PayPal-themed phishing kit allows complete identity theft

Sometimes phishers are just after your username and password, but other times they are after every scrap of sensitive information they can extract from you. To do that, they use tools like the phishing kit recently analyzed by Akamai researchers.

By misusing the PayPal logo and general design, the phishing kit leads users through a set of pages and forms aimed at collecting information that can later be used to steal the victims’ identity and perform money laundering, open cryptocurrency accounts, make fraudulent tax return claims, and much more.

How does the phishing look from the victim’s perspective?

The phishing kit / pages start with asking the potential victim to pass a security (CAPTCHA) challenge (that actually works):

Once victims pass that “hurdle”, they are asked to enter their PayPal account username (i.e., their email address) and password. After that, they are faced with a warning saying that PayPal has noticed some unusual activity on their account, and that they need to secure it, by sharing / uploading:

• Their credit card information (including CCV number), their name, date of birth, real-world address, phone number
• Their ATM PIN, Social Security number, their mother’s maiden name
• Their email login credentials
• A photo of a document issued by the government and a selfie “to confirm their identity”

Then, to finalize the deception and to give the victims a false sense of security, the kit shows one last image:

About the phishing kit

The attackers using the kit are targeting legitimate WordPress sites. They guess or brute-force the credentials for the WP admin account, and install a file management plugin so they can upload the phishing kit.

“One of the unique aspects of this phishing kit is its attempts to directly evade security companies by providing multiple different checks on the connecting IP address to ensure that it doesn’t match specific domains or originate from security organizations,” researchers Larry Cashdollar and Aline Eliovich shared.

The author of the kit has also used htaccess to rewrite the URLs, so that the phishing pages don’t have the telltale .php at the end.

To increase the credibility of the phishing pages, the kit maker exploits the fact that it has become normal for brands and companies nowadays to enforce different security measures.

“Looking at this kit from an outsider’s perspective, it may seem obvious that it isn’t legitimate. If you have been on PayPal’s site any time recently, you would know this isn’t a real page: PayPal links to both credit cards and banking information directly, allows a one-time password for login, and would never ask for your ATM PIN. However, the social engineering element here is what makes this kit successful,” the researchers concluded.