Akamai investigations revealed that a threat actor is hacking WordPress sites to run a novel PayPal phishing scam.
Akamai security researchers recently discovered a sophisticated new PayPal phishing scam. As a first step, the attackers gain access to WordPress sites. Once a phishing kit has been injected, customers attempting to pay via PayPal end up on a fake page instead of the genuine PayPal login site. There they are asked to enter a large amount of personal data, including official identification documents and photos. If successful, the attackers could do anything from identity theft to money laundering in the victims' names.
WordPress sites with weak logins compromised by brute force
Many individuals and companies rely on PayPal as the online payment solution on their WordPress sites. To gain access, the hackers brute-force the site's login: an automated method that tries passwords or keys one after another until one succeeds. Once the site is compromised, the attackers install a file management plugin, which they then use to upload their phishing kit. This effectively turns the website into an information gathering tool.
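The sequence described above (a burst of failed logins, a successful login from the same address, then a plugin upload) leaves a recognisable trail in the web server's access log. The following detection logic is an added example, not code from Akamai or from the article; it assumes Apache combined log format, that a default WordPress install answers a failed wp-login.php POST with HTTP 200 and a successful one with a 302 redirect, and that plugin uploads go through /wp-admin/update.php. The log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format: client IP, timestamp, "METHOD PATH PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Plugin upload/install endpoint on a default WordPress install (assumption).
PLUGIN_UPLOAD = re.compile(r"^/wp-admin/update\.php\?action=(upload-plugin|install-plugin)")

# Constructed sample: 203.0.113.7 fails six times, logs in, then uploads a plugin;
# 198.51.100.5 is an ordinary admin with a single typo before logging in.
FAILED = '203.0.113.7 - - [10/Jul/2022:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "python-requests/2.28"'
SAMPLE_LOG = "\n".join([FAILED % s for s in range(1, 7)] + [
    '203.0.113.7 - - [10/Jul/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.28"',
    '203.0.113.7 - - [10/Jul/2022:10:01:15 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Jul/2022:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Jul/2022:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Jul/2022:10:03:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
])

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}

def analyse(log_text, threshold=5):
    """Return IPs that brute-forced wp-login.php and those that then uploaded a plugin."""
    failures = defaultdict(int)
    logged_in, brute, uploads = set(), set(), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["path"].split("?")[0] == "/wp-login.php":
            if ev["status"] == 200:  # bad password: WordPress re-renders the form
                failures[ev["ip"]] += 1
                if failures[ev["ip"]] >= threshold:
                    brute.add(ev["ip"])
            elif ev["status"] == 302:  # successful login redirects to wp-admin
                logged_in.add(ev["ip"])
        elif PLUGIN_UPLOAD.match(ev["path"]) and ev["ip"] in brute and ev["ip"] in logged_in:
            uploads.add(ev["ip"])  # plugin upload right after a brute-forced login
    return {"brute_force": sorted(brute), "post_compromise_upload": sorted(uploads)}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The threshold is deliberately low for the sample; on a real site it should be tuned against the normal rate of mistyped passwords so that the legitimate admin in the second half of the log stays unflagged.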
Victims are given a false sense of security
Customers who choose to pay via PayPal on such a website must first solve a Captcha. They are then asked to enter their login data, i.e. their e-mail address and password. The hackers, however, are not satisfied with the information obtained so far, so the scam does not end there.
In the next step, the hackers try to build trust. An interspersed notice draws attention to supposedly unusual activity on the account, and users are therefore asked to pass additional security checks. This gives victims the feeling that they are in a legitimate scenario.
PayPal phishing kit leads to complete ID theft
The way is then clear for the scammers to request personal data without restraint. Customers are asked to provide their credit card information, social security number, full residential address, government-issued ID (such as a passport or driver's license) and even a photo of themselves. Under the pretext of account protection, the scammers then also demand that an external e-mail account be linked. In this way, the victim effectively reveals their complete identity. With the captured data, the fraudsters would also be able to open accounts in the victim's name.
To avoid detection, the phishing kit cross-references visitors' IP addresses against specific domains to ensure they do not belong to cybersecurity companies.
PayPal hackers fell for Akamai's honeypot
In their blog post, Akamai's security researchers reveal that they first noticed the phishing kit after it appeared on one of their WordPress honeypots. The researchers had set up this honeypot specifically to study hacking and other malicious activity.
In conclusion, Akamai’s security researchers state:
“Looking at this kit from an outsider’s perspective, it may seem obvious that it is not legitimate. If you’ve been to PayPal’s website lately, you know this isn’t a real site: PayPal links directly to both credit card and banking information, allows a one-time password to log in, and would never ask for your ATM PIN. However, the social engineering element makes this kit successful.
Nowadays, people judge brands and companies by their security measures. Not only is it common to verify your identity in a variety of ways, but it is also an expectation when logging into websites with highly sensitive information, such as financial or healthcare companies.”
“As security measures progress, so do the attackers. As is the amount of personal information they can collect. With increased media and workplace safety coverage, people are more aware than ever, raising the stakes for criminals looking for some sort of reward.”