Hacked WordPress sites are being boosted with PayPal phishing kit

News
By
published

PayPal users are being scammed for every last ounce of personal data

PayPal Super App
(Image credit: PayPal)

Researchers at Akamai have discovered a new and sophisticated phishing scam targeting over 400 million potential PayPal customers.

Akamai staff found out about the scam after finding it embedded inside their own WordPress site, and countless other genuine WordPress sites are thought to have been hacked, too.

Most at risk are poorly secured websites with easy-to-guess passwords and no additional authentication or verification set up. 

PayPal scams

The scam begins with a CAPTCHA popup, helping it to lie mostly undetected. Users proceed to log into their PayPal accounts, before confirming payment details including their address, mother’s maiden name and social security number.

Users are then implied a false sense of security as the scam enables them to link their email address to the account, but all this does is give the scammers access to individuals’ mailboxes.

Identity theft scamming

The final step in supposedly securing the PayPal account is to upload an identification document - including passports, driving licenses, and national identification cards - which could go on to serve a whole number of potentially illegal purposes.

Read more

> We've looked at the best WordPress hosting providers

> That PayPal alert email could just be a phishing scheme

> Thousands of WordPress sites force updated to fix dangerous security flaw 

In its a release, Akamai said: “Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes.”

The page layout mimics closely what users will already be accustomed with by piggybacking off PayPal’s color palette and design interface. Furthermore, it seems that htaccess was used to rewrite the URL, thus eliminating the PHP file extension, helping to present a less suspicious web address.

In general, Internet users are advised either to verify that the URL matches the company’s own address or to re-access the page from a search engine, in order to make sure that they are not part of a scam.

Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!