
PayPal Phishing Site Asks Victims to Submit a Selfie Holding Their ID Card


Stanners


A PayPal phishing campaign is luring victims to a hacked site where a clone of the PayPal login page is trying to trick users into giving away their PayPal credentials, payment card details, and ... a selfie of the user holding his ID card.

The campaign, brought to Bleeping Computer's attention by security researchers from PhishMe, relies on spam emails to drive users toward a PayPal phishing page hosted on a compromised WordPress site in New Zealand.

At the time of writing, the phishing page had been removed, but following a classic pattern for phishing sites, users arriving on this page were asked to log in with their PayPal credentials.

There was no attempt to spoof the browser URL, so if users had any kind of experience with phishing pages, they would have immediately noticed they were on a page with the wrong address.

Greedy crook wants more data

Once users entered their logins, the crook wasn't satisfied. At this point it was obvious he was dealing with an inattentive or untrained user, so the phisher decided to go all-in and ask for more data. During a four-step process, the attack asks for the user's address, payment card data, and a picture of the user holding his ID card.

PayPal phishing page asking for a selfie

It is unclear why the crook would ask for this information. PhishMe expert Chris Sims believes it is "to create cryptocurrency accounts to launder money stolen from victims."

A similar tactic was seen last year

This tactic of asking a user for a selfie while holding his ID card has been seen before. In October 2016, McAfee discovered a variant of the Acecard Android banking trojan that was also asking users to take a selfie holding their ID card when logging into their mobile banking accounts.

The tactic was quite innovative at the time and got a lot of press coverage. It is plausible that the author of this phishing scam came across it and decided to adapt it for his own phishing operation.

The way the "selfie upload" procedure has been implemented is also curious. Instead of relying on WebRTC or Flash to access the user's webcam, take a photo and save it automatically in the form, the crook asks users to upload a photo from their computer. This means more hassle, as the user has to take a selfie, transfer it to the PC, and then upload it to the crook's page. Prolonging the attack this way gives the user more time to notice something wrong with the fake PayPal site.

In addition, there's a second issue. Phishing sites usually don't feature form validation rules, taking whatever users enter in the forms. This phisher broke out of this mold and wrote special form validation rules to make sure the user is uploading the photo in JPEG, JPG, or PNG format.

The crook also made mistakes. The user's photo isn't saved to a server under the crook's control, but sent to an email address at "oxigene[.]007@yandex[.]com."

Sims says he searched for this address in the Skype user directory and found it registered to a person named "najat zou," from "mansac, France." While this information is not reliable to determine the user's nationality or location, it provides researchers with a first clue they can use to track down the phisher if law enforcement decides to investigate this case further.

 

Original Post

 

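As an added example for this thread (not code from the Bleeping Computer write-up or from PhishMe), here is a small Python script that triages a saved copy of a suspected phishing page for the traits the post describes: PayPal branding served from a host that is not paypal.com (the post notes the URL was never spoofed), a login form with a password field, follow-up forms collecting card data, a file-upload field for the ID photo, and client-side validation that limits the upload to JPEG/JPG/PNG. The page HTML and the host name below are constructed for the example.

```python
"""Static triage of a saved copy of a suspected credential-phishing page.

Added example for this thread; it is not code from the article or from
PhishMe. It flags the traits the article describes: PayPal branding on a
non-PayPal host, a login form with a password field, follow-up forms
collecting card data, a file-upload field for an ID photo, and client-side
validation restricted to JPEG/JPG/PNG. The sample HTML and URL are
constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a minimal stand-in for the multi-step clone described above.
SAMPLE_PAGE = r"""
<html><head><title>PayPal: Log In</title>
<script>
function checkPhoto(f) {
  var ok = /\.(jpe?g|png)$/i;
  if (!ok.test(f.value)) { alert('Only JPEG, JPG or PNG files'); return false; }
  return true;
}
</script></head>
<body>
<form action="login.php" method="post">
  <input type="email" name="email"><input type="password" name="password">
</form>
<form action="step3.php" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
</form>
<form action="step4.php" method="post" enctype="multipart/form-data">
  <input type="file" name="idphoto" accept="image/jpeg,image/png"
         onchange="return checkPhoto(this)">
</form>
</body></html>
"""
SAMPLE_URL = "http://compromised-blog.example/wp-content/uploads/pp/"  # constructed

SENSITIVE_FIELD = re.compile(r"card|cvv|cvc|expir|ssn|dob|passport|licen[cs]e|id_?photo|selfie", re.I)
IMAGE_ONLY_RULE = re.compile(r"jpe?g|png", re.I)


class PageCollector(HTMLParser):
    """Gather the title, each form with its inputs, and inline script text."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.forms = []      # dicts: {"action": str, "inputs": [attr dicts]}
        self.scripts = []
        self._form = None
        self._in = None      # "title" or "script" while inside that element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a)
        elif tag in ("title", "script"):
            self._in = tag

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None
        elif tag in ("title", "script"):
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "script":
            self.scripts.append(data)


def is_paypal_host(host):
    """True only for paypal.com itself or a subdomain of it."""
    host = (host or "").lower()
    return host == "paypal.com" or host.endswith(".paypal.com")


def triage_page(html, page_url):
    """Return human-readable indicators found in the page (empty list = nothing flagged)."""
    p = PageCollector()
    p.feed(html)
    host = urlparse(page_url).hostname or ""
    found = []
    if "paypal" in p.title.lower() and not is_paypal_host(host):
        found.append(f"brand mismatch: title {p.title.strip()!r} served from {host!r}")
    has_upload = False
    for f in p.forms:
        types = {(i.get("type") or "text").lower() for i in f["inputs"]}
        names = " ".join(i.get("name") or "" for i in f["inputs"]).strip()
        if "password" in types:
            found.append(f"password form posting to {f['action']!r}")
        if SENSITIVE_FIELD.search(names):
            found.append(f"form collecting sensitive fields: {names}")
        if "file" in types:
            has_upload = True
            accepts = [i.get("accept") or "" for i in f["inputs"] if (i.get("type") or "").lower() == "file"]
            found.append(f"file upload field accept={accepts} posting to {f['action']!r}")
    # The article notes the phisher wrote validation limiting uploads to JPEG/JPG/PNG.
    if has_upload and IMAGE_ONLY_RULE.search("\n".join(p.scripts)):
        found.append("client-side rule restricts the upload to image types (jpeg/jpg/png)")
    return found


if __name__ == "__main__":
    for line in triage_page(SAMPLE_PAGE, SAMPLE_URL):
        print("[!]", line)
```

Run it against a page saved with the browser's "save page" or fetched with curl; the brand-mismatch check is the one that would have caught this particular site immediately, since the post notes no attempt was made to hide the real address.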

PayPal always:
• Addresses you by the first and last name or the company name registered in your PayPal account.

PayPal never:
• Sends an email to "undisclosed recipients" or to more than one email address.
• Asks you to download a form or file to resolve a problem.
• Asks you by email to verify an account using personal information such as your name, date of birth, driver's license or address.
• Asks you by email to verify an account using bank account information such as your bank name, account number or PIN.
• Asks you by email to verify an account using credit card information such as the card number or type, expiration date, ATM PIN or CVV2 security code.
• Asks for your full credit card number without showing the card type and the last two digits of the card.
• Asks for your full bank account number without showing the bank name, account type and the last two digits of the account.
• Asks for the answers to your security questions without showing each security question you chose.
• Asks you to ship an item, send a Western Union wire transfer, or provide a tracking number before the payment you received appears in your account history.

The safest way to confirm the validity of an email about changes to your PayPal account is to log in to your account, where you can verify the activity the email refers to. DO NOT USE THE LINKS IN THE EMAIL TO REACH THE PAYPAL SITE. Instead, type www.paypal.com into your browser to connect to your account.

What is a phishing email?

You may have received a fraudulent email impersonating PayPal or another known entity. These fake emails are also known as "phishing emails" and try to obtain personal information. The goal is to trick you into visiting a fraudulent (spoof) website or calling a phony customer service number where they can obtain your personal and financial information.

We will carefully verify the email you sent us to confirm whether its content is legitimate. We will contact you if we need additional information to investigate this matter. Please note the security advice we have given you, as it can help answer any questions you may have about the email you received.

Help! I have responded to a fake email!

If you have responded to a fake email and provided personal information, or if you believe someone has used your account without permission, you should immediately change your password and security questions.

You should also immediately notify PayPal and we will do everything in our power to protect you.
1. Open the browser and type www.paypal.com.
2. Log in to your PayPal account.
3. Click "Security Center" at the top of the page.
4. Click "Report a problem."
5. Click on "Unauthorized use of your account".

Thank you for your cooperation.

Every email is important. Forwarding suspicious-looking emails to [email protected] contributes to your security and that of other users against identity theft.


 

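The rules in the post above are easy to apply mechanically to a saved message. As an added example (not part of the post and not PayPal's own material), the Python script below parses a raw e-mail and reports the points the post lists: mail sent to hidden or multiple recipients, a form or file attached, and links whose real destination is not paypal.com, including the common trick where the visible link text shows a paypal.com address while the href goes elsewhere. The message, sender and hosts below are constructed for the example.

```python
"""Triage of a saved e-mail that claims to come from PayPal.

Added example for this thread; it is not part of the post above or of
PayPal's own material. It applies the post's rules mechanically: mail sent
to hidden or multiple recipients, a form or file attached, and links whose
real destination is not paypal.com, including links whose visible text
shows a paypal.com address while the href goes elsewhere. The message
below is constructed for the example."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (sender and hosts are made up for the example).
SAMPLE_EML = """\
From: "PayPal" <service@paypal-notice.example>
To: undisclosed-recipients:;
Subject: Your account has been limited
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Please <a href="http://paypal.com.verify-account.example/login">https://www.paypal.com/</a>
to restore access.</p></body></html>
--b1
Content-Type: application/octet-stream; name="PayPal_Form.html"
Content-Disposition: attachment; filename="PayPal_Form.html"
Content-Transfer-Encoding: base64

PGh0bWw+
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_paypal_host(host):
    """True only for paypal.com itself or a subdomain of it."""
    host = (host or "").lower()
    return host == "paypal.com" or host.endswith(".paypal.com")


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.paypal.com/login'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def triage_email(raw):
    """Return a list of findings; an empty list means none of the post's rules fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    to = str(msg.get("To", ""))
    if "undisclosed" in to.lower() or "hidden" in to.lower() or to.count("@") > 1:
        findings.append(f"recipients hidden or multiple: {to!r}")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            findings.append(f"attachment present: {part.get_filename()!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        lc = LinkCollector()
        lc.feed(body.get_content())
        for href, text in lc.links:
            href_host = host_of(href)
            if not is_paypal_host(href_host):
                findings.append(f"link to non-PayPal host: {href_host}")
            if "." in text and " " not in text:  # visible text looks like a URL or host
                text_host = host_of(text)
                if text_host and text_host != href_host:
                    findings.append(f"visible text {text!r} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for f in triage_email(SAMPLE_EML):
        print("[!]", f)
```

Feed it the raw source of a message (most mail clients offer "show original" or "save as .eml"). The hostname comparison is the important part: "paypal.com.verify-account.example" starts with paypal.com but is not a PayPal domain, which is exactly why the post tells you to type the address yourself rather than click.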


That sort of scam lends itself to poisoning: sending fake images and supplying fake data.

 

A bit like the gazillion automated fake pharmacy orders I (and others who used my "FormFiller" Firefox addons) used to lodge at the Viagra/Cialis/Loan scammer sites in the noughties. :)
