New research from Akamai has found that a new threat actor is parasitising benign WordPress sites to execute an extensive PayPal phishing scam.
According to the Akamai blog, the scam injects a discreet phishing kit into existing, non-malicious WordPress sites as a way of maintaining evasion. It then gains extensive access to a victim's identity and information by mimicking new security practices.
Common bogus prompts require users to submit government documents and photographs, in addition to their banking information and email passwords. This can lead to substantial identity theft issues and further extensive loss of financial and data security. The scam also attempts to gain trust by claiming there is unusual activity, tricking users into going through with the security checkpoints.
A unique aspect of the phishing kit is that it attempts to directly evade security companies by providing multiple different checks on the connecting IP address to ensure that it doesn't match specific domains or originate from security organisations.
The threat actor behind the site uses a file management plugin to upload the phishing kit, allowing for further exploitation of the WordPress site.
They use htaccess to rewrite the URLs to not have .php at the end of the URL. This gives the phishing page a more polished and professional look.
This new scam is only a small part of a significantly wider problem. Identity theft has so far affected 42 million people in 2021, with total losses equalling USD$52 billion and this new threat being one of many currently circulating.
“People judge brands and companies on their security measures these days. Not only is it commonplace to verify your identity in a multitude of ways, but it's also an expectation when logging in to sites with ultrasensitive information, such as financial or healthcare companies,” states the blog.
“By using captcha immediately, telling the victim that there has been unusual account activity, and reinforcing “trust” by utilising “new security measures” like proof of government identification, they are making the victim feel as if they are in a legitimate scenario. The same methods that can ensure an identity is secure can ultimately lead to total identity theft — not just credit card numbers, but cryptocurrency accounts and anything else the threat actor wants to obtain.
Akamai recommends that users continue to be aware of scams and threats relating to breached security as the landscape continues to evolve. They say that phishing honeypots are becoming increasingly more common and are a much better way for threat actors to deceive vulnerable users than typical email phishing scams.
“There have been several innovations in the way phishing looks and feels to make them seem more legitimate than the classic Nigerian Prince scam,” the blog states.