PayPal Phishing Scams Gaining Sophistication

January 11, 2019

PayPal phishing schemes are fairly common these days. Many, or even most, of them are generic in nature. In other words, they don’t target a specific person or group; they are crafted so that they can be sent to a large number of people at one time as spam. However, some arrive looking as if they could actually be from PayPal and are specific or somehow related to the recipient. This is called spear-phishing, because the attacker has some information with which he can spear his target specifically. This tactic is more likely to result in success for the phisher.

Spear-phishing campaigns are on the increase, and the use of PayPal as the bait is increasing in sophistication with each new campaign. Cisco researchers have found several versions of imposter PayPal websites that are so well done that they can trick even the most phishing-savvy person into falling for the scams behind them.

What makes this even more problematic is that these phony websites are actually legitimately registered, sometimes even with actual security certificates attached. Many, such as one of the primary ones used, redirectly-paypal.com, are registered through a site called Wix. Many of the other fake ones are listed here:

Unfortunately, the fake sites use the color schemes, text styles, and images from the actual PayPal site, making them nearly impossible to detect. Some have also registered with very popular and legitimate hosts, such as CyrusOne LLC, which also hosts CarFax and Dell. However, there are some ways to tell if one is trying to trick you:

- Check the website name in the address bar. It should be “paypal.com” and have the “https” in front, as well as the secured site text and lock icon. If you’re using the U.S. site, it may even display as “paypal.com/us/home” and the “us” may be changed to the country for the site you’re using. For the German site, the “us” in that URL is replaced with “de,” for example.

- Check for the little country flag in the lower corner of the site. As of the time of writing, it’s in the lower right corner as you scroll down the site. If the site is in the U.S., that flag will be the U.S. flag.

- If you see anything prior to the “.com” other than the word “paypal,” or anything prior to the word “paypal,” it is likely fake. In other words, the only thing that should be between the dots is the word “paypal,” followed immediately by the “.com.”

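- The green text, the lock, and the “https” are all positive, though not always definitive, indicators of the legitimate site. As noted above, some of the phony sites carry actual security certificates, so these signs alone do not prove a site is genuine.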
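
The address-bar checks in the list above can be written as a strict host comparison. This is an added example, not code from the article or from PayPal; the function name, the allowance for a `www.` prefix, and every sample URL are assumptions or constructed values.

```javascript
// Added illustration of the address-bar rules above; not PayPal's or the article's code.
// checkPayPalUrl, ALLOWED_HOSTS and all sample URLs are constructed for this example.
const ALLOWED_HOSTS = new Set([
  "paypal.com",
  "www.paypal.com", // assumption: the article names only "paypal.com"
]);

function checkPayPalUrl(raw) {
  let url;
  try {
    // Accept defanged input ("[.]") so reported links can be checked as well.
    url = new URL(String(raw).trim().replace(/\[\.\]/g, "."));
  } catch (err) {
    return { genuine: false, host: null, reasons: ["not a parseable absolute URL"] };
  }
  const reasons = [];
  // The URL parser lowercases the host and turns non-ASCII labels into "xn--" form,
  // which is the host the browser would actually contact.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") reasons.push("scheme is not https");
  if (url.username || url.password) reasons.push("text before '@' is not the host");
  if (!ALLOWED_HOSTS.has(host)) {
    if (host.split(".").some((label) => label.startsWith("xn--"))) {
      reasons.push("internationalized look-alike label");
    } else if (host.endsWith(".paypal.com")) {
      reasons.push("extra label in front of paypal.com");
    } else if (host.includes("paypal")) {
      reasons.push("'paypal' is only part of another site's name");
    } else {
      reasons.push("host is not paypal.com");
    }
  }
  return { genuine: reasons.length === 0, host, reasons };
}

// Constructed samples (example.net and example.org are reserved documentation domains).
const samples = [
  "https://www.paypal.com/us/home",
  "https://paypal.com.account.example.net/login",
  "https://paypal-update.example.org/",
  "https://www.paypal.com@example.net/",
  "http://paypal.com/de/home",
  "https://update[.]paypal[.]com[.]example[.]net/",
];
for (const s of samples) {
  const r = checkPayPalUrl(s);
  console.log(r.genuine ? "OK     " : "SUSPECT", s, r.reasons.join("; "));
}
```

Only the first sample passes; each of the others fails for a different reason, which the function reports alongside the host the browser would really connect to.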

Some of these phishing sites actually try to get users to enter credentials other than the ones for PayPal. A common one attempts to spoof an Apple credential verification page. However, Apple and PayPal are not related, so an Apple login page should not show up.

Another site uses the Spanish language but targets English speakers. If the text is in another language, those behind it are most definitely up to no good.

It’s likely that more of these sites, and others using other well-known companies, will be popping up in the future. If you need to verify credentials or check something in any online account, go directly to a bookmarked link or type in the address manually, being careful not to make typos. Then log in there to do your sanity checks or to make changes. Don’t click on links in email messages to do this, even if you think they may be real. It’s just safer not to.

Stickley on Security