Paypal phishing site asks for a selfie as it steals your information

Scammers ask victims to take photo of themselves holding ID and credit card to “verify the identity”

PayPal users were always the primary targets for cybercriminals. Recently, experts from Phish.me spotted^[1] yet another phishing scam campaign that aims at inexperienced PayPal users. This time scammers decided to use a new technique – they ask victims to provide a selfie of themselves holding both identity and credit cards. Such audacious demand comes right after the victim types in required personal information into a phishing website accessed via a deceptive URL provided in fraudulent emails.

Firstly, scammers spam victims with phishing emails^[2] stating that user’s account was temporarily suspended. According to the letter, the user has to recover the account by following the link provided in the message. After clicking the “Let’s get going” button, the victim visits a phishing website that is believed to be hacked a while ago.

The phishing website is reportedly compromised by a member of Syrian Electronic Army

The scammer who compromised the site uses Mr.Dr3awe nickname and is suspected to be a member of the Syrian Electronic Army^[3]. The group of hackers is known to be using spamming, malware, phishing, DDoS attacks, website defacement and other illegal techniques and tools to attack their targets.

The scam site then suggests logging into a PayPal account. Then victims are taken to “Verify your account” page that suggests updating billing address as well as card information. The phishing page requires users:

• Legal full name;
• Address;
• Cardholder’s name;
• Card number;
• Expiration date;
• CSC.

After entering all of those details, the victim has to click Agree & Proceed which takes him or her to a page that asks to take a selfie of oneself holding credit card and identicy card. There are even correct and incorrect example of the photo provided. It is believed that scammers need such photo to launch cryptocurrency accounts and use them to launder money stolen from victims.

Once the victim provides all of the information to scammers, the phishing site automatically redirects him/her to official PayPal site, making the victim believe that the account was successfully recovered.

In the meantime, all collected data gets transferred to the victim via email. Apparently, the criminal uses oxigene.007@yandex.com email address that is connected to a Skype account of someone named Najat Zou who claims to be from Mansac, France.

Same strategy used by Acecard Android banking Trojan

The strategy of asking the user to provide a selfie to “verify the identity” has been used in October 2016 by an Android banking Trojan dubbed Acecard^[4] The malicious virus acts silently and monitors what apps the user launches. It specifically looks for apps that allow making online payments. Once the victim attempts open one of them, the Trojan displays a deceptive overlay that demands credit card information and three pictures: one of victim’s identity document’s front side, then the back side, and finally a photo of the victim himself holding the ID card.

Scammers can use collected data to steal victim’s identity, empty one’s bank accounts, log into social media networks and scam one’s friends. Therefore, we suggest you double check sender’s email address whenever you receive a letter from someone who asks for your private information. Remember that a few logos of legitimate companies is not a sign of trustworthiness and you shouldn’t click on links or attachments included in such emails.