Categories: Security

PayPal Phishing Attack Demands Selfie With Photo ID

Researchers have uncovered an unusually sophisticated phishing attack that targets PayPal users and attempts to obtain a photo of the target holding a bank card and photo ID.

The scam arrives as online services continue to tighten security requirements to protect users’ accounts or to crack down on fraudulent activities – making the attack appear all the more authentic.

ID scam

Like other online financial services providers, PayPal does, under some circumstances, ask users for additional proofs of identity, such as a photo of themselves taken from a mobile device or a photo ID.

The phishing scam appears to exploit this fact to obtain identification materials that researchers believe may be intended to help them launder money.

The scam asks users to submit a photo of themselves holding photo ID and a credit card

Like other phishing scams, this one begins with an authentic-looking email bearing the PayPal logo and address. It informs users their account has been suspended and asks them to click on a link to start an identity verification procedure.

The email contains odd grammatical uses and spelling errors, but otherwise appears genuine, researchers said.

The phishing website to which the user is directed also appears unusually authentic, compared to those employed by off-the-shelf phishing kits, according to PhishMe, which discovered the scam.

Hacked website

It’s hosted on a New Zealand domain that bears a message claiming it has been hacked by an individual called “Mr.Dr3awe”, with the phishing site buried in a subdirectory in order to evade anti-phishing scans.

After asking for users’ account information, name, address, credit card details and the like, the site moves on to the unusual step of asking the target to submit a “selfie” – a photo of themselves from a mobile device – holding a photo ID and payment card.

“If the victim is willing to hand over their phone and credit card numbers, could they possibly be willing to provide even more personal information?” wrote PhishMe’s Chase Sims in an advisory.

The photo is needed “presumably to create cryptocurrency accounts to launder money stolen from victims”, he wrote, noting that the phishing pages and their underlying code show an unusual level of professionalism.

Data exfiltration

The code “has input validations that most do not”, Sims wrote.

Following the photo upload the user is redirectected to the authentic PayPal site, potentially none the wiser that their identity information has been stolen, Sims said.

The data collected is sent to a Yandex email address tied to a Skype account under the name “Nazat Jou” of “Manzac, France”.

PhishMe recommended users to be wary of suspicious emails and not to follow links embedded in them.The company also provides simulation software that can be used to train individuals to spot and report such attacks.

Do you know all about security in 2017? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

9 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

11 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

13 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

14 hours ago