Devious PayPal Scams Target Users' Passwords and Credit Card Information
According to Vade Secure, PayPal is the second-most targeted brand by phishers. This shouldn't be very surprising. We're talking about the world's most recognizable online payment platform, and unauthorized access to a person's PayPal account could mean unauthorized access to a significant portion of their money. What is interesting is that in Q1 of 2019, Vade noticed a whopping 88% increase in the number of PayPal-related phishing URLs. It's way too early to say whether this trend will continue throughout the second quarter, but reports from different corners of the globe suggest that it might.
A few days ago, for example, Spanish media reported (link in Spanish) on a phishing scheme aimed at PayPal users, and apparently, the campaign is quite widespread. So much so, in fact, that the Spanish National Cybersecurity Institute issued a special warning (link in Spanish) about it.
At the same time, close to 11 thousand miles away in Australia, Aussie PayPal users are facing a similar threat. In this case, there's no official advisory from a specialized institution, but the fact that the emails made the news goes to show that plenty of users are targeted. The timing, you have to agree, is pretty close, but is this all a coincidence?
Are Spanish and Australian PayPal users targeted by the same phishing crew?
A few factors can make you think that the answer is yes. In both cases, the phishing emails are sent from addresses that don't belong to PayPal, and in both cases, the display name is "PayPal".
The subjects and the bodies of the messages vary from victim to victim, but it's fair to say that the scenario is more or less the same. The user's account has either been blocked already or is about to be blocked, and the reason for this is either unusual behavior or outdated information. As you might imagine, there's a helpful link which, the email says, will help the user resolve the problem. In reality, the link leads to a fake PayPal login page that harvests the victim's sensitive information. Both campaigns were after not just login credentials, but also credit card details, and the Spanish phishing page even requested a photo of the victim's ID card.
Some phishers are more sophisticated than others
The most obvious difference between the two emails is that the one targeting Australian users is in English, and the one aimed at Spanish citizens is in Spanish. This is logical enough, but if you look closely, you'll spot a few distinct differences which suggest that the two campaigns are not the work of a single group of cybercriminals.
We must say that the people responsible for the attack on Spanish users are quite a lot more competent. Although they too don't address the victim personally (typically, a telltale sign of a phishing attack), the way the email is formatted does suggest that it might be legitimate. There are additional fine print and links in the footer, and the main button that leads to the phishing form is consistent with the look and feel of PayPal's real website. The phishing form looks pretty convincing too, though the lack of HTTPS is something of a giveaway.
By contrast, the creators of the Australian phishing email didn't even use PayPal's real logo (the overlapping Ps are missing, and the font is different). The grammatical errors in the body of the message and the absence of the coherent structure typical of corporate email remove any doubt.
Having said all that, we should point out that despite the mistakes the crooks made, some Australian users will still fall for the attack. Unfortunately, the fact that a phishing campaign is put together by a group of amateurs doesn't necessarily mean that it won't be successful. Regular users just don't exercise enough caution when they're checking their inboxes or reviewing their important accounts. They click links in emails and follow instructions without so much as checking who issued them. That's why phishing is so lucrative. That's why you should try to be better than the regular user.
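The indicators described in this article (a "PayPal" display name on an address that doesn't belong to PayPal, a link that leads somewhere other than PayPal, and a page served without HTTPS) can be checked mechanically. The following is an added example, not code from Vade Secure or PayPal; the trusted-domain list, the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "paypal"
# Assumption: the domains a mail filter would accept as PayPal's own.
TRUSTED_DOMAINS = {"paypal.com"}

def is_trusted(host):
    """True only for a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_message(raw):
    """Return a list of findings for one message given as RFC 5322 text."""
    msg = message_from_string(raw)
    findings = []
    # Indicator 1: brand in the display name, but the address is elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if BRAND in display.lower() and not is_trusted(sender_domain):
        findings.append("display-name-mismatch:" + sender_domain)
    # Collect text from every non-container part (bodies are not decoded here).
    body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s<>]+", body):
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Indicator 2: the link leaves the trusted domain, even if the
        # brand name appears somewhere in the hostname.
        if not is_trusted(host):
            findings.append("untrusted-link:" + host)
        # Indicator 3: the landing page is not served over HTTPS.
        if parts.scheme == "http":
            findings.append("no-https:" + host)
    return findings

# Constructed sample messages (not taken from the real campaigns).
PHISH = """From: PayPal <service@account-notice.example>
Subject: Your account has been limited

We noticed unusual behavior. Resolve it here: http://paypal.login-check.example/signin
"""
LEGIT = """From: PayPal <service@paypal.com>
Subject: Receipt

View it at https://www.paypal.com/myaccount
"""

if __name__ == "__main__":
    print(check_message(PHISH))
    print(check_message(LEGIT))
```

A message that forges the sender address itself passes the display-name check; catching that is the job of SPF, DKIM and DMARC validation on the receiving mail server.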