What’s worse than getting phished? Getting phished *and* sending a selfie of your Photo ID and credit card

Just the latest in a long line of scams…

David bisson
David Bisson
@
@DMBisson

What's worse than getting phished? Getting phished *and* sending a selfie of your Photo ID and credit card

Phishers are targeting PayPal users not only for their login credentials but also for selfies of them holding their ID cards.

This scam campaign starts off like so many others. A user gets an attack email falsely warning them that PayPal has suspended their account “for security precaution.”

“Hi there,

“Our technical support and customer department has recently suspected activities in your account.

“Therefore we have decided to temporarly suspend your account until investigating your recent activiies. Such things can happen if you clicked a suspecious link on social media or gave your password to someone else

“We’re always concerned about our customers security so please help us recover your account by following the link below.

The phishing email gives itself away by its spelling errors and strange grammatical usage. But it does get some things right.

For instance, the scam does incorporate PayPal’s logo and list a valid (and publicly available, mind you) address for PayPal at 353 Sacramento Street in San Francisco, California.

Researchers at PhishMe report that the attack campaign is currently hosted on a website hellopc[dot]co[dot]nz, which an individual calling themselves “Mr.Dr3awe” claims to have been hacked. The phishing kit used in the campaign is buried in a subdirectory on the site. No doubt Mr.Dr3awe hid the kit in this fashion in an attempt to evade detection by anti-phishing vendors.

Sign up to our free newsletter.
Security news, advice, and tips.

Clicking on the phishing email’s “Let’s Get Going” link sends the recipient to another website hosting a fake PayPal login page. If they sign in, a subsequent page asks them for their name, address, and credit card number.

Paypal phishing 2

For the purposes of gaining more control over the victim’s identity, the fraudsters then ask for something more. PhishMe’s Chase Sims explains:

“If the victim is willing to hand over their phone and credit card numbers, could they possibly be willing to provide even more personal information? How about a selfie? The next page seeks to verify the identity with a photo of the victim holding up a form of ID and credit card next to their face.”

Selfie prompt

Uploading a valid image and hitting the “Agree & Continue” button redirects the user to an official PayPal website. Meanwhile, someone named “najat zou” in “mansac, France” exfiltrates the data, at which point they can do whatever they want with it.

This isn’t the first PayPal phishing campaign, and it certainly won’t be the last.

With that said, users should avoid clicking on links in suspicious emails, and they should never hand over their credit card information to someone they don’t know. They should also protect their PayPal accounts with two-step verification (2SV).


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

7 comments on “What’s worse than getting phished? Getting phished *and* sending a selfie of your Photo ID and credit card”

  1. ✔ Checco

    Has anyone tried to find the model who posed for the correct/incorrect shots and follow the trail back from there?

  2. SlipperyJim

    Thanks to Graham's advice I set up 2SV on my PayPal and other accounts ages ago. Even if I change browser on the same PC I have to use the keycode sent to my mobile.
    I also use LastPass, which recognises real the website urls and doesn't even try to load my login details to the wrong site!

  3. Nigel

    Perhaps this particular phishing campaign is part of a larger program to identify Darwin Award candidates.

    1. coyote · in reply to Nigel

      Actually that's very unfair. It's true that like spammers they feel it's profitable to target as many as possible (well – it depends on their ultimate target and goal) but there are some people who are more vulnerable. The elderly is an example. And really anyone who is ignorant or unaware of how these things work is also at risk. This has absolutely nothing to do with doing anything stupid and certainly nothing to do with doing something stupid resulting in death. Ignorance is not at all the same thing as stupidity and we also all make mistakes.

      Of course maybe your comment is not meant to be serious but just in case… It's hard to tell because many people do actually equate these types of things to stupidity and also say the people deserve it. No. Nobody deserves to be cheated or attacked.

  4. Michael Ponzani

    The syntax and spelling errors are there to weed out the intelligent people. I caught the syntax right away. I had tore-read it for the spelling. Also, "Hi there," is a giveaway since they do not know whom they are specifically addressing.

    1. Chris · in reply to Michael Ponzani

      I can understand that if the phisher is trying to harvest victims for one-to-one conversations for personal scamming, so as to avoid wasting their time on hopeless prospects. The approach in the article seems to be fully automated so I can't see the advantage in intentionally weeding out anyone here. Maybe it's just that English is not the scammers' first language.

  5. coyote

    Yes, including a missing full stop. Also are the quotes part of the email itself? It seems odd to me that PayPal or any organisation would include that as if they're quoting those who made the decision (or maybe more likely the computer made the decision) rather than just telling the person. And since it's not referencing a person as in quoting them it seems clear to me that if that is verbatim that's another suspect thing. Hardly surprising.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.