A PayPal phishing campaign is luring victims to a hacked site where a clone of the PayPal login page is trying to trick users into giving away their PayPal credentials, payment card details, and ... a selfie of the user holding his ID card.

Brought to Bleeping Computer's attention by security researchers from PhishMe, the crook behind this operation relies on spam emails to drive users toward a PayPal phishing page hosted on a compromised WordPress site from New Zealand.

At the time of writing, the phishing page had been removed, but following a classic pattern for phishing sites, users arriving on this page were asked to log in with their PayPal credentials.

There was no attempt to spoof the browser URL, so if users had any kind of experience with phishing pages, they would have immediately noticed they were on a page with the wrong address.

Greedy crook wants more data

Once users entered their logins, the crook wasn't satisfied. At this point, it was obvious he's dealing with an inattentive or untrained user, so this phisher decides to go all-in and ask for more data. During a four-step process, the attack asks for the user's address, payment card data, and a picture of the user holding his ID card.

It is unclear why the crook would ask for this information. PhishMe expert Chris Sims believes it is "to create cryptocurrency accounts to launder money stolen from victims."

A similar tactic was seen last year

This tactic of asking a user for a selfie while holding his ID card has been seen before. In October 2016, McAfee discovered a variant of the Acecard Android banking trojan that was also asking users to take a selfie holding their ID card when logging into their mobile banking accounts.

The tactic was quite innovative at the time, and it got a lot of press coverage. It may be plausible that the author of this phishing scam might have come across it and decided to adapt it for his phishing operation.

The way the "selfie upload" procedure has been implemented is also curious. Instead of relying on WebRTC or Flash to access the user's webcam to take a photo and save it automatically in the form, the crook asks users to upload a photo from their computer. This means more hassle, as the user has to take a selfie, transfer it to the PC, and then upload it on the crook's page. Prolonging the attack this way gives the user more time to notice something wrong with the fake PayPal site.

In addition, there's a second issue. Phishing sites usually don't feature form validation rules, taking whatever users enter in the forms. This phisher broke out of this mold and wrote special form validation rules to make sure the user is uploading the photo in JPEG, JPG, or PNG format.

The crook also made mistakes. The user's photo isn't saved to a server under the crook's control, but sent to an email address at "oxigene[.]007@yandex[.]com."

Sims says he searched for this address in the Skype user directory and found it registered to a person named "najat zou," from "mansac, France." While this information is not reliable to determine the user's nationality or location, it provides researchers with a first clue they can use to track down the phisher if law enforcement decides to investigate this case further.

Image credit: PhishMe