Attackers Utilize Fake Security Checks to Obtain Victims’ PII.
Last updated on July 15, 2022
Researchers have uncovered a new phishing kit that is planted on legitimate WordPress sites and, under the guise of security checks, uses a fake PayPal-branded social engineering scam to trick targets into handing over their most sensitive data. This data includes government identity documents, photos, and even financial information.
Researchers from Akamai said that the attackers install the phishing kit through a file management WordPress plug-in. The kit performs multiple checks on the connecting IP address in order to keep the malicious domains it uses from being detected. Additionally, it lets the threat actors rewrite URLs so that they appear without the .php extension at the end, which makes them seem more authentic than they really are.
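Two of the traces the Akamai description leaves on a compromised site are easy to look for on disk: a rewrite rule that serves clean URLs by silently appending .php, and PHP files sitting under wp-content/uploads, where a file manager plug-in would drop them. The scanner below is an added illustration, not Akamai's or Heimdal's code; the directory tree, the .htaccess contents and the kit directory name are constructed for the demo.

```python
"""Added illustration (not Akamai's or Heimdal's code): scan a WordPress
document root for two artefacts the article describes, a rewrite rule that
serves clean URLs by appending .php, and PHP files dropped under
wp-content/uploads. The directory tree and file contents are constructed."""
import os
import re
import tempfile

# A RewriteRule whose substitution is a backreference plus ".php"
# (e.g. "RewriteRule ^([^/]+)/?$ $1.php [L]") hides the .php extension.
# WordPress' stock "RewriteRule . /index.php [L]" has no backreference
# and is deliberately not matched.
REWRITE_HIDES_PHP = re.compile(
    r"^\s*RewriteRule\s+\S+\s+\S*\$\d+\.php\b", re.IGNORECASE | re.MULTILINE)


def find_suspicious(root):
    """Return (rewrite_hits, php_in_uploads): sorted paths relative to root."""
    rewrite_hits, php_in_uploads = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    if REWRITE_HIDES_PHP.search(fh.read()):
                        rewrite_hits.append(rel)
            elif name.lower().endswith(".php") and rel.startswith("wp-content/uploads/"):
                # The uploads tree should hold media, never executable PHP.
                php_in_uploads.append(rel)
    return sorted(rewrite_hits), sorted(php_in_uploads)


def build_demo_tree():
    """Create a throwaway tree: stock WordPress .htaccess at the root, an
    image upload, and a constructed kit directory with its own rewrite rule."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    layout = {
        ".htaccess": (
            "RewriteEngine On\n"
            "RewriteRule ^index\\.php$ - [L]\n"
            "RewriteCond %{REQUEST_FILENAME} !-f\n"
            "RewriteRule . /index.php [L]\n"),
        "wp-content/uploads/2022/07/photo.jpg": "",
        # "pp" is a constructed kit directory name, not one from the report.
        "wp-content/uploads/2022/07/pp/.htaccess": (
            "RewriteEngine On\n"
            "RewriteCond %{REQUEST_FILENAME} !-f\n"
            "RewriteRule ^([^/]+)/?$ $1.php [L]\n"),
        "wp-content/uploads/2022/07/pp/login.php": "<?php // constructed placeholder ?>\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    rewrites, dropped = find_suspicious(demo)
    print("rewrite rules hiding .php:", rewrites)
    print("PHP under uploads:", dropped)
```

The regex keys on a backreference (`$1.php` and the like) rather than on any `.php` target, so the stock WordPress front-controller rule is not reported; a hit therefore points at a rule that was added to make kit pages look like ordinary paths. Running it against a real install, pair it with a file-integrity baseline, since the uploads check will also surface legitimately placed PHP that some plug-ins write there.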
There have been several innovations in the way phishing looks and feels to make phishing pages seem more legitimate than the classic Nigerian Prince scam. We found an example of this during an early morning examination of a WordPress honeypot: a PayPal scam site revealed a file in .zip format. The file, named paypal_crax_original.zip when uncompressed, contains more than 150 files ranging from PHP source code to font files.
Beyond the typical credit card information or credential harvesting you would see on these false login pages, this one aims at total identity theft — served up by the victims themselves. In this blog post, we will examine this incident from soup to nuts: how it lands in the honeypot, how it evades detection, and most important, how it accumulates personal information.
First, the sample arrived on our honeypot by guessing or brute-forcing the administrative WordPress credentials we set up. The kit uses a list of common credential/password pairings found on the internet to log in. Our honeypot is a simple WordPress setup to deliberately allow compromise either by vulnerable plugin exploitation or weak administrative login credentials. This is how the actor “parasites” other WordPress sites and uses them as a host: obtaining credentials and then installing a file management plugin that they used to upload the phishing kit. We can see those steps in the logs below (Figures 1 and 2).
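The takeover sequence above (a burst of guessed admin logins, one that succeeds, then a plug-in install used to bring in the kit) is also visible in ordinary web-server access logs. The detector below is an added example, not Akamai's or Heimdal's code; the log lines are constructed, the plug-in slug is a placeholder, and the example assumes a default WordPress, where a failed login re-renders wp-login.php with HTTP 200, a successful one answers 302, and plug-in installs and uploads go through wp-admin/update.php.

```python
"""Added illustration (not Akamai's or Heimdal's code): flag the takeover
sequence the article describes in web-server access logs, a burst of failed
admin logins from one address, a login that succeeds, then a plug-in
install or upload through the WordPress admin. Log lines are constructed."""
import re
from collections import defaultdict

# Combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: 203.0.113.7 brute-forces, succeeds and installs a
# plug-in; 192.0.2.33 only brute-forces; 198.51.100.20 is a normal admin.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2022:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [15/Jul/2022:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [15/Jul/2022:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [15/Jul/2022:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [15/Jul/2022:03:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [15/Jul/2022:03:12:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [15/Jul/2022:03:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Jul/2022:03:12:15 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 61200
203.0.113.7 - - [15/Jul/2022:03:12:31 +0000] "POST /wp-admin/update.php?action=install-plugin&plugin=example-file-manager HTTP/1.1" 200 5410
192.0.2.33 - - [15/Jul/2022:03:40:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.33 - - [15/Jul/2022:03:40:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.33 - - [15/Jul/2022:03:40:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.33 - - [15/Jul/2022:03:40:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.33 - - [15/Jul/2022:03:40:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [15/Jul/2022:04:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [15/Jul/2022:04:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 44000
"""

PLUGIN_ACTIONS = ("action=install-plugin", "action=upload-plugin")


def analyse(log_text, threshold=5):
    """Return {ip: summary} for every address with at least `threshold`
    failed admin logins. The summary records whether a success followed the
    burst and whether a plug-in install/upload followed that success, so the
    order of events is part of the signal, not just the counts."""
    state = defaultdict(
        lambda: {"failed": 0, "success": False, "plugin_upload": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined-log format; skip rather than guess
        rec = state[m["ip"]]
        method, status = m["method"], m["status"]
        path, _, query = m["path"].partition("?")
        if method == "POST" and path == "/wp-login.php":
            if status == "302":
                # Only a success that comes after the burst counts.
                if rec["failed"] >= threshold:
                    rec["success"] = True
            else:
                rec["failed"] += 1
        elif (method == "POST" and path == "/wp-admin/update.php"
              and any(a in query for a in PLUGIN_ACTIONS) and rec["success"]):
            rec["plugin_upload"] = True
    return {ip: r for ip, r in state.items() if r["failed"] >= threshold}


if __name__ == "__main__":
    for ip, rec in analyse(SAMPLE_LOG).items():
        stage = "kit staged" if rec["plugin_upload"] else "brute force only"
        print(f"{ip}: {rec['failed']} failed logins, {stage}")
```

Only addresses that cross the failure threshold are reported, and the plug-in step is credited only when it follows a post-burst success, which keeps an administrator who installs a plug-in after a clean login out of the output. The file manager plug-in's own upload endpoint differs from plug-in to plug-in, so the kit upload itself is not modelled here; extend `PLUGIN_ACTIONS` or add a path check once you know which plug-in is involved.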
To harvest data for identity theft, the threat actors pose as PayPal site administrators and require victims to complete a number of tasks that give the appearance of being security measures. These tasks include solving a CAPTCHA challenge.
Even after the threat actor has amassed a tremendous quantity of personally identifiable information, their work is not yet done. They proceed to the next stage, in which the victim is asked to submit official identity documents so that their identity can supposedly be verified.
A driver's license, a passport, or a national ID card are the documents that may be uploaded, and the upload process comes with detailed instructions, just as PayPal or any genuine firm would provide to its customers.
As BleepingComputer explains, cybercriminals could put all of this information to a wide variety of unlawful uses, including identity theft, money laundering, and staying anonymous when purchasing services, as well as taking over bank accounts or cloning payment cards.
For example, you may want to consider Heimdal™ Security's Heimdal™ Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.