PayPal Phishing Kit Installed on Hacked WordPress Sites for Complete Identity Theft

A recently discovered phishing kit targeting PayPal users attempts to steal a wide range of personal information from victims, including images of official identification documents.

More than 400 million people and businesses use PayPal as a means of online payment.

The kit partially evades detection because it is hosted on legitimate WordPress websites that have been compromised.

Compromising websites with weak logins

The phishing kit was discovered by Akamai researchers when the threat actor placed it on their WordPress honeypot.

The threat actor selects websites with weak security and brute-forces their login pages using lists of widely used credential pairs that are freely available online. With this access, they install a file management plugin and use it to upload the phishing kit to the compromised site.
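The two steps just described, a credential brute-force against the WordPress login page followed by a plugin upload once a password works, leave a recognisable pattern in the web server's access log. The following detection script is an added example written for this page, not code from Akamai or from the phishing kit; it runs over a constructed sample of Apache combined-format log lines (not real traffic) and flags a source address that fails wp-login.php repeatedly inside a short window and then reaches the standard WordPress plugin-upload endpoint. The success/failure heuristic (a failed WordPress login answers 200 with the form again, a successful one answers 302) and the threshold values are assumptions a deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" format (not real traffic): one source
# address fails wp-login.php several times, eventually gets a 302 (WordPress
# redirects on a successful login), then posts a plugin archive to the
# built-in upload endpoint. A second address is a normal visitor.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Jul/2022:13:54:58 +0000] "GET /2022/06/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jul/2022:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jul/2022:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jul/2022:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jul/2022:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.28"
203.0.113.7 - - [10/Jul/2022:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.20 - - [10/Jul/2022:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:13:57:30 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "python-requests/2.28"
"""

# Apache combined format: ip ident user [ts] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# WordPress endpoint that receives a plugin archive uploaded from wp-admin.
PLUGIN_UPLOAD = "/wp-admin/update.php?action=upload-plugin"


def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return IPs that fail wp-login.php `threshold` times inside `window`,
    and those that afterwards log in and hit the plugin-upload endpoint.

    Heuristic (assumption): a failed WordPress login returns 200 with the
    form; a successful one returns a 302 redirect into wp-admin.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    first_success = {}             # ip -> first successful login time
    uploads = defaultdict(list)    # ip -> (time, path) of plugin uploads

    for ip, ts, method, path, status in parse(log_text):
        if method != "POST":
            continue
        if path.startswith("/wp-login.php"):
            if status == 200:
                failures[ip].append(ts)
            elif status in (301, 302) and ip not in first_success:
                first_success[ip] = ts
        elif path.startswith(PLUGIN_UPLOAD):
            uploads[ip].append((ts, path))

    brute_force = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: any `threshold` failures inside `window` is enough.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                brute_force[ip] = len(times)
                break

    # Post-compromise step: a brute-forcing IP that then logs in and uploads.
    post_compromise = {}
    for ip in brute_force:
        if ip in first_success:
            later = [p for t, p in uploads.get(ip, []) if t >= first_success[ip]]
            if later:
                post_compromise[ip] = later

    return {"brute_force": brute_force, "post_compromise_upload": post_compromise}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The single-visitor address with one failed login is not flagged, while the attacking address is reported both for the burst of failures and for the plugin upload that follows its first successful login; in practice the second finding is the one worth paging on, since a plugin upload from an address that was just brute-forcing is a strong sign the site is already compromised.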

Akamai found that one tactic the kit uses to evade detection is cross-referencing visitor IP addresses against domains belonging to a specific group of organizations, including some in the cybersecurity sector.

Authentic-looking page

The researchers found that the kit’s author went to some lengths to make the bogus page look professional and closely resemble the authentic PayPal website.

One thing they noticed was that the author rewrote the URL using .htaccess so that it does not end in the .php file extension. This gives the page a cleaner, more professional appearance that lends it authority.

The entire graphical interface of the forms is also styled to match PayPal’s theme, giving the phishing pages a genuine-looking appearance.

Process of stealing data

The first step in stealing a victim’s personal information is to present them with a CAPTCHA challenge, which gives them a false sense of legitimacy.

Next, the threat actor collects the victim’s email address and password, which are then used to get into their PayPal account.

But this is not all: the threat actor requests additional verification information, claiming that there has been “strange activity” on the victim’s account.

On a following page, the victim is asked for a multitude of personal and financial information, including payment card details and the card verification code, physical address, social security number, and mother’s maiden name.

The phishing kit appears designed to collect as much personal information as possible from the victim. In addition to the card details usually harvested in phishing scams, it requests the social security number, mother’s maiden name, and even the card’s PIN for use at ATMs.

Even after gathering this much personal data, the threat actor is not done. The victim is then asked to upload official identification documents to verify their identity.

The upload process comes with detailed instructions, just as PayPal or another legitimate provider would give its users, and the accepted documents are a passport, a national ID, or a driver’s license.

All of this information could be used by cybercriminals for a range of illegal activities: identity theft, money laundering (for example by setting up cryptocurrency trading accounts or registering businesses), staying anonymous when making purchases, taking control of banking accounts, or cloning payment cards.

Despite the kit’s apparent sophistication, its file upload component has a vulnerability that could be used to upload a web shell and take control of the compromised website.

Given the enormous amount of information requested, some users might recognize the fraud immediately. However, Akamai researchers believe that this very social engineering component is what makes the kit effective.

They note that identity verification is commonplace today and can be carried out in a variety of ways. In the researchers’ words, “people judge brands and companies on their security procedures these days.”

The CAPTCHA challenge signals right away that further verification is to be expected. By employing techniques similar to those of reputable providers, the threat actor gains the victim’s trust.

Users are encouraged to check the domain name of any website that requests sensitive information. They can also type the address of the service’s official page into their browser manually to see whether identity verification is actually required.
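The advice to check the domain name is easy to state but easy to get wrong, because a phishing host is usually built to contain the real brand name somewhere in the URL. The following helper is an added example written for this page, not code from Akamai or from any PayPal product; it extracts the host from a URL the way a browser does (dropping any user@ prefix, port, and case, and converting internationalised names to their ASCII form) and accepts the URL only if the host is the expected registrable domain or a subdomain of it. The set of official domains is a constructed configuration value, and the sample URLs are constructed lookalikes, not addresses observed in this campaign.

```python
from urllib.parse import urlsplit

# Constructed configuration: the registrable domain(s) the user expects to
# be talking to. A real deployment would load this per service.
OFFICIAL_DOMAINS = ("paypal.com",)


def host_of(url):
    """Return the lowercased, ASCII (IDNA) host of `url`, or None if absent.

    `urlsplit(...).hostname` already discards any `user:pass@` prefix and the
    port and lowercases the name, so `https://paypal.com@evil.example/`
    yields `evil.example`, not `paypal.com`.
    """
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:          # e.g. an unbalanced IPv6 bracket
        return None
    if not host:
        return None
    host = host.rstrip(".")     # a trailing dot names the same host
    try:
        # Homoglyph names (e.g. a Cyrillic letter in "paypal") become an
        # xn-- label here and therefore never equal the real domain.
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_official(url, official=OFFICIAL_DOMAINS):
    """True only if `url` uses https and its host is an official domain or a
    subdomain of one. Matching is on whole labels, so "notpaypal.com" and
    "paypal.com.secure-verify.example" are both rejected."""
    try:
        scheme = urlsplit(url.strip()).scheme.lower()
    except ValueError:
        return False
    if scheme != "https":
        return False
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in official)


if __name__ == "__main__":
    # Constructed sample URLs: one genuine pattern and several lookalikes.
    for candidate in (
        "https://www.paypal.com/signin",
        "https://paypal.com.secure-verify.example/login",
        "https://paypal.com@198.51.100.5/",
        "http://www.paypal.com/",
        "https://notpaypal.com/",
    ):
        print(f"{is_official(candidate)!s:5}  {candidate}")
```

Only the first URL is accepted. The check is deliberately strict about the scheme as well: a page that asks for identification documents over plain http is not one the legitimate provider would serve.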
