Researchers at ESET are warning of an ongoing phishing campaign targeting PayPal customers that attempts to steal not only access credentials to the payment service, but also victims’ financial information. The phishing messages are camouflaged as ‘unusual activity’ alerts warning users of suspicious logins from unknown devices and prompting them to take immediate action to secure their accounts.
“Please log in to your PayPal account and complete the steps to confirm your identity. To help protect your account, your account will remain limited until you complete the necessary steps,” the phishing emails say.
Once the victim clicks on the link in the phishing message, they are presented with a PayPal-branded page reiterating the claimed account compromise and asking them to confirm their ‘informations’ by entering a CAPTCHA code displayed on the page.
“The manufactured sense of urgency is not the only telltale sign to tip you off that something is amiss. Other giveaways include the odd URL (though partly obfuscated here for security reasons), substandard English, chopped-off letters, and the use of a CAPTCHA,” the researchers explained.
If the target enters the CAPTCHA, a fake login interface is displayed imitating a genuine two-step PayPal login process. Once the victim enters their username and password, they are asked to hand over a range of sensitive information, including their credit or debit card data, access credentials to the bank account linked to the card and, lastly, the login to their email account.
After collecting all of the sensitive information from their victims, the campaign’s operators send them to a page congratulating them for restoring access to their accounts and assuring them that their “accounts will be verified in the next 24 hours.”
In the course of the campaign the attackers used multiple phishing domains with names designed to resemble an official PayPal site. To add credibility to the fake sites, the attackers used authentic SSL (Secure Sockets Layer) certificates, so the presence of HTTPS alone was no indication of legitimacy. One of the domains hosting the scam was registered through Namecheap on December 5, with the registrant info protected using WhoisGuard and a Cloudflare SSL certificate valid between December 4, 2019, and October 9, 2020, the researchers said.
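Because the campaign relied on lookalike domain names carrying valid certificates, a useful defensive check is to triage the links in a suspect message by brand keyword and registrable domain rather than by whether the URL uses HTTPS. The following is an added example written for this article, not ESET's or the article's own code; the brand allowlist, the simplified registrable-domain logic, the homoglyph map and the sample email are all constructed assumptions for illustration.

```python
"""Lookalike-domain triage for links found in a suspected phishing email.

Added example (not ESET's or the article's code). Assumptions: the brand
allowlist below, the simplified registrable-domain logic, the homoglyph
map and the constructed sample message are all illustrative."""
import re
from urllib.parse import urlparse

# Assumption: the only registrable domain the brand legitimately uses.
# In practice, maintain this allowlist per brand you care about.
LEGIT_DOMAINS = {"paypal": {"paypal.com"}}

# Common digit-for-letter substitutions seen in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: a production check should use the Public Suffix List
    (for example via the tldextract package) so that co.uk-style suffixes
    are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise_host(host: str) -> str:
    """Collapse separators and obvious homoglyphs so that a hostname such
    as 'paypa1-help' still reveals the brand keyword."""
    return host.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def classify_url(url: str) -> str:
    """Classify one URL as 'legitimate', 'lookalike' or 'no-brand'.

    A valid TLS certificate (https://) is deliberately NOT treated as a
    trust signal: the campaign described in the article used authentic
    certificates on lookalike domains."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    stripped = normalise_host(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if brand in stripped:
            return "legitimate" if reg in legit else "lookalike"
    return "no-brand"


def triage_message(text: str) -> dict:
    """Map every URL found in the message body to its verdict."""
    return {url: classify_url(url) for url in URL_RE.findall(text)}


# Constructed sample: an 'unusual activity' lure with three links.
SAMPLE_EMAIL = """\
We noticed unusual activity. Please log in to confirm your identity:
https://paypal-account-verify.example/confirm
Or visit https://www.paypal.com/signin to manage your account.
Questions? https://secure.paypa1-help.example/support
"""

if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {url}")
```

Run as a script it prints a verdict per link; as a module, `triage_message` can be called from a mail-filtering hook. The point of the design is that the verdict depends only on the registrable domain matching the allowlist, so a lookalike with a perfectly valid Cloudflare certificate is still flagged.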
“It’s worth noting that we’ve found no evidence that this campaign results in the installation of malicious software on victims’ machines. And, as this scam starts with a phishing email, the usual precautions will go a long way towards helping you stay safe,” ESET noted.
Security feed from CyberSecurity Help