Faked PayPal email notifications directing recipients to malicious websites aren’t new. But cybercriminals are getting a lot better at executing them.
That’s what the discovery of a current phishing campaign designed to lure victims to click to a pair of very well-designed faked PayPal websites shows.
The finding comes from researchers at OpenDNS, a free, advertising-sponsored service for making faster, more secure website connections.
The fraudulent PayPal websites are virtually indistinguishable from the real PayPal.com, down to the images used on the login screen, the color palette, and the HTML code used in the page’s layout, the researchers found.
The faked sites were registered through Web host Wix.com and designed using Wix’s extensive site building tools, resulting in a professional and realistic looking site. “An untrained observer might not notice and actually follow through with entering credentials,” OpenDNS researchers wrote.
Even the domain names were selected to confuse victims. The phishers used site names like “redirectly-paypal.com” and “security-paypal-center.com.” One forged domain, “x-paypal.com,” was a “perfect clone of the legitimate PayPal.com site,” the researchers said.
Phishing refers to how attackers lure victims into handing over sensitive information such as usernames, passwords and financial information. For the most part, phishing attacks begin with an email that appears to be from a legitimate source, whether it’s a person or a business, asking for specific pieces of information. This latest phishing campaign began with fake emails masquerading as official communications from PayPal.com.
If the recipient falls for the trick and clicks on a link in the email, the victim is directed to a website—which for all intents and purposes looks legitimate—to enter the information. The Anti-Phishing Working Group, a global consortium of companies and agencies, counted 128,378 phishing sites in the second quarter of 2014. This is the second highest number of phishing sites detected in a quarter, topped only by the 164,032 phishing sites active in the first quarter of 2012.
While the majority of phishing attacks are not personalized and are sent to as many potential victims as possible, targeted phishing—also known as spear phishing—also occurs. In those cases, the attacker uses information about the recipient to create an even more convincing lure.
A well-crafted targeted phishing attack can defeat even the best security controls if an attacker is able to collect highly privileged login credentials.
There are some indicators to look out for to avoid being phished, but they require careful scrutiny and a high level of alertness. The original phishing email may have some clues—such as the fact that it outright asks for the user password. Users can verify that the site is using HTTPS and a legitimate SSL Certificate. All the spoofed sites OpenDNS observed happen to use HTTP, which is not a likely situation for any site that engages in financial transactions.
“If the wording is off or it’s blatantly asking for you to enter your password somewhere, it could be phishing,” OpenDNS said.
These attacks are not new, but they are beginning to look more legitimate with every iteration. Website builders and hosts such as Wix.com make it trivial to create a professional-looking website in a very short period of time. While that is great for users interested in setting up their own sites, it is also tremendously beneficial for attackers who need to spin up sites quickly and frequently.
“The difficulty of identifying the validity of these websites visually will soon be untenable,” OpenDNS said.
This article originally appeared in ThirdCertainty.com and was written by Byron Acohido.