Watch out for the 'New Login From Unknown Device' PayPal Scam

PayPal New Login From Unknown Device Phishing Scam

In late December, researchers from ESET noticed that PayPal users in Latin America were targeted by a phishing campaign that could be going on to this very day. Unfortunately, it's difficult to say how big the attack is, and we don't know how many people have fallen victim to it. Regardless of the scale, however, this PayPal phishing scam is newsworthy for a couple of good reasons.

For one, the hackers that organized it used some clever social engineering tricks to try and maximize the number of victims. They knew that every single compromised PayPal account can potentially yield significant financial gains, but they were never going to settle just for the money. Here's how the whole scam unfolds.

An unusual login email alert

As you might imagine, the attack begins with an email, which, in this particular case, tries to convince you that an unauthorized person has accessed your PayPal account. To make the message sound more convincing, the hackers include the date of the supposed incident as well as details on the intruder's operating system and browser. The email also says that your account has been locked down and that you can regain access to it by following a link and "confirming your identity." Those of you with an active interest in cybersecurity probably know what's going to happen next.

They also know that this is hardly a groundbreaking tactic. Phishers often try to steal login credentials from users by persuading them that their accounts might have been hacked. This is because when they are presented with this particular scenario, people tend to panic, and in their haste, they often overlook some glaring mistakes that the criminals make.

If you do click through, you will be led to a fake PayPal page that is designed to look like the real thing. First, you need to complete a CAPTCHA challenge, and then you are asked for your PayPal login credentials.

It's not just about the username and password this time

In a typical phishing attack, once the victims give away their login credentials, they are either shown a fake error message prompting them to try again later, or they are simply redirected to their real accounts. In this case, things are a little bit different.

After the login data has been stolen, the fake website tells you that your PayPal account is still locked due to the alleged unauthorized access. To unlock it, you must verify your personal information. The first form asks you for your name, physical address, phone number, and date of birth. A second form requests your credit card details, and a third one prompts you to enter some information related to the bank account associated with your PayPal profile. Finally, you are asked to "link" your email account by providing the address and the password.

ESET's screenshots show that the hackers really did pull off all the stops to create a phishing page that looks legitimate. The logos, the colors, and the fonts are all more or less perfect, and the hackers have even gone through the trouble of installing an SSL certificate, which means that people who are taught to look for the green padlock in the address bar will see it and will assume that the page is completely safe. In other words, there are plenty of things that might fool you into thinking that you really are securing your PayPal account. Then again, there are quite a few other tell-tale signs that, if noticed, will show you that you are being scammed out of your personal data.

Spotting a few discrepancies is all that is needed to stay safe

The way some modern email clients display the messages in your inbox means that telling a malicious email from a legitimate one could be tricky. Nevertheless, if you're careful enough, you will still see some mistakes that can tip you off.

ESET's report doesn't say whether the phishers bothered to spoof the sender's email address, but even if it looks fine, you may see, for example, that the message contains no logos or other formatting features that are usually associated with this sort of communication. In addition to this, although we've seen far worse, the text contains a few grammatical mistakes – a common giveaway in phishing attacks.

Those who fail to notice the grammatical errors can still spot the domain hosting the phishing page. The hackers can easily put a green padlock in the address bar of your browser, but they can't change the actual address, which means that a simple glance at the URL will show you that you're not entering your information on the real PayPal website.

And even if you don't see that, you can still notice a few things that seem strange as well as a few others that seem downright wrong.

The CAPTCHA challenge at the beginning of the attack is an interesting addition, for example. On the one hand, its placement seems only logical considering the fact that someone has allegedly been trying to break into your account. Then again, a CAPTCHA challenge at this particular stage is unusual, which might make you think twice before moving on.

You are much more likely to realize that something's wrong when the phishing page asks you for your email password. PayPal should never have this sort of information, and it would never ask for it. We sincerely hope that when they see this particular request, many of you will instantly know that they are being scammed. Unfortunately, by that time, they will have already given away tons of personal information, which goes to show that the only real way of staying safe is to keep your eyes peeled at all times and to be careful with every single click.

January 2, 2020

Leave a Reply