Hacked WordPress Sites Boosted With PayPal Phishing Kit

Akamai researchers have uncovered a sophisticated new phishing scam targeting more than 400 million potential PayPal customers.

Akamai staff discovered the scam after finding it embedded in their own WordPress site, and many other legitimate WordPress sites were reportedly hacked as well.

Poorly protected websites with easy-to-guess passwords and no additional authentication or verification setup are most at risk.

PayPal scams

The scam starts with a CAPTCHA popup, which helps it go undetected most of the time. Users log into their PayPal accounts before confirming payment details, including their address, mother's maiden name, and social security number.

Users then get a false sense of security because the scam allows them to link their email address to the account, but this only gives criminals access to people's mailboxes.

Identity theft scam

The final step to supposedly secure the PayPal account is to upload an identification document, such as a passport, driving license, or national identification card, which could be used for a host of potentially illegal purposes.

In its statement, Akamai said: "Downloading government documents and taking a selfie to verify them is a bigger ballgame for a victim than simply losing credit card information - it could be used to create trading cryptocurrency accounts under the victim's name, which could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes."

The design closely mimics PayPal's color palette and interface, which users are already used to relying on. It also appears that .htaccess was used to rewrite the URL, removing the PHP file extension, which helps present a less suspicious web address.
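Site owners auditing a WordPress installation can look for the kind of extension-hiding rewrite described above. The following is an added example, not code from Akamai or from the kit; the sample .htaccess content and the function name are constructed for illustration, and it assumes WordPress's own rules sit between its `# BEGIN WordPress` and `# END WordPress` markers.

```python
import re

# Constructed sample .htaccess (not taken from the kit or from Akamai's report).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^([^.]+)$ $1.php [NC,L]
"""

# RewriteRule <pattern> <substitution> [flags]
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)
# Substitution that appends .php to a backreference, e.g. "$1.php" or "/%1.php"
HIDES_PHP = re.compile(r"[$%]\d\.php\b", re.IGNORECASE)


def find_extension_hiding_rules(text):
    """Return (line_no, line) for RewriteRules outside the WordPress-managed
    block whose substitution silently appends .php to the requested path."""
    findings = []
    in_wp_block = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("# BEGIN WordPress"):
            in_wp_block = True
            continue
        if line.startswith("# END WordPress"):
            in_wp_block = False
            continue
        if in_wp_block or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m and HIDES_PHP.search(m.group(2)):
            findings.append((line_no, line))
    return findings


if __name__ == "__main__":
    for line_no, line in find_extension_hiding_rules(SAMPLE_HTACCESS):
        print(f"line {line_no}: review rewrite rule: {line}")
```

Extension-hiding rewrites also appear on legitimate sites, so a hit is a prompt to review who added the rule and which PHP files it exposes, not proof of compromise.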

In general, Internet users are advised to verify that the URL corresponds to the company's own address, or to re-access the page from a search engine, to make sure they are not falling for a scam.