New PayPal phishing scam seeks to go beyond login credential information

February 11, 2020  |  Karoline Gore


Photo by Kon Karampelas on Unsplash

An independent guest blogger wrote this blog.

Until now, one of the greatest cybersecurity fears of PayPal users was phishing scams aimed at obtaining their login credentials. In January of this year, PayPal confirmed a high-severity bug affecting the login form: security researcher Alex Birsan found a JavaScript file containing what looked like a CSRF token and a session ID, which exposes login information to attackers. Another scam now takes this further, aiming to elicit not only login details but also personal information and payment card and bank account details.

Going a step further

The new scam, discovered by researchers at ESET, sends PayPal users an email stating that their account has experienced ‘unusual activity.’ The email then requests that the users take specific steps to protect their security. Once users click the link, they are directed to a phishing page on which they are asked to verify their account by providing data such as their home address and banking details. Once they have provided the requested data, they are told that their account is now secure/restored.

Signs of scamming

The scam highlights the importance of knowing basic cybersecurity practice. This includes being immediately suspicious of any email whose link leads to a URL other than the genuine site, and being wary of any changes in a familiar page, including misspelled words and odd-looking padlocks. One trend that was prevalent this year involved the use of a fake security certificate and a green padlock. Users should be aware of this and other new tricks by staying up to date on new cybersecurity risks, and by being vigilant of suspicious requests for information, unfamiliar addresses and links, and changes in page appearance.
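Two of the cues above (a link whose visible text or host name impersonates the brand while pointing somewhere else, and a destination that is a raw IP address) can be checked mechanically. The following script is an added example written for this post; it is not code from the article, ESET or ZeroFOX. The trusted-domain list, the lure text and all hosts in the sample email are constructed for illustration.

```python
"""Flag link-based phishing indicators in an e-mail's HTML body.

Heuristics implemented:
  1. destination host is an IP literal rather than a name,
  2. destination host contains the brand name but is not a trusted domain,
  3. visible link text mentions the brand while the href goes elsewhere.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

BRAND = "paypal"
# Hypothetical allow-list of apex domains accepted as genuine (subdomains included).
TRUSTED_DOMAINS = {"paypal.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, text]
        self._current = None   # link currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text.strip()) for href, text in parser.links]


def _host_is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none."""
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return []          # mailto:, tel: and relative links are out of scope here
    host = (parsed.hostname or "").lower().rstrip(".")
    if _host_is_trusted(host):
        return []
    reasons = []
    if _is_ip_literal(host):
        reasons.append("destination is a raw IP address")
    if BRAND in host:
        reasons.append("look-alike host contains the brand name but is not a trusted domain")
    if BRAND in text.lower():
        reasons.append("link text mentions '%s' but the destination host is %s" % (BRAND, host))
    return reasons


def scan_email_html(html):
    """Return one finding per suspicious link in the given HTML body."""
    findings = []
    for href, text in extract_links(html):
        reasons = classify_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the "unusual activity" lure described above.
SAMPLE_EMAIL = """
<p>We noticed unusual activity on your account.</p>
<p>Please <a href="http://paypal-secure-verify.example/login">verify your account</a>
to restore access.</p>
<p>Or visit <a href="http://203.0.113.7/pp/">https://www.paypal.com/myaccount</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<p><a href="mailto:support@paypal.com">Contact support</a></p>
"""

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Running it on the constructed sample flags the look-alike host and the IP-literal link while leaving the genuine help link and the mailto: link alone. The allow-list approach is deliberate: deciding what is trusted is far easier than enumerating every possible look-alike, and mail gateways typically apply the same rule.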

A new PayPal threat from 16Shop phishing gang

If you are aware of current phishing threats, then the name 16Shop phishing gang will not be new to you. This gang, whose operators are believed to be located in Southeast Asia, is specifically targeting PayPal, according to researchers at the ZeroFOX Alpha Team. The group distributes a phishing kit which aims to obtain as much information as possible from PayPal users. The kit works by sending a POST request to a C2 server containing a password, domain and path. The illicitly taken information is then sent via SMTP to the controller's inbox. The kit can then build phishing pages in a number of different languages, including English and Spanish.

Astounding discoveries

The researchers managed to view traffic between the phishing kit and the command and control server. They found that the system was so easy to navigate that even amateurs could use it without a hitch. They added that the kit was slick and sophisticated, with features such as real-time updating of data. They also found that the kit makers use various anti-bot and anti-indexing features to block the automated crawlers used by cybersecurity companies. Thus, the kit allows its users to evade detection in many cases.

Recent phishing scams have been targeting PayPal, one of the world’s most widely used payment sites. Scammers aim to obtain not only login details but also credit card details, which has the potential to cause much larger losses. Users need to be aware of emails such as those reporting suspicious activity. Security teams, too, need to find innovative ways to detect anti-indexing and other features that can give phishing scammers free rein on the internet. Finally, companies relying on PayPal for payments need to find ways to protect their customers and their own accounts, making an effort to boost employee awareness and security.
