A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports. The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is a bit.ly address that then redirects the browser to an attacker-owned landing page, which asks for a complete rundown of personal data.
Commenting on the news is Javvad Malik, security awareness advocate at KnowBe4:
We are seeing the criminals becoming more and more brazen in their attacks and methods. The key is to dupe someone to click on a phishing link, once that has happened then the criminal can ask for whatever they wish.
This is not uncommon as we have seen this evolution in ransomware. Whereas previously ransomware only encrypted files now criminal look to steal data and logins and as much information as possible.
Similarly, we could be seeing the emergence of a trend where phishing attacks will look to gather more and more information.
It is why organisations need to ensure staff receive effective and timely security awareness and training so that they can spot phishing emails and report them appropriately.