Akamai uncovers sophisticated PayPal phishing scam


By Dylan Bushell-Embling
Wednesday, 20 July, 2022

Attackers are exploiting benign WordPress sites to execute a highly sophisticated PayPal phishing scam that could be used for total identity theft, Akamai researchers have discovered.

The researchers discovered the attack by operating a WordPress honeypot, which the attacker penetrated by guessing or brute-forcing the administrative WordPress credentials used to set up the sting.

The attacker ‘parasites’ WordPress sites by exploiting plug-ins or weak admin credentials, and uses them as a host to upload the PayPal phishing kit.
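Detection logic for the two footholds described above (credential guessing against the WordPress admin login, then a phishing kit planted inside the site), as an added example that is not part of the article or of Akamai's research. The access-log lines are constructed, and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not taken from the
# article or from Akamai's honeypot. Statuses follow WordPress behaviour: a failed
# login re-renders wp-login.php with HTTP 200, a successful one redirects with 302.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jul/2022:10:01:15 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Jul/2022:10:02:00 +0000] "GET /wp-content/uploads/2022/07/ppl/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Jul/2022:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, method, path, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m['ip'], m['method'], m['path'], int(m['status'])

def detect(log_text, max_failures=5):
    """Return findings: sources that guessed at wp-login.php repeatedly and then
    logged in, and PHP being served from the uploads tree, where a planted kit
    would live (PHP should never execute there). Threshold is an assumption."""
    failures = defaultdict(int)
    findings = []
    for ip, method, path, status in parse(log_text):
        if method == 'POST' and path.startswith('/wp-login.php'):
            if status == 200:                      # form re-rendered: failed attempt
                failures[ip] += 1
            elif status == 302 and failures[ip] >= max_failures:
                findings.append(('brute_force_success', ip, failures[ip]))
        if path.startswith('/wp-content/uploads/') and path.endswith('.php'):
            findings.append(('php_in_uploads', ip, path))
    return findings

if __name__ == '__main__':
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```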

The kit includes code attempting to evade detection by cross-referencing IP addresses to specific domains, researchers found. It does this by comparing the connecting IP address with a list of static IP ranges and domains it has hard-coded in its source files, which include the network blocks of companies like Google, Microsoft and Sucuri.

The victim is first presented with a captcha challenge, which makes the phishing site appear more like a legitimate PayPal site, followed by an email address and password prompt that harvests the account credentials.

But this kit goes even further by introducing a new site claiming that PayPal has witnessed some unusual account activity, to lure victims into giving up even more information including credit card information, ATM PIN and even mother’s maiden name.

The next screens go even further, asking for an email address and password, scans of passports, driver’s licences or national ID cards — with victims asked to upload the photo together with a selfie, which could be used to create cryptocurrency accounts under a victim’s name — and other extremely sensitive information.

In a blog post, Akamai’s security research team said the attack relies heavily on social engineering.

“People judge brands and companies on their security measures these days. Not only is it commonplace to verify your identity in a multitude of ways, but it’s also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies,” the blog post states.

“By using captcha immediately, telling the victim that there has been unusual account activity, and reinforcing ‘trust’ by utilising ‘new security measures’ like proof of government identification, they are making the victim feel as if they are in a legitimate scenario. The same methods that can ensure an identity is secure can ultimately lead to total identity theft — not just credit card numbers, but cryptocurrency accounts and anything else the threat actor wants to obtain.”

Image credit: ©stock.adobe.com/au/kaptn
