measures



Researchers at cybersecurity firm Akamai have warned about a new, elaborate PayPal phishing scam that abuses benign WordPress websites.

According to a recent Akamai report, the researchers found a phishing kit targeting PayPal users in order to steal their identities. The threat actor compromises legitimate WordPress websites by brute-forcing their logins and injects the new phishing kit into them, which helps it partially evade detection. The kit is injected by installing a particular file-management plugin.
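The sequence the report describes (brute-forcing WordPress logins, then installing a file-manager plugin to drop the kit) leaves a recognisable trace in ordinary web-server access logs. The Python script below is an added example, not code from Akamai or from this article. It runs over a constructed Apache access log embedded in the script, flags source addresses that produce a burst of failed POSTs to wp-login.php, and then reports any plugin upload or install request from the same address. The ten-attempts-in-five-minutes threshold and the reliance on WordPress answering a failed login with 200 and a successful one with a 302 redirect are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# WordPress admin actions that add a plugin (update.php?action=...).
PLUGIN_ACTIONS = {"upload-plugin", "install-plugin"}


def constructed_log():
    """Build a small, constructed access log; none of these lines are real traffic."""
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    base = datetime(2022, 7, 10, 3, 12, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = []
    # Twelve failed logins ten seconds apart: WordPress re-renders the form with 200.
    for i in range(12):
        lines.append(line("203.0.113.7", 10 * i, "POST", "/wp-login.php", 200))
    # Then one success (302 into wp-admin) and a plugin upload from the same source.
    lines.append(line("203.0.113.7", 130, "POST", "/wp-login.php", 302))
    lines.append(line("203.0.113.7", 160, "POST",
                      "/wp-admin/update.php?action=upload-plugin", 200))
    # Ordinary traffic: a reader, and an editor who mistypes a password once.
    lines.append(line("198.51.100.2", 200, "GET", "/2022/07/hello-world/", 200))
    lines.append(line("192.0.2.9", 220, "POST", "/wp-login.php", 200))
    lines.append(line("192.0.2.9", 240, "POST", "/wp-login.php", 302))
    return lines


def parse_log(lines):
    """Parse combined-format lines into dicts; unparsable lines are skipped, not fatal."""
    events = []
    for raw in lines:
        m = LOG_RE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: failed_login_count} for IPs with `threshold` failures inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == 200:
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window over consecutive failures: any `threshold` of them within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def find_plugin_installs(events, suspect_ips):
    """Plugin upload/install requests issued by an address already flagged for brute force."""
    hits = []
    for e in events:
        if e["ip"] not in suspect_ips:
            continue
        path, _, query = e["path"].partition("?")
        actions = parse_qs(query).get("action", [])
        if path == "/wp-admin/update.php" and PLUGIN_ACTIONS.intersection(actions):
            hits.append((e["ip"], e["ts"], e["path"]))
    return hits


def analyze(lines, threshold=10, window=timedelta(minutes=5)):
    """Run both checks and return the findings as one dict."""
    events = parse_log(lines)
    suspects = find_bruteforce(events, threshold, window)
    return {"brute_force": suspects,
            "plugin_installs": find_plugin_installs(events, suspects)}


if __name__ == "__main__":
    for key, value in analyze(constructed_log()).items():
        print(key, value)
```

On a real host, feed `analyze()` the lines of the access log instead of `constructed_log()`; a plugin install that follows a login burst from the same address is the pattern worth paging on, whereas a lone burst is routine background noise on most WordPress sites.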

Another detection-evasion technique used by the scammers is cross-referencing visitors' IP addresses against a list of specific companies' domains, including ones in the cybersecurity industry.

The phishing kit attempts to gain extensive access to a victim's identity and personal information by mimicking new security practices. In particular, the tool asks users to provide their banking data, government documents and photos, and even email passwords in order to "confirm" their identities.

The phishing kit's creator did everything possible to make the fraudulent page look exactly like the genuine PayPal website, including using similar graphical interface elements. Furthermore, using .htaccess, they rewrote the URL so that it does not end with the .php extension of the underlying file.
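The .htaccess rewriting mentioned above is something a WordPress administrator can audit: a stock installation only needs rewrite rules that route requests to index.php, and the uploads directory should not carry rewrite rules at all. The Python script below is an added example, not code from this article or from Akamai. It parses RewriteRule directives from a constructed set of .htaccess files embedded in the script and flags rules that map extensionless paths onto PHP scripts; the index.php allow-list and the rule that any PHP rewrite under wp-content/uploads is suspicious are the example's own assumptions.

```python
import os
import posixpath
import re

# RewriteRule <pattern> <substitution> [flags]; patterns with embedded spaces are not handled.
REWRITE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
# Scripts a WordPress root may legitimately rewrite to (assumption of this example).
FRONT_CONTROLLERS = {"index.php"}
UPLOADS_PREFIX = "wp-content/uploads/"

# Constructed sample {relative path: .htaccess contents}; not files from any real site.
SAMPLE_TREE = {
    ".htaccess": """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
""",
    "wp-content/uploads/2022/07/.htaccess": """\
RewriteEngine On
RewriteRule ^signin$ login.php [L]
RewriteRule ^verify/([a-z]+)$ step.php?stage=$1 [L,QSA]
""",
    "wp-content/uploads/.htaccess": """\
# Typical hardening dropped by security plugins: refuse to execute PHP here.
<FilesMatch "\\.php$">
Require all denied
</FilesMatch>
""",
}


def find_php_rewrites(text):
    """Return (pattern, script) for every RewriteRule whose substitution is a PHP script."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern, target = m.group(1), m.group(2)
        if target == "-":            # "-" means "no substitution"
            continue
        script = target.split("?", 1)[0]   # drop any query string before checking the extension
        if script.lower().endswith(".php"):
            hits.append((pattern, script))
    return hits


def audit_htaccess_tree(tree):
    """Audit {path: contents}; returns (path, pattern, script, reason) for each suspicious rule."""
    findings = []
    for path, text in tree.items():
        in_uploads = path.startswith(UPLOADS_PREFIX)
        for pattern, script in find_php_rewrites(text):
            if in_uploads:
                findings.append((path, pattern, script, "PHP rewrite inside the uploads directory"))
            elif posixpath.basename(script) not in FRONT_CONTROLLERS:
                findings.append((path, pattern, script, "rewrite to a non-core PHP script"))
    return findings


def audit_directory(root):
    """Collect every .htaccess below a WordPress root from disk and audit it."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            full = os.path.join(dirpath, ".htaccess")
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                tree[rel] = fh.read()
    return audit_htaccess_tree(tree)


if __name__ == "__main__":
    for finding in audit_htaccess_tree(SAMPLE_TREE):
        print(finding)
```

Run `audit_directory("/path/to/wordpress")` against a live document root to get the same findings from disk; the script deliberately treats the stock WordPress block as clean so that only rules outside the normal index.php routing stand out.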

First, victims are required to solve a CAPTCHA challenge, which gives them a false sense of security. Then they are asked to log into their PayPal account with their email address and password. Needless to say, this data goes directly to the attacker.

After that, users are told that "unusual activity" has been spotted in their account and that more verification information is needed. The phishing kit requests additional personal and financial details, including payment card data, physical address, social security number and mother's maiden name. It then asks victims to link their email account to PayPal. Eventually, the phishing kit demands the users' official identification documents.
