A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports.
The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is a bit.ly address that then redirects the browser to an attacker-owned landing page, which asks for a complete rundown of personal data.
The ongoing campaign showcases “the current ‘let’s take all that we can get’ mentality of the attackers quite well,” Jan Kopriva, with the Computer Security Incident Response team at information tech company ALEF NULA, said
in a Monday SANS ISC InfoSec Forum post. “Over the years, phishing authors seem to have learned that once they hook a phish, they should try to get all the information they can from them. This is the reason why many current campaigns don’t stop after getting the usual credit card information, but go further.”
