What's worse than getting phished? Getting phished *and* sending a selfie of your Photo ID and credit card

Just the latest in a long line of scams…

Phishers are targeting PayPal users not only for their login credentials but also for selfies of them holding their ID cards.

This scam campaign starts off like so many others. A user gets an attack email falsely warning them that PayPal has suspended their account "for security precaution."

"Hi there,

"Our technical support and customer department has recently suspected activities in your account.

"Therefore we have decided to temporarly suspend your account until investigating your recent activiies. Such things can happen if you clicked a suspecious link on social media or gave your password to someone else

"We're always concerned about our customers security so please help us recover your account by following the link below.

The phishing email gives itself away by its spelling errors and strange grammatical usage. But it does get some things right.

For instance, the scam does incorporate PayPal's logo and list a valid (and publicly available, mind you) address for PayPal at 353 Sacramento Street in San Francisco, California.

Researchers at PhishMe report that the attack campaign is currently hosted on a website hellopc[dot]co[dot]nz, which an individual calling themselves "Mr.Dr3awe" claims to have been hacked. The phishing kit used in the campaign is buried in a subdirectory on the site. No doubt Mr.Dr3awe hid the kit in this fashion in an attempt to evade detection by anti-phishing vendors.

Clicking on the phishing email's "Let's Get Going" link sends the recipient to another website hosting a fake PayPal login page. If they sign in, a subsequent page asks them for their name, address, and credit card number.
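As an added example (not part of the original article or of PhishMe's research), a small Python triage routine that applies the giveaways described above to a constructed imitation of the email: a generic greeting, urgency wording, and a call-to-action link whose host is not PayPal's even though the message names PayPal. The phishing host, the sample message and the one-entry allowlist of legitimate hosts are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the brand legitimately uses (assumption for this example, not a vetted allowlist).
BRAND_HOSTS = {"paypal": {"paypal.com"}}
GENERIC_GREETINGS = ("hi there", "dear customer", "dear user", "dear member")
URGENCY_PHRASES = ("suspend", "suspicious", "verify your account", "limited access")

# Constructed imitation of the email described in the article; the link host is a placeholder.
SAMPLE_PHISH = """<p>Hi there,</p>
<p>We have decided to temporarly suspend your account until investigating your recent activiies.</p>
<p><a href="http://phish-host.example/kit/paypal/login.php">Let's Get Going</a></p>
<p>PayPal, 353 Sacramento Street, San Francisco</p>"""

class _LinkCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def host_belongs_to(host, allowed):
    """True only if host is an allowed domain or a subdomain of one (dot-anchored match)."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def triage(html_body, brand="paypal"):
    """Return the phishing indicators found in an email that names `brand`."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower().strip()
    if text.startswith(GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency language")
    collector = _LinkCollector()
    collector.feed(html_body)
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        if brand in host and not host_belongs_to(host, BRAND_HOSTS[brand]):
            findings.append(f"brand name inside foreign host: {host}")  # e.g. paypal.com.evil.example
        elif brand in text and not host_belongs_to(host, BRAND_HOSTS[brand]):
            findings.append(f"{brand} email links to foreign host: {host}")
    return findings
```

A kit hosted in a subdirectory of a compromised site, as in this campaign, still fails the host check, since the comparison is on the link's hostname and not on its path.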

[Image: PayPal phishing page]

For the purposes of gaining more control over the victim's identity, the fraudsters then ask for something more. PhishMe's Chase Sims explains:

"If the victim is willing to hand over their phone and credit card numbers, could they possibly be willing to provide even more personal information? How about a selfie? The next page seeks to verify the identity with a photo of the victim holding up a form of ID and credit card next to their face."

[Image: Selfie prompt]

Uploading a valid image and hitting the "Agree & Continue" button redirects the user to an official PayPal website. Meanwhile, someone named "najat zou" in "mansac, France" exfiltrates the data, at which point they can do whatever they want with it.

This isn't the first PayPal phishing campaign, and it certainly won't be the last.

With that said, users should avoid clicking on links in suspicious emails, and they should never hand over their credit card information to someone they don't know. They should also protect their PayPal accounts with two-step verification (2SV).

5 Responses

  1. Checco

    June 19, 2017 at 1:37 pm

    Has anyone tried to find the model who posed for the correct/incorrect shots and follow the trail back from there?

  2. SlipperyJim

    June 20, 2017 at 1:13 pm

    Thanks to Graham's advice I set up 2SV on my PayPal and other accounts ages ago. Even if I change browser on the same PC I have to use the keycode sent to my mobile.
    I also use LastPass, which recognises the real website URLs and doesn't even try to load my login details on the wrong site!

  3. Nigel

    June 20, 2017 at 3:59 pm

    Perhaps this particular phishing campaign is part of a larger program to identify Darwin Award candidates.

  4. Michael Ponzani

    June 20, 2017 at 4:13 pm

    The syntax and spelling errors are there to weed out the intelligent people. I caught the syntax right away. I had to re-read it for the spelling. Also, "Hi there," is a giveaway since they do not know whom they are specifically addressing.

    • Chris in reply to Michael Ponzani.

      June 23, 2017 at 11:17 am

      I can understand that if the phisher is trying to harvest victims for one-to-one conversations for personal scamming, so as to avoid wasting their time on hopeless prospects. The approach in the article seems to be fully automated so I can't see the advantage in intentionally weeding out anyone here. Maybe it's just that English is not the scammers' first language.