A New Text Message Scam Targets PayPal Users in the UK
Last week, we explained what smishing is and how it works. Today, we're going to see the attack in action, analyze it, and learn what we can do to avoid falling victim to it.
Casting the net
According to a report by Tech.co, the attack is targeting PayPal account owners in the UK. It's safe to say, however, that more or less the same scam could be aimed at users of any service in any corner of the globe. As you might imagine, it all starts with a text message that comes with a link.
At this point, we should probably point out that some people are all but immune to this attack. They still use feature phones that aren't connected to the Internet, and because of this, they can't follow the link in the SMS. For better or worse, however, very few people continue to use the mobile phones that have small screens and bring the "joy" of having to press the same button four times just so that you can type an "s."
People with a passionate hatred for modern technology aren't the only ones who can escape the trap. The more observant will also notice that the link in the SMS leads to pay-pail[.]com, which isn't really the same as https://paypal.com – the URL you should be using when you're trying to log in to your PayPal account. Once again, however, few people are likely to spot the discrepancy and avoid falling victim.
This is what the message says:
"You sent a payment for 30.16 GBP to Lucy Parker. If you didn't authenticate this transaction check here"
Who is Lucy Parker and why is she getting a little over 30 of my hard-earned British pounds? This is the first thought that will likely cross your mind, and the threat of Ms. Parker receiving even more of your money will make you tap the link without thinking too much about the URL or, indeed, the awkward wording.
On the whole, it's far from the most sophisticated scheme we've ever seen, and sitting at home, you might be thinking that not a whole lot of users will fall for it. The fact of the matter is, however, that these types of attacks wouldn't exist if there weren't enough people taking the bait.
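The domain discrepancy described above is something a filter can check mechanically. The following is an added example, not code from Tech.co or PayPal: it pulls hosts out of a message, re-fangs the `[.]` notation, and flags hosts that sit within a small edit distance of an allowlisted login domain or that embed it as a subdomain. The allowlist, the threshold of 2, the naive last-two-labels domain reduction, and the position of the link in the sample message are assumptions.

```python
import re

# Assumption: the defender maintains this allowlist of real login domains.
LEGIT_DOMAINS = {"paypal.com"}

# Matches a host with an optional scheme; accepts defanged "[.]" separators.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)

# Message text as quoted in the article; the appended link is constructed.
SAMPLE_SMS = ("You sent a payment for 30.16 GBP to Lucy Parker. If you didn't "
              "authenticate this transaction check here http://pay-pail[.]com/")


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(sms_text, max_distance=2):
    """Return (host, imitated_domain, reason) for each suspicious host."""
    hits = []
    for match in HOST_RE.finditer(sms_text):
        host = match.group(1).replace("[.]", ".").lower()
        # Naive registrable domain: last two labels (no public-suffix list).
        domain = ".".join(host.split(".")[-2:])
        if domain in LEGIT_DOMAINS:
            continue  # genuinely the allowlisted domain or one of its subdomains
        for legit in sorted(LEGIT_DOMAINS):
            # Hyphens are stripped so "pay-pail" is compared as "paypail".
            dist = edit_distance(domain.replace("-", ""), legit.replace("-", ""))
            if legit in host:
                hits.append((host, legit, "embedded"))
            elif dist <= max_distance:
                hits.append((host, legit, f"edit distance {dist}"))
    return hits


if __name__ == "__main__":
    for hit in lookalikes(SAMPLE_SMS):
        print(hit)
```

Because the domain reduction keeps only the last two labels, hosts under multi-label suffixes such as `.co.uk` need a public-suffix list to be compared correctly.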
Collecting the information
Those who do fall for the scam are led to a login page that looks pretty much identical to the real thing. Put the two login forms side-by-side, and you'll probably see that the fake one has a few extra links, but you're unlikely to spot those if you're looking at your phone.
When you load paypal.com on a desktop computer, you'll notice that, along with the green padlock, you'll see "PayPal, Inc." in the address bar. This is because PayPal has bought an Extended Validation (or EV) certificate for its domain. Obviously, pay-pail[.]com can't have such a certificate, as it's issued only after extensive checks. This doesn't matter that much, though, because most mobile browsers don't display the owner of the EV-certified domain anyway. Furthermore, pay-pail[.]com does have an SSL certificate, meaning that the green padlock is present, and for most users, this is more than enough to convince them that everything is okay.
Tech.co followed the scam link and entered false credentials into the login form to see what would happen. As it turns out, the crooks want to steal quite a lot of information. After receiving the email address and password, the fake website asks you to verify your identity. To do so, you must provide:
- Your name
- Your home address
- Your mother's maiden name
- Your credit card number and expiry date
- Your Verified by Visa password
You can see how badly wrong things could turn out if you let your guard down because you're thinking that you're in the process of losing 30 GBP. This, curiously enough, is what people fail to understand sometimes.
Fraudulent transactions are reversible in most cases. If you give away your personal data to the crooks, however, a refund is not possible. That's why you should take every link you see in your inbox with a pinch of salt, and if you have even a modicum of doubt, don't open anything and ask the appropriate people (from PayPal, your bank, or the concerned service provider) to review the message.