
PayPal Phishing Attack Demands Selfie With Photo ID

Researchers have uncovered an unusually sophisticated phishing attack that targets PayPal users and attempts to obtain a photo of the target holding a bank card and photo ID.

The scam arrives as online services continue to tighten security requirements to protect users’ accounts or to crack down on fraudulent activities – making the attack appear all the more authentic.

ID scam

Like other online financial services providers, PayPal does, under some circumstances, ask users for additional proofs of identity, such as a photo of themselves taken from a mobile device or a photo ID.

The phishing scam appears to exploit this fact to obtain identification materials that researchers believe may be intended to help the attackers launder money.

The scam asks users to submit a photo of themselves holding photo ID and a credit card

Like other phishing scams, this one begins with an authentic-looking email bearing the PayPal logo and address. It informs users their account has been suspended and asks them to click on a link to start an identity verification procedure.

The email contains odd grammar and spelling errors, but otherwise appears genuine, researchers said.

The phishing website to which the user is directed also appears unusually authentic, compared to those employed by off-the-shelf phishing kits, according to PhishMe, which discovered the scam.

Hacked website

It’s hosted on a New Zealand domain that bears a message claiming it has been hacked by an individual called “Mr.Dr3awe”, with the phishing site buried in a subdirectory in order to evade anti-phishing scans.

After asking for users’ account information, name, address, credit card details and the like, the site moves on to the unusual step of asking the target to submit a “selfie” – a photo of themselves from a mobile device – holding a photo ID and payment card.

“If the victim is willing to hand over their phone and credit card numbers, could they possibly be willing to provide even more personal information?” wrote PhishMe’s Chase Sims in an advisory.

The photo is needed “presumably to create cryptocurrency accounts to launder money stolen from victims”, he wrote, noting that the phishing pages and their underlying code show an unusual level of professionalism.

Data exfiltration

The code “has input validations that most do not”, Sims wrote.

Following the photo upload, the user is redirected to the authentic PayPal site, potentially none the wiser that their identity information has been stolen, Sims said.

The data collected is sent to a Yandex email address tied to a Skype account under the name “Nazat Jou” of “Manzac, France”.

PhishMe recommended that users be wary of suspicious emails and not follow links embedded in them. The company also provides simulation software that can be used to train individuals to spot and report such attacks.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
