Researchers at Akamai have discovered a PayPal phishing kit that attempts to steal victims’ identities as well as their financial information. The phishing page looks identical to PayPal’s login page, and asks users to solve a captcha before entering their username and password. The researchers note that asking for the captcha can instill a sense of trust in the user, because the site appears to be applying security measures of its own.
After the victim has apparently logged in, the site tells them that suspicious activity has been detected on their account and asks them to verify their payment card information. In addition, the site asks for the user’s social security number, mother's maiden name, and their card’s PIN. After this, the site asks the user to take a picture of themselves holding their passport, driver’s license, or national ID. Akamai notes that this is “well beyond what a typical phishing kit would attempt to gather,” and could be used to create cryptocurrency accounts using the victim’s identity.
The phishing kit also refuses to serve its pages to visitors connecting from IP addresses known to belong to security companies and other large vendors, so that scanners and crawlers operated by those organizations do not reach the malicious content and flag it.
“One of the unique aspects of this phishing kit is its attempt to evade detection by cross-referencing IP addresses to specific domains,” the researchers write. “It provides multiple different checks on the connecting IP address to ensure that it doesn’t match specific domains or originate from security organizations. It does this by comparing the connecting IP address with a list of static IP ranges and domains it has hard-coded in its source files. These IP ranges are the network blocks of companies like Google, Microsoft, Sucuri, etc. It also checks the IP address against an IP reputation site using an API key that is embedded in the code, looking for any IPs that may be flagged as malicious.”
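The gating logic the researchers describe is straightforward to reconstruct, and doing so is useful for a defender: it explains why a sandbox or URL scanner can fetch a kit’s landing page and see nothing suspicious. The following is an added example written for this page, not Akamai’s code and not the kit’s source. It reproduces the three checks in the quote (hard-coded CIDR ranges, reverse-DNS names matched against vendor domains, and an IP reputation lookup) with constructed sample ranges, domains and lookup tables so that it runs offline; the real kit’s lists and API are not reproduced here.

```python
"""Added example (not the kit's code): reconstruction of the visitor-gating
logic described in the Akamai write-up. A connecting IP is denied if it falls
in a hard-coded CIDR list, if its reverse-DNS (PTR) name ends in a listed
domain, or if an IP reputation lookup flags it. Every range, domain and lookup
below is constructed for illustration."""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed sample blocklist. RFC 5737 / RFC 3849 documentation ranges stand
# in for the vendor network blocks (Google, Microsoft, Sucuri, ...) the kit
# hard-codes in its source files.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # stand-in for a search-engine crawler block
    "198.51.100.0/24",  # stand-in for a security vendor block
    "2001:db8::/32",    # IPv6 stand-in
)]

# Constructed sample PTR suffixes; the kit compares the visitor's reverse-DNS
# name against a list of vendor domains.
BLOCKED_DOMAIN_SUFFIXES = ("googlebot.example", "scanner.example", "sucuri.example")

ResolveFn = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
ReputationFn = Callable[[str], bool]         # ip -> True if the service flags it


def in_blocked_range(ip: str) -> bool:
    """CIDR check. ipaddress returns False for an IPv4/IPv6 version mismatch."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def has_blocked_ptr(ip: str, resolve: ResolveFn) -> bool:
    """Reverse-DNS check: match the PTR name, or any of its subdomains,
    against the blocked suffixes. Unresolvable IPs are not blocked."""
    host = resolve(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in BLOCKED_DOMAIN_SUFFIXES)


def gate_visitor(ip: str, resolve: ResolveFn, reputation: ReputationFn) -> str:
    """Return the reason a visitor is denied, or "allow" if the kit would
    serve its phishing page. Checks run cheapest first, as a kit would."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "deny:invalid-ip"
    if in_blocked_range(ip):
        return "deny:cidr"
    if has_blocked_ptr(ip, resolve):
        return "deny:ptr"
    if reputation(ip):
        return "deny:reputation"
    return "allow"


def live_resolve(ip: str) -> Optional[str]:
    """Real PTR lookup via the standard library (needs network; not used by
    the offline demo below)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


# Constructed offline stand-ins for the PTR lookup and the reputation API.
_PTR_TABLE = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.example.",  # crawler-looking PTR
    "192.0.2.11": "mail.corp.example.",                   # ordinary host
}
_FLAGGED_BY_REPUTATION = {"192.0.2.12"}


def fake_resolve(ip: str) -> Optional[str]:
    return _PTR_TABLE.get(ip)


def fake_reputation(ip: str) -> bool:
    return ip in _FLAGGED_BY_REPUTATION


if __name__ == "__main__":
    # Constructed sample visitors: two blocked by CIDR, one by PTR, one by
    # reputation, one allowed (the would-be victim).
    for visitor in ("203.0.113.5", "2001:db8::1", "192.0.2.10",
                    "192.0.2.12", "192.0.2.11"):
        print(f"{visitor:>16}  {gate_visitor(visitor, fake_resolve, fake_reputation)}")
```

The practical lesson for an analyst is in the "allow" branch: a visitor from an unlisted address with an unremarkable PTR record and a clean reputation score gets the phishing page, while a scanner egressing from a known vendor block gets a benign response or nothing. If a reported URL looks harmless from your sandbox, re-fetch it from an address that is not in any published vendor range before closing the ticket.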
New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.
Akamai has the story.