PayPal users are the target of a phishing kit that attempts to steal their personal information, including government identity documents and photographs.
Phishing kit with a PayPal motif
Akamai researchers discovered the phishing kit after attackers planted it on a WordPress honeypot. Hosting the kit on legitimate WordPress sites that have been compromised helps the attackers evade detection, because the domain already has an established reputation.
The attackers brute-force logins on poorly secured websites using a list of commonly used credential pairs.
With the stolen access they install a file-management plugin, then use it to upload the phishing kit to the compromised site.
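The attack chain above leaves a recognisable pattern in ordinary web-server access logs: a burst of login attempts from one address, a successful login from that same address, then a plugin upload. The following detector is an added example and is not code from Akamai or from the kit. It runs over constructed Apache-style log lines. It assumes WordPress's default behaviour that a failed login to `/wp-login.php` re-renders the form with status 200 while a successful one redirects with 302, and it uses WordPress's own plugin-upload endpoint (`/wp-admin/update.php?action=upload-plugin`) as the post-compromise signal; a file-manager plugin's upload path would be specific to that plugin and is not modelled.

```python
"""Added example: flag credential brute force followed by a plugin upload
in constructed access-log lines. Not the kit's code or Akamai's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (common log format). 203.0.113.7 is the attacker,
# 192.0.2.10 a legitimate admin, 198.51.100.4 a user who mistypes twice.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [15/Jul/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [15/Jul/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [15/Jul/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [15/Jul/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [15/Jul/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Jul/2022:10:00:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200
192.0.2.10 - - [15/Jul/2022:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [15/Jul/2022:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.4 - - [15/Jul/2022:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.4 - - [15/Jul/2022:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

WINDOW = timedelta(seconds=60)   # sliding window for counting failures
FAIL_THRESHOLD = 5               # failed logins per window that count as brute force


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_login_post(rec):
    return rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php"


def is_plugin_upload(rec):
    # WordPress's own plugin-upload handler (assumed attacker step; a
    # file-manager plugin would expose its own endpoint).
    return rec["method"] == "POST" and rec["path"].startswith(
        "/wp-admin/update.php?action=upload-plugin")


def detect(log_text):
    """Return {ip: [findings]} for addresses that follow the brute-force chain."""
    findings = defaultdict(list)
    fails = defaultdict(list)   # ip -> timestamps of recent failed logins
    brute_forced = set()        # ips that crossed FAIL_THRESHOLD
    compromised = set()         # brute-forcing ips that then logged in
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if is_login_post(rec):
            if rec["status"] == 200:          # form re-rendered: failed login
                fails[ip] = [t for t in fails[ip] if ts - t <= WINDOW] + [ts]
                if len(fails[ip]) >= FAIL_THRESHOLD and ip not in brute_forced:
                    brute_forced.add(ip)
                    findings[ip].append("login brute force")
            elif rec["status"] == 302 and ip in brute_forced and ip not in compromised:
                compromised.add(ip)           # redirect after brute force: success
                findings[ip].append("brute force succeeded")
        elif is_plugin_upload(rec) and ip in compromised:
            findings[ip].append("plugin uploaded after brute-forced login")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(hits))
```

The legitimate admin's 302 and the two stray failures from the third address produce no finding, because a successful login only matters once the same address has already crossed the failure threshold. In production the status-code heuristic should be paired with the application's own authentication log, and the threshold tuned to the site's normal failure rate.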
To evade discovery, the kit cross-references visitors' IP addresses against domains belonging to certain categories of organisation, such as cybersecurity companies, and denies those visitors access to the phishing page.
After gathering a substantial amount of personal information, the attackers then ask the victim to upload official identification documents, ostensibly to verify their identity.
Despite the kit's apparent sophistication, the researchers found a flaw in its file upload function that could be exploited to upload a web shell and take control of the compromised website.
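The page does not publish the details of the kit's upload flaw, so the following is a generic illustration rather than the kit's code: an upload handler that trusts the client's filename, which is the classic way a document-upload form ends up accepting a web shell, beside a hardened version. This is an added example, not from Akamai or the kit; the filenames, payloads and directories are constructed, and the hardened handler assumes the upload directory is kept outside the web root.

```python
"""Added example (not the kit's code): an unsafe upload handler beside a
hardened one, exercised with constructed uploads."""
import os
import secrets
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

# Constructed uploads: client-supplied filename -> file content.
SAMPLES = {
    "passport.png": PNG_MAGIC + b"\x00" * 32,        # genuine image
    "shell.php": b"<?php system($_GET['c']); ?>",    # web shell
    "../index.php": b"<?php echo 'owned'; ?>",       # path traversal
    "id.png": b"<?php system($_GET['c']); ?>",       # PHP body, image name
}


def save_upload_vulnerable(name, data, upload_dir):
    """Weak handler: keeps whatever name the client sent and writes it into
    a web-served directory. A .php name becomes executable code, and a
    traversal name escapes upload_dir entirely."""
    path = os.path.normpath(os.path.join(upload_dir, name))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


# Allowed extensions and the magic bytes each must start with.
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}


def save_upload_hardened(name, data, upload_dir):
    """Hardened handler: extension allowlist checked against the file's
    magic bytes, a server-chosen random name, and no use of the client's
    path. upload_dir is assumed to sit outside the web root."""
    ext = os.path.splitext(os.path.basename(name))[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"{name!r}: extension not allowed")
    if not data.startswith(magic):
        raise ValueError(f"{name!r}: content does not match declared type")
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_samples(upload_dir=None):
    """Feed every constructed upload to both handlers and report, per name,
    where the weak handler wrote it and whether the hardened one accepted it."""
    upload_dir = upload_dir or tempfile.mkdtemp()
    weak_dir = os.path.join(upload_dir, "weak")
    results = {}
    for name, data in SAMPLES.items():
        weak_path = save_upload_vulnerable(name, data, weak_dir)
        try:
            hardened_path = save_upload_hardened(name, data, upload_dir)
            outcome = "accepted"
        except ValueError:
            hardened_path, outcome = None, "rejected"
        results[name] = {
            "weak_path": weak_path,
            "weak_escaped_dir": not weak_path.startswith(weak_dir),
            "weak_executable_ext": weak_path.endswith(".php"),
            "hardened": outcome,
            "hardened_path": hardened_path,
        }
    return results


if __name__ == "__main__":
    for name, r in run_samples().items():
        print(f"{name:15} weak -> {r['weak_path']}  hardened -> {r['hardened']}")
```

Only the genuine PNG survives the hardened handler, and it is stored under a random name so an attacker cannot predict the URL of what they uploaded. The magic-byte check is what catches `id.png`: its extension is allowed, but its content is PHP. Note that the check only guards against trivially mismatched content; keeping uploads out of the web root, or serving them from a location where the web server never executes scripts, is the control that actually prevents a web shell from running.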
About the phishing page
The kit's creators imitated PayPal's website closely to make the bogus page appear legitimate: every element of the user interface is styled to match PayPal's theme.
The attackers also rewrote the URLs with .htaccess rules so that they do not end in a .php extension, which makes the address look less suspicious to a visitor.
Phishing kits can now convincingly imitate PayPal while harvesting user data. Users should therefore always check the domain name of any website that asks for sensitive information, and reach the genuine service by typing its address into the browser manually rather than following a link.