A newly observed phishing campaign targeting PayPal users employs checks to immediately verify whether the entered login credentials are legitimate or not, Proofpoint reveals.
Using email as the distribution method, attackers lured users to a well-crafted phishing page that appeared to be a legitimate PayPal login page, but was actually the first step in an elaborate scheme meant to trick users into revealing their banking and personal information. (The attack is different from a separate sophisticated phishing campaign targeting PayPal users detailed earlier this week.)
The phishing page, researchers say, returns a “vaguely worded error message” if the wrong credentials are entered, something that doesn’t usually happen with phishing landing pages, as they tend to accept any credentials that users enter. The newly observed page, however, verifies the entered credentials with PayPal before moving forth with the scheme.
To perform the check, the crooks were using a decommissioned service in PayPal, meant to allow one to purchase a gift card from a user. “If the queried email account does not exist, the login supplied to the phishing landing page is discarded, helping to ensure that the phisher gets a higher percentage of valid credentials. The code does not check the password, only that the email account exists on PayPal,” Proofpoint researchers note.
Usually, scammers verify the stolen credentials after they managed to acquire a larger number of potential logins, but the new approach eliminates the need to perform the validation at a later date. On top of that, researchers say, this specific approach can fool automated analysis tools.
Once a valid PayPal email address is used, the victim is presented with a reassuring welcome page, followed by a phishing page on which users are required to confirm the credit card information they have associated with their PayPal account. Because the phishing kit comes with support for multiple languages, it can appear legitimate to users in many locations.
The phishing kit was also designed to check the credit card number that the victim supplies, making sure it passes the Luhn algorithm, as well as to perform a lookup against the card number to retrieve additional information. After validating the credit card, the kit asks the victim to enter security information about their card.
Users are also asked to link their bank accounts to their PayPal account, and are offered a number of well-known retail banks to choose from. Stolen bank branding gives the phishing page a legitimate look. Next, the user is asked to enter login credentials for their bank, claiming that the information is not saved, which is, of course, fraud.
“The user is then prompted for routing information for the bank account. Finally, the phishing kit prompts the user for identity information such as a driver’s license number or other identifying document that can be uploaded directly to the phishing kit. If the victim clicks the ‘Don’t have your ID now?’ button, they simply skip this screen,” Proofpoint said.
After attempting to gather all of the aforementioned personal and financial information from the victims, the phishing kit then redirects them to the legitimate PayPal website. According to Proofpoint, in addition to using inventive phishing pages, the scheme uses an administrative backend similar to what remote access Trojans (RATs) usually employ.
Through this panel, attackers can view visitor information, the option to access stolen credentials, and a simple interface for the administrator to modify settings. There is even the option to enable a “selfie page” where Flash is used to interact with the victim’s webcam, most probably to allow the phisher to snap a photo of the victim for later use. The admin panel even features a page for Trojans, but the feature appears to be under development.
“As attackers continue to turn away from the use of exploits and other means of compromising victim PCs and stealing information via malware, they are developing increasingly sophisticated means of collecting credentials and other data directly through phishing schemes. The use of phishing kits like the one detailed here provides threat actors with ready access to turnkey templates and administrative backends that make harvesting data from unsuspecting victims all too easy,” Proofpoint says.
The phishing kit also illustrates the advanced state of “crimeware as a service” and how straightforward conducting phishing scams can be. The existence of an admin panel with the aforementioned options is quite rare among credential phishing kits at the moment, but similar panels were previously associated with APT activities. However, this type of admin panel is expected to become more common and, understandably, popular with phishing actors, Proofpoint concludes.