PayPal credential phishing with an even bigger hook

January 17, 2020 by Tyler Schultz

Credential phishing is a tried-and-true method for malicious actors to gain access to unsuspecting victims’ accounts. Scammers first create a sense of urgency with a phishing email to trick victims into clicking a link that takes them to a spoofed login page. If the victim fails to recognize the red flags of the malicious page and enters their login credentials, the deed is done. The scammer has the login information they need to access the account to make changes or uncover sensitive information, financial records and more.

However, with the increased adoption of multi-factor authentication, login credentials alone may not be enough for scammers to gain the access or information they’re after. Plus, if you don’t recognize the signs of a spoofed login page, there’s a good chance you won’t see the red flags when the page requests even more information. For these reasons, credential phishing is evolving into something even more dangerous.

Is your organization susceptible to phishing attacks? Find out today with a free Phishing Risk Test!

Run Free Test

The emergence of multistep data entry attacks

Scammers are taking their phishing techniques to the next level by spoofing sophisticated account verification and recovery processes. These go beyond credential phishing to harvest billing addresses, social security numbers, account recovery information and even credit card numbers.

In a recent phishing attack, scammers built a multistep PayPal account verification process disguised as a security feature. The attack starts with a phishing email notifying the victim of unusual activity and the need to confirm their identity.

PayPal phishing attack

Image courtesy of welivesecurity

The victim is then taken to a spoofed PayPal login page that perfectly mimics PayPal’s legitimate login process. If a victim enters their credentials, the scammer attempts to gain access to the account. Even worse, if the victim continues through the account verification steps, the scammer can steal additional information without ever logging in to the account, tripping security alerts or getting stopped by multi-factor authentication.

After the spoofed login process, the victim is asked to verify their billing address, credit or debit card number and other information such as their mother’s maiden name. In this attack, the scammer steals as much information as the victim shares, whether they complete the entire spoofed account verification process or leave the page before completing each step.

PayPal phishing attack

Image courtesy of welivesecurity

If the victim completes the entire spoofed account verification process, they are shown a message congratulating them for restoring their account before being redirected to the legitimate PayPal website.

PayPal phishing attack

Image courtesy of welivesecurity

This allows the scammer to cover their tracks and avoid tipping the victim off to the attack.

Are multistep data entry attacks the new norm?

New multistep data entry attacks are discovered nearly every week. A common Netflix credential phishing attack that has been circulating for years was recently spotted with a new addition. Instead of capturing login credentials alone, this attack also asks for the victim’s billing address, social security number and birthday.

Netflix phishing attack

Image courtesy of mailguard

And like spoofed login pages, additional form steps are often designed with fake security indicators and company logos making it even harder for victims to detect the scam.

What does this mean for your organization?

While these examples target personal accounts, multistep data entry attacks are just as likely for employee logins and accounts used for your internal operations — and potentially more dangerous.

If you were to guess, how many employees at your organization re-use the same password for every account? This common security blunder could turn a single account breach into free access to your organization’s most sensitive data.

And with an entire portfolio of software solutions spread across your entire workforce (not to mention shadow IT), it’s more important than ever for each employee to learn the skills to recognize and avoid every step of this attack.

Train your employees & test their skills

Security awareness and training is vital for virtually every employee at organizations of every size. By learning basic security best practices and keeping cybersecurity top-of-mind, your employees and coworkers can avoid and report attacks that slip past your technical controls.

You can also pair training with simulated phishing campaigns that replicate the attacks your workforce is most likely to face to test their ability to avoid attacks. Security awareness and training platforms such as Infosec IQ even have pre-built phishing templates and spoofed login pages for the PayPal and Netflix attacks outlined above to help you prepare employees for new and emerging attacks.

Interested in seeing Infosec IQ in action? Request a demo today!

Demo Today
Posted: January 17, 2020
Tyler Schultz
View Profile

Tyler Schultz is a marketing professional with over seven years of experience delivering SaaS solutions to organizations of all sizes. As a product marketing manager at Infosec, he is dedicated to helping organizations build strong cybersecurity cultures and meet their security awareness goals. He helps the Infosec team push the boundaries of effective and engaging security awareness training with a focus on experiential learning, gamification, microlearning and in-the-moment training. Tyler is a UW-Madison and UW-Whitewater graduate and Certified Security Awareness Practitioner (CSAP).