Researchers have discovered a new phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam to trick targets into handing over their most sensitive data, including government documents, photos, and even banking information — under the guise of security controls.
Akamai researchers said the attackers use a file management WordPress plug-in to deploy the phishing kit, which includes several checks on the connected IP addresses to evade detection of their known malicious domains. It also allows the threat actors to rewrite URLs without the .php at the end, making them look more like genuine addresses.
Once up and running, the scam PayPal site asks victims to jump through a series of apparent security measures — even a CAPTCHA challenge — when the threat actors are simply grabbing the information for data and identity theft.
“By using captcha immediately, telling the victim that there has been unusual account activity, and reinforcing ‘trust’ by utilizing ‘new security measures’ like proof of government identification, they are making the victim feel as if they are in a legitimate scenario,” the Akamai team explains in their new report on the PayPal phishing kit. “The same methods that can ensure an identity is secure can ultimately lead to total identity theft — not just credit card numbers, but cryptocurrency accounts and anything else the threat actor wants to obtain.”