Phishing kits uploaded to hacked WordPress sites for identity theft

July 20, 2022

In a newly discovered campaign, threat actors are planting PayPal phishing kits on hacked WordPress sites to harvest large volumes of personal data from victims, including government ID documents and photos.

Because the phishing pages are hosted on otherwise legitimate WordPress sites with established domains, they can slip past some reputation-based detection and operate undisturbed.

The campaign came to light when the kit was planted on a WordPress honeypot operated by the researchers. The attackers target poorly secured sites, brute-forcing their way into the administrator account; once inside, they install a file management plugin and use it to upload the phishing kit.
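The compromise chain above (file manager plugin installed, kit dropped into the site) leaves artefacts a site owner can look for. The following is an added defender-side check, not code from the article or from the kit: it walks a WordPress tree for installed file manager plugins and for executable scripts sitting under wp-content/uploads, where a kit uploaded through such a plugin typically lands. The plugin name list, the kit path and the sample tree are assumptions constructed for the demonstration.

```python
"""Audit a WordPress install for the artefacts of a file-manager-assisted
phishing kit drop.  Added example; the plugin list and sample tree are
assumptions, not data from the original article."""
import tempfile
from pathlib import Path

# Plugin directory slugs that indicate a file manager is installed.
# Assumed list for the example; extend to match what you allow in your estate.
FILE_MANAGER_PLUGINS = {"wp-file-manager", "file-manager", "filester",
                        "advanced-file-manager"}

# Extensions that should never be served from the uploads directory.
EXECUTABLE_EXTENSIONS = {".php", ".php5", ".phtml", ".phar"}


def find_file_manager_plugins(wp_root):
    """Return sorted slugs of installed plugins that are known file managers."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return []
    return sorted(p.name for p in plugins_dir.iterdir()
                  if p.is_dir() and p.name.lower() in FILE_MANAGER_PLUGINS)


def find_php_in_uploads(wp_root):
    """Return sorted site-relative paths of executable scripts under uploads."""
    root = Path(wp_root)
    uploads_dir = root / "wp-content" / "uploads"
    if not uploads_dir.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix()
                  for p in uploads_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTENSIONS)


def audit(wp_root):
    """Run both checks and return the findings as a dict."""
    return {"file_manager_plugins": find_file_manager_plugins(wp_root),
            "php_in_uploads": find_php_in_uploads(wp_root)}


def build_sample_site():
    """Construct a throwaway WordPress-like tree with a planted kit.
    The 'pp' directory and its contents are made up for the example."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    for d in ("wp-content/plugins/akismet",
              "wp-content/plugins/wp-file-manager",
              "wp-content/uploads/2022/07/pp/css"):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "wp-content/uploads/2022/07/photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "wp-content/uploads/2022/07/pp/index.php").write_text(
        "<?php // constructed stand-in for a fake login page\n")
    (root / "wp-content/uploads/2022/07/pp/css/style.css").write_text("body{}")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for key, value in audit(site).items():
        print(f"{key}: {value}")
```

Point it at the document root of a live site (`audit("/var/www/html")`); any hit in `php_in_uploads` is worth pulling for inspection, and a file manager plugin that nobody on the team installed is the earlier link in the same chain.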


The phishing kit uses an IP address cross-referencing technique to evade detection.

The check resolves each visitor's IP address and compares the result against a list of domains belonging to specific organisations, including several cybersecurity companies. Visitors who match are not shown the phishing pages, which keeps automated scanners and researchers from seeing the kit and lowers its chance of being flagged.
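To make the evasion concrete, here is an added illustration of the cross-referencing logic as described above. It is not the kit's own code: the blocked domain list, the sample PTR table and the response codes are constructed for the example, and the resolver is injectable so the block runs offline.

```python
"""Illustration of visitor-IP cross-referencing against organisation domains.
Added example, not the kit's code; blocklist and PTR table are constructed."""
import socket
from typing import Callable, Optional

# Organisation domains the kit refuses to serve.  Constructed sample list.
BLOCKED_DOMAINS = ("example-security.test", "scanner-vendor.test",
                   "research.example")

Resolver = Callable[[str], Optional[str]]


def reverse_dns(ip: str) -> Optional[str]:
    """Default resolver: PTR lookup of the visitor's IP, None if it has none."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror, OSError):
        return None


def matches_blocked_domain(hostname: Optional[str], blocked=BLOCKED_DOMAINS) -> bool:
    """True when the resolved name is a blocked domain or a subdomain of one."""
    if not hostname:
        return False
    hostname = hostname.rstrip(".").lower()
    return any(hostname == d or hostname.endswith("." + d) for d in blocked)


def should_serve_phish(ip: str, resolver: Resolver = reverse_dns) -> bool:
    """Kit-side decision: serve the lure unless the visitor resolves into a
    blocked organisation."""
    return not matches_blocked_domain(resolver(ip))


def handle_request(ip: str, resolver: Resolver = reverse_dns):
    """Return (status, body) the kit would answer with for this visitor."""
    if should_serve_phish(ip, resolver):
        return 200, "fake PayPal CAPTCHA page"
    return 404, "Not Found"


# Constructed PTR table standing in for live reverse DNS (documentation
# ranges only; none of these names or addresses are real).
SAMPLE_PTR = {
    "203.0.113.10": "crawler7.scanner-vendor.test.",
    "198.51.100.25": "vpn.research.example",
    "192.0.2.77": "cpe-192-0-2-77.residential-isp.test",
    "192.0.2.78": None,
}


def sample_resolver(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    for visitor in SAMPLE_PTR:
        print(visitor, handle_request(visitor, sample_resolver))
```

The practical consequence for responders: if you fetch the reported URL from an address whose PTR record names your organisation, you get a 404 and may close the ticket as a false positive. Confirm from an address with no such reverse mapping, or from a residential egress, before deciding the site is clean.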

Because PayPal is one of the most widely used payment platforms, the attackers style the pages on the hacked site as a professional-looking, legitimate PayPal site to lure victims more effectively.

The researchers also found that the threat actors use an `.htaccess` file to rewrite the URLs of the fraudulent pages, giving them cleaner links that add to the sense of legitimacy.
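As an added illustration of the rewriting described above (not the kit's actual `.htaccess`), the first fragment below shows the kind of mod_rewrite rules that hide a script's file name behind a clean path; the second shows the defender-side counterpart usually placed in `wp-content/uploads`. The directory name `pp`, the script names and the clean paths are assumptions made for the example.

```apache
# --- File 1: hypothetical attacker .htaccess in the kit directory ---
# Serve the kit's PHP pages under extension-less, PayPal-looking paths so the
# link the victim sees is /signin rather than /pp/login.php.  (Illustration;
# paths and names are assumptions, not the kit's own configuration.)
RewriteEngine On
RewriteBase /

RewriteRule ^signin/?$   pp/login.php    [L,QSA]
RewriteRule ^verify/?$   pp/verify.php   [L,QSA]

# Generic fallback: any extension-less request maps to a .php file of the
# same name if one exists.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.+)$ $1.php [L]

# --- File 2: defender-side .htaccess for wp-content/uploads (Apache 2.4) ---
# Common WordPress hardening: nothing uploaded here may execute as PHP, so a
# dropped kit is served as a download or denied rather than run.
<FilesMatch "\.(php|php5|phtml|phar)$">
    Require all denied
</FilesMatch>
```

An `.htaccess` file appearing in a directory that never needed one, or one containing `RewriteRule` lines in an uploads path, is a cheap file-integrity signal worth alerting on alongside the PHP-in-uploads check.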

The data theft begins with a fake CAPTCHA check. The site then shows a login page where the victim enters their email address and password, which are sent to the attackers' server.

Credentials alone are not enough for the attackers, so the site next reports a fake "unusual activity" problem that requires the victim to enter more sensitive information for "verification": banking details, physical address and social security number, among others. The victim is also told to upload identification documents such as a passport or driver's licence.

This trove of sensitive data can then be used for further fraud, such as impersonating the victim to defraud others. Even today, people still fall for phishing sites despite repeated warnings to be cautious of cybercriminals.

Experts continue to advise being wary of unexpected emails from unknown senders, always checking a site's domain name, and treating any page that asks for an unusual amount of sensitive information as suspect.
