The threat actor relies on a fake PayPal login page—which looks deceptively similar to the real one—to dupe their targets into providing all kinds of sensitive information. Unlike most phishing attacks, the attackers do not aim to only steal their victims’ login credentials. They use a counterfeit PayPal page to trick victims into providing their credit card information, social security numbers, government IDs (such as passports and driver’s licenses), and even selfies. To avoid detection, the phishing kit is designed to cross-reference visitors’ IP addresses to specific domains, ensuring they don’t originate from cybersecurity firms.
Hackers Fell for Akamai’s Honeypot
In the blog post, Akamai security researchers revealed that they first noticed the phishing kit after it appeared on one of their WordPress honeypots. A honeypot is a decoy—a secure environment created to attract attacks from threat actors. Researchers use honeypots to study hacking and other malicious activities. The researchers explained that the attackers target vulnerable WordPress sites, or those with weak admin login credentials, and brute force their way into them. Once compromised, the attackers install a file management plug-in, which is then used to upload their phishing kit. This effectively transforms the site into an information harvesting tool. Rather ingeniously, the phishing kit cross-references visitors’ IP addresses to avoid being detected. The researchers found that the kit conducts multiple checks to ensure that IP addresses do not match that of known security organizations or other specific domains. “It does this by comparing the connecting IP address with a list of static IP ranges and domains it has hard-coded in its source files,” they explained. “These IP ranges are the network blocks of companies like Google, Microsoft, Sucuri, etc. It also checks the IP address against an IP reputation site using an API key that is embedded in the code, looking for any IPs that may be flagged as malicious.”
Fake Site Uses Convincing Interface to Trick Victims
The phishing kit’s convincing interface, which the researchers described as “immaculate,” is a critical part of the campaign. The fact that the fake PayPal site’s URL does not have “.php” makes it appear “more polished and professional” to identity theft victims. Also, visitors to the fake PayPal site have to complete a CAPTCHA verification challenge, which adds an air of legitimacy to the platform. Payment sites usually have CAPTCHA and other security steps. After entering the CAPTCHA code correctly, the user receives a prompt to enter their email address and password. This information goes directly to the threat actor. The researchers noted that while most phishing attacks end at this stage, this campaign uses social engineering tricks to pry for more sensitive data.
Stolen Information Can Lead to Total ID Theft
Once a user enters their email address and password to sign in, they receive an alert saying PayPal has noticed unusual activity on the account. Consequently, the site directs the user to provide more information, including their credit card information. In an actual security verification scenario, it would suffice to provide your Card Verification Value (CVV). However, in this case, the site asks for more data, including the card number, holder’s name, validity data, and CVV. The user must also provide their full name, address, phone number, and date of birth. The attack does not stop here. In the next step, the victim is asked to upload a government ID. They are given the option of uploading an image of their passport, national ID, or driver’s license. After this, they must upload a selfie of themselves holding up their government ID. This process adds some credibility to the scam, since uploading a selfie is a security requirement on some payment platforms. In reality, the victims are simply handing over a trove of personal data that can lead to identity theft. “Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name,” the researchers noted. “These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes.” The nature of cyber threats continues to evolve, becoming more sophisticated and pernicious. It is important to learn about the latest threats and actively take measures to safeguard your data. If you found this story interesting and want to learn how to protect your PayPal account from scammers, you’ll find some useful tips in our article about how to secure your PayPal account.