new-phishing-kit-hijacks-wordpress-sites-for-paypal-scam

Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

New Phishing Kit Hijacks WordPress Sites for PayPal Scam

Researchers have discovered a new phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam to trick targets into handing over their most sensitive data, including government documents, photos, and even banking information — under the guise of security controls. 

Akamai researchers said the attackers use a file management WordPress plug-in to deploy the phishing kit, which includes several checks on the connected IP addresses to evade detection of their known malicious domains. It also allows the threat actors to rewrite URLs without the .php at the end, making them look more like genuine addresses. 

Once up and running, the scam PayPal site asks victims to jump through a series of apparent security measures — even a CAPTCHA challenge — when the threat actors are simply grabbing the information for data and identity theft. 

“By using captcha immediately, telling the victim that there has been unusual account activity, and reinforcing ‘trust’ by utilizing ‘new security measures’ like proof of government identification, they are making the victim feel as if they are in a legitimate scenario,” the Akamai team explains in their new report on the PayPal phishing kit. “The same methods that can ensure an identity is secure can ultimately lead to total identity theft — not just credit card numbers, but cryptocurrency accounts and anything else the threat actor wants to obtain.” 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Related News

Hackers using USB drives to spread malware in ongoing attack

Hackers using USB drives to spread malware in ongoing attack

According to a recent post by the cybersecurity firm Mandiant, USB drives are being used to hack targets in Southeast…
AI-Powered Smart Glasses Give Deaf People the Power of Speech

AI-Powered Smart Glasses Give Deaf People the Power of Speech

In a recent example of innovative technology making a positive difference, there is now new artificial intelligence (AI) powered smart…
16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

16,000+ Scam Domains Aimed at FIFA World Cup Fans in Qatar

Seeing as scammers readily jump to capitalize on events with huge global interest, it comes as no surprise that Group-IB…