Hacker stealing all data from a paypal login using a vacuum

This PayPal phishing scam steals everything!

(All images credit: welivesecurity)

A new, and somewhat ambitious phishing scam impersonating PayPal is going a few steps further in its requests for victims’ information.

The primary objective of most phishing campaigns is often to steal information, however most of them set their goal at usernames and passwords, giving hackers access to the victims’ accounts.

This particular campaign, however, sets its sights much higher, going as far as to request physical billing addresses, dates of birth, phone numbers and even credit/debit card details.

The emails, discovered December 20th by researchers at ESET and pictured below, claim to report ‘unusual activity’ on the user’s account and ask them to confirm their identity by following a link within.

Phishing email claiming to be from PayPal, asking users to confirm their identity

Those who click the link are taken to a fake security page bearing PayPal’s logo which asks the user for help in securing their account. A CAPTCHA box is included, adding to the perceived authenticity of the page. It is somewhat thwarted in its appearance, however, as the message within the box does not quite fit and is cut off at the end.

Fake landing page with PayPal logo and a CAPTCHA input asking users to Secure their account

If the user enters the CAPTCHA and passes through to the next stage, they are asked for their username and password to log into their PayPal account. This is pretty standard, but even after the credentials have been entered, the hackers continue to ask for more…so much more.

The next step comes in the form of a poorly-written account verification page, which apologises to the user and explains their account is still limited and that they must continue to update their information.

Fake PayPal account verification warning

Should the user still not be aware of what is going on and click continue, the campaign takes them through a selection of pages which drain the user utterly dry of their digital identity.

First they are asked for their billing address, phone number and date of birth:

Fake PayPal page asking users to input their personal address, phone number and date of birth

Next, their full credit/debit card details:

Fake PayPal page asking for the user's credit card information

Just in case that wasn’t quite enough, they’re asked for their account number, sort code and mother’s maiden name…Ever had to enter your credit card’s sort code? Me neither.

Fake PayPal page asking for the user's account number and sort code, along with mother's maiden name

Lastly, adding one more layer of insult to the already-monumental injury, the campaign asks the user to link their PayPal account to an additional email account by entering their email address and “Password Email Address”.

Fake PayPal page asking for victim's separate email address and password

Once the victim has given up all their information (with the exception of blood type), they are taken to the least convincing page of the campaign, congratulating them on their restored account access.

Fake PayPal page telling the victim they have restored access to their account

Due to the ambitiousness and sheer quantity of alarm bells this campaign raises during it’s dredging of user information, we expect the success rate to be rather low. But for those uneducated users that don’t notice the errors and suspicious requests for personal information, it will be an absolutely devastating holiday surprise.

PayPal is no stranger to brand impersonation, in fact this year marked the first time it overtook Microsoft as the most-impersonated brand by phishers. But campaigns like these pose a significant threat to its users and without proper education and training, users could see their digital identities irreversibly compromised.

Knowing how to spot false emails like these, especially within the business environment, is only half the battle. It’s all well and good being confident that you won’t fall victim to a phishing attack, but what about every other user in the organisation? How can we be sure their level of competence matches your own?

Security Awareness Training and simulated phishing campaigns are the fastest and most cost effective way to easily reduce your organisation’s cyber threat surface. At Phishing Tackle, we even went as far as to create a free tool which shows how many of your users are susceptible to a phishing email, check it out here: Free Click-Prone® Test

2019 saw successful phishing campaings increase dramatically and 2020 has no reason to show otherwise. Make sure your users are aware of how to spot phishing emails and reduce your chances of becoming the next victim.

We offer a free trial of our Security Awareness Training and simulated phishing platform, check it out today.

Recent posts