Phishers are targeting PayPal users not only for their login credentials but also for selfies of them holding their ID cards.
This scam campaign starts off like so many others. The user receives a phishing email falsely warning them that PayPal has suspended their account "for security precaution":
"Our technical support and customer department has recently suspected activities in your account.
"Therefore we have decided to temporarly suspend your account until investigating your recent activiies. Such things can happen if you clicked a suspecious link on social media or gave your password to someone else
"We're always concerned about our customers security so please help us recover your account by following the link below."
The phishing email gives itself away by its spelling errors and strange grammatical usage. But it does get some things right.
For instance, the scam does incorporate PayPal's logo and list a valid (and publicly available, mind you) address for PayPal at 353 Sacramento Street in San Francisco, California.
Researchers at PhishMe report that the attack campaign is currently hosted on the website hellopc[dot]co[dot]nz, which an individual calling themselves "Mr.Dr3awe" claims to have hacked. The phishing kit used in the campaign is buried in a subdirectory on the site, presumably so that it is harder for anti-phishing vendors to find when they crawl the compromised host.
Clicking on the phishing email's "Let's Get Going" link sends the recipient to another website hosting a fake PayPal login page. If they sign in, a subsequent page asks them for their name, address, and credit card number.
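The one property of this flow that a recipient or a mail filter can check before anyone clicks is where the "Let's Get Going" link actually points. The following is an added example, not code from the original article or from PhishMe: it extracts every anchor from an email body, refangs defanged indicators such as hellopc[dot]co[dot]nz so they parse as real URLs, and flags any link whose destination host is not a PayPal domain, calling out lookalike hosts that merely contain the brand name. The sample email, the allow-listed suffix, and the path on the compromised site are all constructed for illustration; the article does not publish the kit's path.

```python
"""Added example (not from the original article or PhishMe): flag links in a
suspected PayPal phishing email whose destination is not a PayPal domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: hosts a genuine PayPal mail may link to.
LEGIT_SUFFIXES = ("paypal.com",)


def refang(text):
    """Turn defanged indicators (hellopc[dot]co[dot]nz, hxxp://) back into real form."""
    return text.replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less values are treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_legit_host(host):
    """True only for the allow-listed domain itself or one of its subdomains.
    Suffix matching with a leading dot stops paypal.com.evil.example passing."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def suspicious_links(html_body):
    """Return (href, text, reason) for every link that should not be clicked."""
    parser = _LinkExtractor()
    parser.feed(refang(html_body))
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if not host:
            continue  # mailto:, anchors, relative paths: nothing to resolve
        if not is_legit_host(host):
            reason = "destination host %s is not a PayPal domain" % host
            if "paypal" in host:
                reason += " (brand name used in a lookalike host)"
            findings.append((href, text, reason))
    return findings


# Constructed sample: the button text and the compromised host come from the
# article; the path on that host and the second lookalike link are made up.
SAMPLE_EMAIL = """<html><body>
<p>Therefore we have decided to temporarly suspend your account.</p>
<p><a href="hxxp://hellopc[dot]co[dot]nz/wp-content/uploads/verify/">Let's Get Going</a></p>
<p><a href="https://www.paypal-account-verify.example/login">Verify Now</a></p>
<p><a href="https://www.paypal.com/myaccount/">PayPal Help Center</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-18s -> %s: %s" % (text, href, reason))
```

The allow-list is deliberately tiny: the point is that a link in a PayPal-branded message should resolve to PayPal's own domain or a subdomain of it, and anything else, however the visible text reads, is reason enough not to click.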
To gain even more control over the victim's identity, the fraudsters then ask for something more. PhishMe's Chase Sims explains:
"If the victim is willing to hand over their phone and credit card numbers, could they possibly be willing to provide even more personal information? How about a selfie? The next page seeks to verify the identity with a photo of the victim holding up a form of ID and credit card next to their face."
Uploading a valid image and hitting the "Agree & Continue" button redirects the user to an official PayPal website, so the victim sees nothing unusual. Meanwhile, the harvested data is exfiltrated to someone calling themselves "najat zou" in "mansac, France," who can then do whatever they want with it.
As always, users should avoid clicking on links in suspicious emails, and they should never hand over their credit card information, let alone a photo of their ID, to someone they don't know. They should also protect their PayPal accounts with two-step verification (2SV).