Proofpoint recently dissected a tricky PayPal phish. What’s interesting about this phish is that it was made with a phishing kit that allows scammers to steal lots of information easily, and scammers don’t have to be tech-savvy to use a kit to steal your personal information.

Like many phish, this one starts with an email and a malicious link; in this case, the link leads to a fake PayPal login page. A victim who enters their account credentials would then be taken to a page that explains that PayPal doesn’t recognize their device and needs to verify their account.

First, the victim is asked to enter their credit card information. Then the next pages tell the victim to link their bank account by surrendering both their routing information and their bank login credentials!

To “confirm” their identity, the victim can add the information from their driver’s license or even upload a document (presumably a picture or scan of their license). Proofpoint found that this screen could be skipped, but substantial damage would still be done even without ID information.

The victim is then redirected to the real PayPal site.

A few interesting things about this kit:

  • It verified information, like the PayPal email address and the credit card numbers, as the user entered them. A lot of older phishing pages didn’t do that; in fact, some people used to enter fake information on suspicious pages to test for a phish.
  • The kit provided a UI for the scammer, organizing the tools they could use to steal information. Proofpoint even found a “selfie” page that would allow the scammer to control a victim’s webcam!
  • The pages made with the kit supported multiple languages to snare users from many different countries.

Kits like this may be on the rise, bringing phishing to an even wider audience of scammers. Think B4 U Click and read about our “Take a BITE out of phish!” campaign to learn how to avoid phish like this one.