SMILE – New PayPal Phish Has Victims Sending Them a Selfie

Phishing scams masquerading as PayPal are unfortunately commonplace. Most recently, the PhishMe Triage™ Managed Phishing Defense Center noticed a handful of campaigns using a new tactic for advanced PayPal credential phishing. The phishing website looks very authentic compared to off-the-shelf crimeware phishing kits, but also levels-up by asking for a photo of the victim holding their ID and credit card, presumably to create cryptocurrency accounts to launder money stolen from victims.

Let’s examine the components of this phishing scam:

The lure site is obviously hacked hxxps://hellopc[.]co[.]nz/ and the phishing kit is buried in a subdirectory presumably to thwart the anti-phishing vendors who crawl the internet in an attempt to identify phishing sites.  The website appears to have been compromised by “Mr.Dr3awe” of the Syrian Revolution Electronic Army.

Phishing email messages direct potential victims to hxxps://hellopc[.]co[.]nz/wp-includes/random_compat/error_polyfil.php which displays the following page prompting the victim to log in:

So far, a pretty standard PayPal credential phish, right? This is where things get interesting.  After the victim hands over their username and password, they are greeted with another official-looking PayPal-branded screen, asking for name, address, credit card number, etc.

But wait, it doesn’t stop there! If the victim is willing to hand over their phone and credit card numbers, could they possibly be willing to provide even more personal information? How about a selfie? The next page seeks to verify the identity with a photo of the victim holding up a form of ID and credit card next to their face.

The threat actor incorporated an unusual level of detail in the webpages and the underlying code, a snippet of which is shown below. It has input validations that most do not.

After successfully uploading the ID, the victim is seamlessly redirected to the official PayPal website, none the wiser.

Diving deeper into this phishing kit reveals that all the stolen data is being exfiltrated to this email address: oxigene[.]007@yandex[.]com. That email address is tied to a Skype account for “najat zou” of “mansac, France” as seen in the Skype screenshot below.

Recommendation:

PhishMe® cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that pretend to be from PayPal asking to validate any information. You should always go to the service’s website directly and not follow any links received by email, especially when the email is asking to verify account or personal information.

PhishMe Simulator™ customers may consider launching simulations that follow this style of attack to further train their users to detect and report suspicious emails.

Don’t miss another threat – stay on top of emerging phishing and malware threats and attacks, all delivered straight to your inbox completely free. Subscribe to PhishMe Threat Alerts today.

PhishMe® Files Second Intellectual Property Enforcement Action Against Wombat Security Technologies, Inc.
TrickBot Featured in New Wave of Phishing Emails Signaling Renewed Use of this Botnet Malware

Leave a Reply