Analysis of the latest PayPal phishing attacks

-


As far as brands that get impersonated a lot, PayPal has got to be in the Top 5 or Top 3 globally. Between August and October, I personally received 19 PayPal credential phishing page links and my crud email provider (not Gmail or Outlook) didn't block them, so they've been landing in my inbox. So I took a look at them, natch. I examined various phishing attempts that appear to be sent in a similar manner to my personal email, which has only appeared in one small breach in 2017, according to Have I Been Pwned for the record.

One phishing kit stood out and forced my hand into blogging about it. It consisted of 11 parts, including the phishing email itself and the initial landing page; followed by several pages to harvest credit card and billing information, bank account details, and finally the bit that I'd not personally seen before (but I doubt is that new) was that it asked me to "Upload your identity".


 



The amount of personal data this phishing kit is harvesting from any victims that fall for it is quite substantial. For starters, using the email and password could be used to hijack the account; the billing address and card number would be used for fraudulent payments; the the account details for a bank account could potentially be used to transfer account contents; the passports, national ID or driver's license could also be used for identity theft. For one phishing attack, that's quite a lot, in my opinion.

Interestingly, this PayPal phishing email leverages an Open Redirect in WhatsApp shortened URL:


Try it yourself, you can add any URL after the "https://l.wl.co/l?u=" part of the link - even a PayPal phishing page:


Might want to fix that, WhatsApp 

Indicators of Compromise (IOCs):

Sender Email:
ckul31gcijzl9ev-ql3keowlfcjlnliy[@]emaildl.att-mail[.]com

Redirect URL:
hxxps://l[.]wl[.]co/l?u=hxxps://qr[.]paps[.]jp/XvICB?userid=LIYnPBFM

Phishing pages:
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/unusual?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/account?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/card?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/link_card?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/link_email?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/bank?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/identity?key=<redacted>

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more