Hackers combine ransomware and PayPal phishing to acquire personal data

by Olivia Morelli - - 2019-01-21

The in-development ransomware uses PayPay phishing page to make users enter their credit card details

Ransomware uses PayPal Phishing Ransomware attempt to steal personal details, including banking information, with the help of ransomware attack

MalwareHunterTeam discovered^[1] a new type of ransomware that tries to redirect users to a spoofed PayPal page in order to acquire their credit card credentials and personal information. The malware, called CryTekk, is not too sophisticated, and, according to researchers, can be decrypted. However, the phishing part is something no other ransomware authors tried before and adds an extra threat vector to the campaign.

Ransomware is one of the most devastating cybersecurity threats, as the encrypted files remain inaccessible even after malware's removal is performed. Victims are asked to pay a certain amount of money, usually in Bitcoin or another crypto, to regain access to personal files like videos, music, pictures, documents, etc.

While cybersecurity experts usually advise not to pay the ransom, some users might find it as the only solution if the encrypted files are invaluable. Additionally, businesses suffer from significant losses due to ransomware attacks, such as WannaCry, which wreaked havoc all over the world back in 2017.^[2]

Ransom note offers two payment methods – Bitcoin transaction or PayPal payment

Ransomware can be distributed in many different ways, including spam emails, malicious websites, fake updates, exploits, and many users get infected without realizing the dangers. The ransom note that is dropped on the victim's computer explains what happened to personal files and provides contact details and sometimes payment instructions.

In CryTekk's case, ransomware authors offer users two different payment methods – using Bitcoin wallet or PayPal:

YOUR FILES HAVE BEEN ENCRYPTED!
Dear victim:
Files have been encrypted! and Your computer has been limited!
To unlock your PC you must pay with one of the payment methods provided, we regularly check your activity of your screen and to see if you have paid. Paypal automatically sends us a notification once you've paid. But if it dosen't unlock your PC upon payment contact us
(CryTekk@protonmail.com)

Reference Number: CT-[redacted]
When you pay via BTC, send us an email following your REF Number if your PC dosen't unencrypt. Once you pay, Your PC will be decrypted. However if you don't within 14 days we will continue to infect your PC and extract all your data and use it.
Google 'how to buy/pay with bitcoin' if you don't know how. To pay by bitcoin: send $40 to your unique bitcoin address b>[redacted]
PayPal
Buy Now

While the message is written in broken English, entering the PayPal “payment method” brings users to quite decently-looking phishing page of PayPal. Users are not asked to log in, but they land to payment screen immediately. Once filled in, victims are then asked for more personal information, including name, date of birth, address, phone number, and other details. After clicking Agree, users are then led to the message that claims a successful account restoration.

When looked at closely, the signs of phishing are immediate: according to crooks, PayPal is somehow communicating with them, and also limiting their official PayPal account (because they are backing the hackers?). Reputable organizations like PayPal do not collaborate with any type of malware authors and would not limit somebody's account because of that.

Additionally, the entry-level English gives out many signs of deception. Those who choose to pay $40 in Bitcoin can avoid the personal data disclosure. Nevertheless, users should not pay the ransom and decrypt files for free instead.

PayPal being targeted by scams is not a new phenomenon

PayPal is the largest online payment system in the world and used by many organizations, as well as regular users (as of 2018, the company held 254 million users worldwide). It is not surprising that crooks want to make use of such popularity, and often target people and companies with scam emails, obfuscated login pages, and similar.

Additionally, crooks use PayPal not only to harvest personal details of users but also infect them with malware.^[3] For example, a sophisticated banking trojan can steal money from the PayPal account and transfer it directly to cybercrooks without any warning.^[4]

This new campaign which combines ransomware and PayPal phishing proves that cybercriminals are always looking for new ways how to infect users and extract everything they can – money and personal data, which can be later sold on the Dark Web, resulting in such data compilations like Collection #1 – a databases consisting of 773 million records.^[5]

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions

References

^ MalwareHunterTeam. Something new. Twitter. Social network platform.
^ Alex Hern and Samuel Gibbs. What is WannaCry ransomware and why is it attacking global computers?. The Guardian. News, sport and opinion from the Guardian's global edition.
^ Julie Splinters. PayPal virus. How to remove? (Uninstall guide). 2-spyware. Cybersecurity news and articles.
^ Lukas Stefanko. Android Trojan steals money from PayPal accounts even with 2FA on. ESET. WeLiveSecurity blog.
^ Matt Burgess. Collection #1 is the world's biggest data dump. Check your passwords. Wired. Magazine that focuses on how emerging technologies affect culture, the economy, and politics.