A new PayPal SMS phishing campaign is making the rounds, according to Paul Ducklin at Naked Security. The text messages in this campaign purport to come from PayPal and inform recipients that there’s been unusual activity detected on their PayPal accounts.
If a user clicks on the link provided in the message, they’ll be taken to a legitimate-looking phishing site that spoofs PayPal’s login process. After providing their email address and password (which are sent to the attackers), users are asked to enter their mother’s maiden name, their home address, and finally their credit card and bank details. After this, the site will redirect the user to PayPal’s real homepage in order to remove any suspicion.
An interesting aspect of this particular campaign is that the phishing site will remember victims’ IP addresses. If a victim tries to revisit the site to investigate it further, they’ll immediately be redirected to PayPal’s homepage.
PayPal phishing campaigns via email are extremely common, but Ducklin explains that SMS phishing gives the attackers several advantages.
“SMS messages are short and simple, with no room for ‘Dear Sir/Madam’, so people don’t expect to be greeted by name; there are usually few pleasantries or polite words; and there’s no need for fancy layout, icons, fonts or other typographical and artistic details,” Ducklin writes. “As a result, crooks can create believable fakes, with no obvious mistakes, fairly easily.”
The campaign also makes use of subdomain spoofing, a technique used to make phishing URLs look more believable. When you register a website, the combination of the top-level domain and the second-level domain must be unique. Using “paypal.com” as an example, “paypal” is the second-level domain and “.com” is the top-level domain. You can’t register a second domain named “paypal.com,” but you can put as many subdomains as you like in front of a domain you do own. Consequently, attackers can register a unique “example[.]com” and create the subdomains “paypal” and “com,” so that the URL appears as “paypal[.]com[.]example[.]com.”
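The defensive counterpart of the subdomain trick is to look at the registrable domain (the public suffix plus one label) rather than at the left-hand end of the hostname. The following is an added example, not code from the original article or from Sophos/Naked Security: it refangs a defanged URL, works out the registrable domain with a deliberately small, constructed suffix list (a real triage tool would use the full Public Suffix List), and flags any URL whose host mentions a brand but whose registrable domain is not that brand’s real domain. The brand table and the sample URLs are assumptions made up for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix list for this example.
# A production checker should load the real Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Assumed brand -> legitimate registrable domain table (example only).
BRAND_DOMAINS = {"paypal": "paypal.com"}


def refang(url):
    """Turn a defanged indicator such as hxxps://a[.]b back into a real URL string."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Return the public suffix plus one label, e.g. 'example.com' for
    'paypal.com.example.com', or None if the host has no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host towards the right so the longest suffix wins
    # ('co.uk' is matched before 'uk' could be).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host *is* a bare public suffix
            return ".".join(labels[i - 1:])
    return None


def check_brand_url(url, brand_domains=BRAND_DOMAINS):
    """Classify a URL as ('ok' | 'lookalike', brand, registrable_domain).

    The brand name is searched in the whole netloc (including any user-info
    part before '@'), while the registrable domain is taken from the parsed
    hostname, so 'https://paypal.com@example.com/' is also caught."""
    parts = urlsplit(refang(url))
    netloc = parts.netloc.lower()
    host = parts.hostname or ""
    actual = registrable_domain(host)
    for brand, legit in brand_domains.items():
        if brand in netloc and actual != legit:
            return ("lookalike", brand, actual)
    return ("ok", None, actual)


if __name__ == "__main__":
    # Constructed sample indicators; the first is the pattern from the article.
    for sample in (
        "https://paypal[.]com[.]example[.]com/login",
        "https://www.paypal.com/signin",
        "https://paypal.com@example.com/",
    ):
        print(sample, "->", check_brand_url(sample))
```

The check is intentionally narrow: it only answers “is the part of the name that the registrant actually controls the brand’s real domain?”, which is exactly the question a small mobile address bar hides. Anything more (typosquats, homoglyphs) needs a separate check.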
This technique is used in all kinds of phishing campaigns, but it’s particularly effective when it’s used against mobile devices since it’s harder to see the entire URL.
It’s worth noting that the phishing site in this campaign is very well-crafted, and the only visual element that could tip off the user is the URL. New-school security awareness training can teach your employees to be suspicious any time they’re asked to enter sensitive information, even if the source appears legitimate.
Naked Security has the story: https://nakedsecurity.sophos.com/2020/02/05/paypal-sms-scams-dont-fall-for-them/