PayPal-themed phishing campaigns are nothing new, but they are more and more legitimate-looking as time goes by.
Researchers with OpenDNS Labs have spotted one such campaign that started on January 26th, and some of the spoofed PayPal login pages are still up.
As per usual, potential victims are lured to the fake pages with emails impersonating the popular e-payments company, usually claiming that there is a problem with the user’s account, and ostensibly offering a direct link to it.
Following the link leads the victims through a chain of pages created to extract as much personal and financial information from them as possible:
The fake pages are/were hosted on a number of domains with “paypal” in their name – redirectly-paypal[.]com, security-paypal-center[.]com, x-paypal[.]com, and so on – and the domains are hosted with various providers.
Some of these spoofed websites are virtually indistinguishable from the legitimate PayPal site, as they use the same or similar images, text and color scheme. In one example, the attackers copied HTML code directly from the legitimate site.
This particular phishing campaign is still active, with at least one of the fake websites still up and running. PayPal has been notified of this, and is working on taking down all of them.
“Some of the indicators to look out for to make sure you don’t fall victim to this type of attack is to verify that the site is using HTTPS and a legitimate SSL Certificate from the organization you are visiting. All of the spoofed sites we saw served their content over HTTP, which is highly uncommon for money transfer sites,” the researchers advise.
“Other items to notice are variations in the layout from the legitimate site. The original phishing email could also provide clues as to its authenticity. If the wording is off or it’s blatantly asking for you to enter your password somewhere, it could be phishing. A more advance user may want to review the headers of an email, tracing the path to determine if it was spoofed to look as if it is coming from another location.”