Identity thieves have found a new way to target and steal the identities of innocent victims through a trusted platform – PayPal, as reported by Akamai.
Voice phishing and misuse of information have been common for as long as the internet has existed. But did you know identity thefts are becoming equally common? This is quite alarming because a lot of fraud (money laundering, fake cryptocurrency accounts, etc.) can be committed by using someone else's identity and if it's done through the internet, there's little chance of accountability.
These malicious criminals have now developed a kit consisting of various pages that ask for personal information just like PayPal does. Since the design and logo are almost identical to that of the real app, there is little chance of not falling for the trap.
To give you a little more information about how the false PayPal works, we set out to test it for ourselves. You will first encounter a security challenge. A security challenge that works, and looks very similar to almost all other ones on authentic platforms.
Next, once the user has been 'confirmed', they are asked to enter their PayPal account information. Upon doing so, they are presented with a 'secure your account' warning, claiming that unusual activity has been spotted on their account. Since it is a platform concerning money, it is only natural that users comply immediately.
The personal information asked to 'secure' their accounts includes their credit card information, their ATM PIN, Social security number, name, date of birth, real address, and even their phone number. The faux setup even asks their mother's maiden name to make it look authentic. Email login credentials are also confirmed, along with a document that is issued by the government statement to submit a selfie as proof of identity.
When done with all of this, you will see a pop-up claiming that your identity has been confirmed and that your account is now secure.
The way this kit works is also almost fool-proof. Since it uses actual authentic WordPress sites to link itself to different users, one would hardly suspect it. The kit forces its way into WordPress sites by logging in through password-guessing or just forcing its way in.
The kit also cannot be identified by any security companies. The loophole here is that the kit has multiple checks on the connecting IP address. These are not identifiable by the security companies hence they cannot be discovered. As for URLs, the kit uses authentic URLs instead of the usual fake '.php' ones. This indicates that whoever is behind this has access and can generate real URLs.
But then how to know if you ever get attacked? Well, if you have been on PayPal for a long, you would know that it never asks for your ATM PIN. No platform would ever ask for your ATM PIN as a security measure. Furthermore, PayPal always asks for the password only once and never again. Lastly, the platform links credit card and bank details directly. Now that you know all this, it will lower your chances of getting phished.
Although we are at risk of getting phished too, we do have to appreciate the marvelous attempt here. Stay tuned to find out about any new upcoming phishing scams!
Read next: Vishing Scam Rates Are Getting Triple of Phishing Scams And Scammers are on the loose freely
by Arooj Ahmed via Digital Information World
No comments:
Post a Comment