PayPal is undoubtedly among the top brands most frequently impersonated worldwide. Between August and October alone, I personally received 19 phishing emails containing PayPal credential-stealing links. My email provider (which is not Gmail or Outlook) failed to block these messages, and they ended up in my inbox. Naturally, I took a closer look at them. Upon review, I noticed several phishing attempts that appeared to be sent in a manner similar to my personal email, which, for the record, has only been involved in one minor breach back in 2017, as confirmed by Have I Been Pwned.
One phishing kit stood out and forced my hand into blogging about it. It consisted of 11 parts, including the phishing email itself and the initial landing page; followed by several pages to harvest credit card and billing information, bank account details, and finally the bit that I’d not personally seen before (but I doubt is that new) was that it asked me to “Upload your identity”.
The amount of personal data this phishing kit is harvesting from any victims that fall for it is quite substantial. For starters, using the email and password could be used to hijack the account; the billing address and card number would be used for fraudulent payments; the the account details for a bank account could potentially be used to transfer account contents; the passports, national ID or driver’s license could also be used for identity theft. For one phishing attack, that’s quite a lot, in my opinion.
Interestingly, this PayPal phishing email leverages an Open Redirect in WhatsApp shortened URL:
Try it yourself, you can add any URL after the “https://l.wl.co/l?u=” part of the link – even a PayPal phishing page:
https://l.wl.co/l?u=https://cwe.mitre.org/data/definitions/601.html
Might want to fix that, WhatsApp
Indicators of Compromise (IOCs):
Sender Email:
ckul31gcijzl9ev-ql3keowlfcjlnliy[@]emaildl.att-mail[.]com
Redirect URL:
hxxps://l[.]wl[.]co/l?u=hxxps://qr[.]paps[.]jp/XvICB?userid=LIYnPBFM
Phishing pages:
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/unusual?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/account?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/card?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/link_card?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/link_email?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/bank?key=<redacted>
hxxps://teamputugamingalwayson[.]chickenkiller[.]com/security/alert/file/myaccount/identity?key=<redacted>
