PayPal users targeted in sophisticated new phishing campaign

Recent phishing scams targeted both Gmail and Yahoo, and now attackers have their sights set on PayPal with some very convincing bait. With fake websites and email campaigns that look real, it’s easy to be fooled, and potentially have your identity and money stolen by scammers. Here’s how it happens.

First, there’s an email with logos and wording that look and sound authentic. Notice, however, the errors in grammar and syntax that suggest the author isn’t a native English speaker. That’s one of the clues.

[Image: phishing]

When unsuspecting users click the Log In button, they aren’t taken to a PayPal property, but are sent through a shortened link like this:

[Image: phishing]

That, in turn, leads to a landing page here:

[Image: phishing]

… where they are presented with a real-looking fake login screen that even has an SSL certificate to suggest it’s authentic. But don’t be fooled.

Notice that the domains have nothing to do with PayPal sites; they are scam URLs. As with other campaigns, scammers typically use a myriad of dynamically generated domain names, sometimes slight variations on the real name, which is another clue that something isn’t right.

Once you enter your information, you are presented with another message with fake information appearing to corroborate the text of the email:

[Image: Screen Shot 2017-01-27 at 09.15.35]

Here they present a sense of urgency along with more scare tactics to try to coerce you into giving the attackers more information. If you click “Continue”, you are taken to another page asking for even more targeted information, which could aid the scammers in their attempts to steal your identity:

[Image: phishing]

Notice they are even asking for your Social Security Number, which would only apply in the US, but then ask you what country you’re in. They also keep up the sense of urgency, stating that you will be unable to interact with PayPal until you give them the information requested.

It’s easy to see how users could be fooled by such a campaign, but we hope this information can be used to raise awareness, should someone you know encounter campaigns like this in their inbox.

If you’re concerned about PayPal security, you should log directly into PayPal.com itself and update your security settings, and if you know someone who has fallen victim, the first step should be to change their PayPal password before more damage occurs.

Whether you’re a PayPal user or not, keep in mind that cybercriminals are spending more and more effort to make their phishing websites look exactly like the real vendors’. As has been heavily reported, Gmail users were recently hit with a sophisticated phishing scam that fooled even savvy users due to its ability to mimic a legitimate Gmail login prompt. We are likely to see more phishing campaigns targeting users of well-known sites.

How to protect yourself

First, do not click links or open attachments in unsolicited email. If an email supposedly from, say, PayPal says you have a problem, open a new browser tab or window and log directly onto PayPal by typing in the web address.

Second, if you get such an alert while you are browsing, verify that the URL in the address bar looks as you would expect. If the alert appears to come from PayPal, be very suspicious if the address bar doesn’t start with http://www․paypal․com/ or https://www․paypal․com/. Instead, go directly to the website by typing in its address.

Third, since phishing becomes more of a problem when the same password is utilized across multiple sites and services, consider deploying two-factor authentication (2FA). By requiring a one-time password generated by a user’s smartphone as a second form of authentication, 2FA helps block unauthorized access. Our blog WeLiveSecurity covers what two-factor authentication is and why you need it here.
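The address-bar check from the second point, as an added example that is not part of the original article: it parses the host out of the URL instead of comparing string prefixes, so an address that merely begins with or contains the brand name is not treated as genuine. The function name `classify_url`, the substitution table and the sample URLs (all on reserved `.example` names) are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "paypal.com"          # the genuine site named in the article
BRAND = TRUSTED_DOMAIN.split(".")[0]

# Constructed look-alike substitutions; not an exhaustive confusables table.
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "-": None})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    # Text before '@' is userinfo, not the site; it is often used to show a fake host.
    userinfo = (parts.username or "").lower()
    if not userinfo and (host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)):
        return "trusted"
    # Any label (or the userinfo) that imitates the brand marks a look-alike.
    for label in host.split(".") + [userinfo]:
        normalized = label.translate(LOOKALIKE)
        if BRAND in normalized or edit_distance(normalized, BRAND) <= 1:
            return "lookalike"
    return "unrelated"

# Constructed sample URLs (reserved .example names, not taken from the campaign).
SAMPLES = [
    "https://www.paypal.com/signin",
    "https://www.paypal.com.account-check.example/signin",
    "https://paypa1-secure.example/login",
    "https://www.paypal.com@login.example/",
    "https://short.example/aB3xZ",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify_url(u):10} {u}")
```

A shortened link comes back as `unrelated`, which is the point: it cannot be judged until it is resolved, so it should be treated as untrusted rather than as neutral.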

To learn more about social engineering techniques such as phishing and how to protect your business, download ESET’s tech brief, Social Engineering and Why It Happened to You.

Author , ESET


  • Jaybo

    “What the problem’s?” You call that sophisticated?

    • Waqas

      For many it is sophisticated. Be thankful for free info.

    • Marc Lewis

      Considering that a great deal of folks have literacy levels below 3rd or 4th grade, it’s not at all surprising that they’d fall for something as blatantly wrong as this. Pathetic, I know, but it’s the uneducated country we live in. ;-(

  • Ron Angel

    PayPal always addresses you by your full registered name, never “Dear customer” or the like.

  • Meng

    I actually got something really similar today in my email. It’s almost the same form as in the post. I filled out the first step and clicked “Next”. I was going to fill out the second step, but then I found out it’s a scam…
    My question is, do they still have my information from the first step? I’m really worried.

  • Jamie Dempsey

    The scam has morphed… now it is an email stating your payment to (in this case Fandango) has been approved, and because it has no transaction information, has links to look at the transaction on PayPal. Several of the misspells have been corrected, and yes, at first glance, I said “what the hell? I haven’t ordered from Fandango!” and popped the link “to my account”… as it took a few seconds to load, I noticed the urls at the bottom changing to redirects, and closed the box…hope it didn’t compromise anything!


Copyright © 2018 ESET, All Rights Reserved.