Researchers at Akamai have discovered a new and sophisticated phishing scam targeting over 400 million potential PayPal customers.
Akamai staff learned of the scam after finding it embedded inside their own WordPress site, and countless other genuine WordPress sites are thought to have been hacked, too.
Most at risk are poorly secured websites with easy-to-guess passwords and no additional authentication or verification set up.
The scam begins with a CAPTCHA popup, which helps it go mostly undetected. Users then log in to what they believe is their PayPal account, before confirming payment details including their address, mother’s maiden name and social security number.
Users are then given a false sense of security as the scam lets them link their email address to the account, but all this does is give the scammers access to individuals’ mailboxes.
Identity theft scamming
The final step in supposedly securing the PayPal account is to upload an identification document – including passports, driving licenses, and national identification cards – which could go on to serve a whole number of potentially illegal purposes.
In its release, Akamai said: “Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes.”
The page layout closely mimics what users will already be accustomed to by piggybacking off PayPal’s color palette and design interface. Furthermore, it seems that .htaccess was used to rewrite the URL, thus eliminating the PHP file extension, helping to present a less suspicious web address.
In general, Internet users are advised either to verify that the URL matches the company’s own address or to re-access the page from a search engine, in order to make sure that they are not being scammed.
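The URL check advised above, as an added example that is not part of the original article or of Akamai's research: because the kit hides its PHP extension, the path tells you nothing, so the check looks only at the scheme and the parsed host. The `TRUSTED_DOMAINS` list, the function name `checkLink` and all sample URLs are assumptions constructed for illustration.

```javascript
// Trusted registrable domains (assumption: fill from the company's own
// published addresses).
const TRUSTED_DOMAINS = ["paypal.com"];

function checkLink(raw) {
  let url;
  try {
    url = new URL(raw); // the same WHATWG parser browsers use
  } catch {
    return { trusted: false, host: null, reason: "not a valid absolute URL" };
  }
  // The parser lowercases the host and converts Unicode labels to punycode
  // (xn--...), so look-alike letters never compare equal to the real name.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") {
    return { trusted: false, host, reason: "not HTTPS" };
  }
  // Exact match or a true subdomain; "paypal.com.example.net" ends with
  // "example.net", not ".paypal.com", so it fails here.
  const match = TRUSTED_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d)
  );
  if (!match) {
    const reason = url.username
      ? "text before '@' is login info, not the host"
      : "host is not a trusted domain";
    return { trusted: false, host, reason };
  }
  return { trusted: true, host, reason: "host matches a trusted domain" };
}

// Constructed sample links (not taken from the article).
const SAMPLES = [
  "https://www.paypal.com/signin",
  "https://blog.example.org/signin", // clean, extensionless path on another site
  "https://paypal.com.example.net/signin", // brand name used as a subdomain
  "https://paypal.com@example.net/signin", // brand name in the userinfo part
  "https://example.net/paypal.com/signin", // brand name in the path
  "https://p\u0430ypal.com/signin", // Cyrillic "a" look-alike
  "http://www.paypal.com/signin", // right host, no TLS
];

for (const link of SAMPLES) {
  const r = checkLink(link);
  console.log(`${r.trusted ? "OK  " : "FAIL"} ${r.host} (${r.reason})`);
}
```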