Faked PayPal email notifications directing recipients to malicious websites aren’t new. But cybercriminals are getting a lot better at executing them.
That’s what the discovery of a current phishing campaign designed to lure victims to click to a pair of very well-designed faked PayPal websites shows.
The finding comes from researchers at OpenDNS, a free, ad-sponsored service for making faster, more secure website connections.
The fraudulent PayPal websites are virtually indistinguishable from the real PayPal.com, down to the images used on the login screen, the color palette, and the HTML code used in the page’s layout, the researchers found.
The faked sites were registered through a popular web hosting service and designed using the service’s extensive site-building tools, resulting in a professional and realistic-looking site. “An untrained observer might not notice and actually follow through with entering credentials,” OpenDNS researchers wrote.
More Believable Domain Names
Even the domain names were selected to confuse victims. The phishers used site names like “redirectly-paypal.com” and “security-paypal-center.com.” One forged domain, “x-paypal.com,” was a “perfect clone of the legitimate PayPal.com site,” the researchers said.
Phishing refers to how attackers lure victims into handing over sensitive information such as user names, passwords and financial information. For the most part, phishing attacks begin with an email that appears to be from a legitimate source, whether it’s a person or a business, asking for specific pieces of information. This latest phishing campaign began with fake emails masquerading as official communications from PayPal.com.
If the recipient falls for the trick and clicks on a link in the email, the victim is directed to a website — which looks legitimate — to enter the information. The Anti-Phishing Working Group, a global consortium of companies and agencies, counted 128,378 phishing sites in the second quarter of 2014. This is the second-highest number of phishing sites detected in a quarter, topped only by the 164,032 phishing sites active in the first quarter of 2012.
While the majority of phishing attacks are not personalized and are sent to as many potential victims as possible, targeted phishing — also known as spear-phishing — also occurs. In those cases, the attacker uses information about the recipient to create an even more convincing lure.
A well-crafted targeted phishing attack can defeat even the best security controls if an attacker is able to collect highly privileged login credentials.
There are some indicators to look out for to avoid being phished, but they require careful scrutiny and a high level of alertness. The original phishing email may have some clues — such as the fact that it outright asks for the user password. Users can verify that the site is using HTTPS and a legitimate SSL Certificate. All the spoofed sites OpenDNS observed happen to use HTTP, which is not a likely situation for any site that engages in financial transactions.
“If the wording is off or it’s blatantly asking for you to enter your password somewhere, it could be phishing,” OpenDNS said.
These attacks are not new, but they are beginning to look more legitimate with every iteration. Website builders and hosts such as Wix.com make it simple to create a professional-looking website quickly. While that is great for users interested in setting up their own sites, it is also tremendously beneficial for attackers who need to conjure up sites quickly and frequently.
“The difficulty of identifying the validity of these websites visually will soon be untenable,” OpenDNS said.
More on Identity Theft:
- Identity Theft: What You Need to Know
- 3 Dumb Things You Can Do With Email
- How Can You Tell If Your Identity Has Been Stolen?