New PayPal Phishing Kit Hijacks WordPress Sites
Attackers Utilize Fake Security Checks to Obtain Victims’ PII.
Researchers have uncovered a new phishing kit that is planted on legitimate WordPress sites and, under the guise of security checks, walks targets through a fake PayPal-branded social engineering flow to make them hand over their most sensitive data: government identity documents, photos, and even financial information.
Researchers from Akamai said that the attackers install the phishing kit through a file management WordPress plugin. The kit runs multiple checks on the connecting IP addresses so that the malicious domains it uses are less likely to be detected. It also lets the threat actors rewrite URLs so that they no longer end in a .php extension, which makes them look more authentic than they really are.
There have been several innovations in the way phishing looks and feels to make it seem more legitimate than the classic Nigerian Prince scam. We found an example of this during an early morning examination of a WordPress honeypot: a PayPal scam site revealed a file in .zip format. The file — named paypal_crax_original.zip when uncompressed — contains more than 150 files ranging from PHP source code to font files.
Beyond the typical credit card information or credential harvesting you would see on these false login pages, this one aims at total identity theft — served up by the victims themselves. In this blog post, we will examine this incident from soup to nuts: how it lands in the honeypot, how it evades detection, and most important, how it accumulates personal information.
First, the sample arrived on our honeypot by guessing or brute-forcing the administrative WordPress credentials we set up. The kit uses a list of common username/password pairings found on the internet to log in. Our honeypot is a simple WordPress setup that deliberately allows compromise either by vulnerable plugin exploitation or by weak administrative login credentials. This is how the actor “parasites” other WordPress sites and uses them as a host: obtaining credentials and then installing a file management plugin that they use to upload the phishing kit. We can see those steps in the logs below (Figures 1 and 2).
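The compromise chain above (a burst of guessed logins, a successful login, then a plugin install and a .zip upload) is visible in ordinary web server access logs. The following is an added example, written for this page rather than taken from the article or from Akamai's research, of the detection logic a site owner could run over Apache combined-format logs. The log lines are constructed; the /wp-admin/update.php and /wp-login.php paths are standard WordPress endpoints, while the `cmd=upload` parameter on admin-ajax.php is an assumption about how a file manager plugin's upload request might appear and should be adapted to the plugin actually installed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (Apache "combined" format).  They are not data
# from the honeypot in the article; they model the chain it describes:
# six failed POSTs to wp-login.php (WordPress answers a failed login with 200
# and re-renders the form), one success (302 redirect to wp-admin), then a
# plugin .zip upload and an upload through a file manager plugin (assumed
# "cmd=upload" parameter).  A second, unrelated visitor is included as noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2022:04:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:12:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:12:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:13:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2022:04:14:05 +0000] "POST /wp-admin/admin-ajax.php?action=file_manager&cmd=upload&target=l1_ HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2022:04:12:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2022:04:15:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Requests that, right after a brute-forced login, indicate the attacker is
# installing tooling or dropping files.  The admin-ajax pattern is an
# assumption about a generic file manager plugin; tune it to your install.
ADMIN_INDICATORS = (
    re.compile(r"^/wp-admin/update\.php\?action=(install-plugin|upload-plugin)"),
    re.compile(r"^/wp-admin/plugin-install\.php"),
    re.compile(r"^/wp-admin/admin-ajax\.php\?.*\bcmd=upload\b"),
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any span of `window`."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def is_login_post(e):
    return e["method"] == "POST" and e["path"] == "/wp-login.php"


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs that brute-forced wp-login.php and report what they did next."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if is_login_post(e) and e["status"] == 200]
        burst = max_in_window(failures, window)
        if burst < threshold:
            continue
        # First 302 from wp-login.php after the guessing started = a guess worked.
        success = next((e["ts"] for e in evs
                        if is_login_post(e) and e["status"] == 302 and e["ts"] >= failures[0]), None)
        admin_actions = [e["path"] for e in evs
                         if success is not None and e["ts"] > success
                         and any(p.search(e["path"]) for p in ADMIN_INDICATORS)]
        findings.append({
            "ip": ip,
            "failed_logins_in_window": burst,
            "login_succeeded": success is not None,
            "admin_actions": admin_actions,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Only the source that crossed the failure threshold is reported; its later plugin upload and file manager upload are listed so the responder can go straight to the files written under wp-content at those timestamps. Sites behind a CDN or reverse proxy should take the client address from the forwarded-for header rather than the first field, or every attacker will collapse into one proxy IP.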
How Are the Attackers Stealing the Data?
When attempting to steal information for the purposes of data and identity theft, threat actors pose as PayPal site administrators and require victims to complete a number of tasks that give the appearance of being security measures. These tasks include solving a CAPTCHA challenge.
Even after the threat actor has amassed a tremendous quantity of personally identifiable information, their work is not yet done. They then proceed to the next stage, which is to request that the victim submit formal forms of identification so that their identity can supposedly be verified.
A driver’s license, a passport, or a national ID card are the forms of identification that may be uploaded, and the method for doing so comes with detailed instructions, just as PayPal or any genuine firm would want from its customers.
As BleepingComputer explains, all of this information could be put to use by cybercriminals for a wide variety of unlawful purposes, including but not limited to anything having to do with identity theft, money laundering, and maintaining anonymity when purchasing services, as well as taking over banking accounts or cloning payment cards.
How Can Heimdal™ Help You?
Heimdal™ Security has developed two email security products aimed at both simple and sophisticated email threats: Heimdal™ Email Security, which detects and blocks malware, spam emails, malicious URLs, and phishing attacks, and Heimdal™ Email Fraud Prevention, an email protection system against employee impersonation, fraud attempts and BEC in general.
For example, you may want to consider Heimdal™ Security’s Heimdal™ Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware.