Security researchers from Proofpoint have come across a sophisticated phishing kit that automates the process of building and deploying high-end phishing pages, and which is extremely efficient at collecting login credentials and user details from PayPal users.
According to researchers, the phishing kit can be used to build multi-stage phishing pages that collect user information in different steps and then log the data in a backend. A walkthrough of all the different phishing steps is available in the gallery below.
Proofpoint researchers say the phishing kit is more than dumb HTML, as the attackers are validating data in real time, as soon as the user submits it.
The phishing kit checks for valid PayPal email addresses, checks whether the login credentials are real, and checks whether the credit card numbers are correct and satisfy the Luhn algorithm.
Most phishing pages don't bother with these checks. In fact, a common trick to detect phishing pages is to enter fake login credentials and see if the phishing page detects the error. This trick would be ineffective as the phishing kit would easily pick up that something was wrong.
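The Luhn check mentioned above is a plain checksum over the digits of a card number. The following is an added example, not code from the phishing kit or from Proofpoint; the function names, the length bounds and the sample numbers (a widely published test number and constructed strings) are assumptions made for illustration. It shows why arbitrary digits typed into a form that applies the check are usually rejected.

```python
import random

def luhn_checksum(digits):
    """Return the Luhn sum modulo 10; 0 means the number passes."""
    total = 0
    # Walk right to left and double every second digit, starting with the
    # one immediately left of the check digit.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10

def luhn_valid(number):
    """Validate a card number string, ignoring spaces and dashes."""
    cleaned = number.replace(" ", "").replace("-", "")
    if not (cleaned.isascii() and cleaned.isdigit()):
        return False
    if not 12 <= len(cleaned) <= 19:  # assumed bounds for card number length
        return False
    return luhn_checksum([int(c) for c in cleaned]) == 0

def single_digit_errors_caught(number):
    """True if changing any one digit of a valid number breaks the check."""
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch and luhn_valid(number[:pos] + repl + number[pos + 1:]):
                return False
    return True

def random_reject_rate(trials=20000, length=16, seed=1):
    """Fraction of random digit strings (constructed input) that fail."""
    rng = random.Random(seed)
    failed = 0
    for _ in range(trials):
        candidate = "".join(rng.choice("0123456789") for _ in range(length))
        failed += not luhn_valid(candidate)
    return failed / trials

if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))   # widely published test number
    print(luhn_valid("1234 5678 9012 3456"))   # constructed, fails the check
    print(single_digit_errors_caught("4111111111111111"))
    print(random_reject_rate())
```

Passing the check only means the digits are internally consistent; it says nothing about whether the card exists.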
Phishing kit comes with a backend panel
Furthermore, this phishing kit stands apart from similar products, as it's one of the rarer phishing tools that comes with a backend GUI.
Most of today's phishing tools log collected data to text files or a database but rarely bother with an admin panel interface.
"The presence of an admin panel like that described here is currently quite rare among credential phishing kits, although we have observed such panels associated with APT activities and 'white hat' phishing frameworks," Proofpoint researchers noted.
On closer inspection of the phishing kit's backend (fifth screenshot), you can also see an option to enable a "selfie" page, which is something never before seen in phishing kits.
This selfie page uses Flash to connect to the user's webcam and allow the user to take a selfie. This photo of the victim's face can then be used by attackers to validate transactions or bypass biometrics systems.
With such high-end products at their disposal, crooks can become very efficient in targeting PayPal users, and possibly customers of other services.
In recent years, many security experts have recommended that users type the URL of the page they want to access in their browser, instead of clicking links they receive in emails and SMS messages. To this day, this remains one of the simplest ways to avoid falling victim to phishing attacks.













