The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Information on this website may not be current. This website may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites. Readers of this website should contact their attorney, accountant or credit counselor to obtain advice with respect to their particular situation. No reader, user, or browser of this site should act or not act on the basis of information on this site. Always seek personal legal, financial or credit advice for your relevant jurisdiction. Only your individual attorney or advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, contributors, contributing firms, or their respective employers.
Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them. Compensation is not a factor in the substantive evaluation of any product.
Faked PayPal email notifications directing recipients to malicious websites aren’t new. But cybercriminals are getting a lot better at executing them.
That’s what the discovery of a current phishing campaign designed to lure victims to click to a pair of very well-designed faked PayPal websites shows.
The finding comes from researchers at OpenDNS, a free, ad-sponsored service for making faster, more secure website connections.
The fraudulent PayPal websites are virtually indistinguishable from the real PayPal.com, down to the images used on the login screen, the color palette, and the HTML code used in the page’s layout, the researchers found.
The faked sites were registered through a popular web hosting service and designed using the service’s extensive site-building tools, resulting in a professional and realistic-looking site. “An untrained observer might not notice and actually follow through with entering credentials,” OpenDNS researchers wrote.
Even the domain names were selected to confuse victims. The phishers used site names like “redirectly-paypal.com” and “security-paypal-center.com.” One forged domain, “x-paypal.com,” was a “perfect clone of the legitimate PayPal.com site,” the researchers said.
Phishing refers to how attackers lure victims into handing over sensitive information such as user names, passwords and financial information. For the most part, phishing attacks begin with an email that appears to be from a legitimate source, whether it’s a person or a business, asking for specific pieces of information. This latest phishing campaign began with fake emails masquerading as official communications from PayPal.com.
If the recipient falls for the trick and clicks on a link in the email, the victim is directed to a website — which looks legitimate — to enter the information. The Anti-Phishing Working Group, a global consortium of companies and agencies, counted 128,378 phishing sites in the second quarter of 2014. This is the second-highest number of phishing sites detected in a quarter, topped only by the 164,032 phishing sites active in the first quarter of 2012.
While the majority of phishing attacks are not personalized and are sent to as many potential victims as possible, targeted phishing — also known as spear-phishing — also occurs. In those cases, the attacker uses information about the recipient to create an even more convincing lure.
A well-crafted targeted phishing attack can defeat even the best security controls if an attacker is able to collect highly privileged login credentials.
There are some indicators to look out for to avoid being phished, but they require careful scrutiny and a high level of alertness. The original phishing email may have some clues — such as the fact that it outright asks for the user password. Users can verify that the site is using HTTPS and a legitimate SSL Certificate. All the spoofed sites OpenDNS observed happen to use HTTP, which is not a likely situation for any site that engages in financial transactions.
“If the wording is off or it’s blatantly asking for you to enter your password somewhere, it could be phishing,” OpenDNS said.
These attacks are not new, but they are beginning to look more legitimate with every iteration. Website builders and hosts such as Wix.com make it simple to create a professional-looking website quickly. While that is great for users interested in setting up their own sites, it is also tremendously beneficial for attackers who need to conjure up sites quickly and frequently.
“The difficulty of identifying the validity of these websites visually will soon be untenable,” OpenDNS said.
Image: iStock
October 19, 2023
Identity Theft and Scams
May 17, 2022
Identity Theft and Scams
May 20, 2021
Identity Theft and Scams