A phishing kit has been spotted targeting PayPal users, attempting to steal personal information from the victims. The stolen details include government identification documents and photos.

PayPal-themed phishing kit

Researchers from Akamai spotted the phishing kit after attackers had planted it on a WordPress honeypot. The kit is hosted on legitimate but compromised WordPress websites, which helps the attackers avoid detection.
  • The attackers target poorly secured websites and brute-force their logins using a list of common credential pairs.
  • The stolen access is then used to install a file management plugin, which is used to upload the phishing kit to the breached site.
  • To avoid detection, the kit cross-references visitor IP addresses against the domains of a specific set of firms, such as cybersecurity companies.
  • After collecting a large amount of personal information, the attackers further ask the victim to upload their official identification documents to validate their identity.
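
The deployment steps above (credential brute force against a WordPress login, followed by a plugin upload from the same client) leave a recognizable trace in web-server logs. The following script is an added detection example, not code from Akamai or from the original article: it scans constructed Apache-style access log lines and flags a client that repeatedly fails at wp-login.php, then succeeds, then posts to a plugin-upload endpoint. The endpoint paths, the 302-on-success assumption and the threshold are assumptions about a stock WordPress install.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (sample data, not from the article):
# one client hammers wp-login.php, eventually succeeds, then uploads a plugin.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jul/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2022:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jul/2022:10:00:40 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 950 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, bracketed timestamp, quoted request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

LOGIN_PATH = "/wp-login.php"
# Assumed plugin-upload endpoints of a stock WordPress install.
PLUGIN_UPLOAD_PREFIXES = ("/wp-admin/update.php?action=upload-plugin", "/wp-admin/plugin-install.php")
FAILED_LOGIN_THRESHOLD = 5  # assumed tuning value; adjust to the site's normal traffic


def analyze(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {ip: [findings]} for clients matching the kit's deployment pattern."""
    failed = defaultdict(int)   # failed login POSTs per client
    succeeded = set()           # clients that obtained a login redirect
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if method == "POST" and path == LOGIN_PATH:
            if status == "302":  # assumption: WordPress redirects on a successful login
                succeeded.add(ip)
                if failed[ip] >= threshold:
                    findings[ip].add("login_success_after_bruteforce")
            else:
                failed[ip] += 1
                if failed[ip] == threshold:
                    findings[ip].add("wp_login_bruteforce")
        elif method == "POST" and path.startswith(PLUGIN_UPLOAD_PREFIXES):
            # Only the full chain is flagged: brute force, success, then plugin upload.
            if ip in succeeded and failed[ip] >= threshold:
                findings[ip].add("plugin_upload_after_bruteforce")
    return {ip: sorted(f) for ip, f in findings.items()}
```

A client with a single successful login and no prior failures (198.51.100.4 in the sample) produces no finding, so ordinary administrator activity is not flagged.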

Although the phishing kit seems sophisticated, the researchers spotted a vulnerability in its file upload feature, which can be abused to upload a web shell and take control of the hacked website.

About the phishing page

The phishing kit operators attempted to make the fraudulent page look legitimate by mimicking PayPal's site.
  • All graphical interface elements are styled on the basis of PayPal's theme for an authentic appearance.
  • The attackers used an .htaccess file to rewrite the URL so that it does not end in a .php file extension.

Concluding notes

Phishing kits are now successfully mimicking PayPal and stealing personal information. Thus, users should always check the domain name of a page requesting sensitive information. They should visit the official page of the service by manually typing the site address into the web browser.
Cyware Publisher