Crooks Hack World Bank SSL Certificate To Host PayPal Phishing Scam

Hackers have again attacked PayPal, this time with a clone site that even carried an SSL certificate issued for a World Bank domain.

Hackers exploited a site operated by the World Bank Group and hosted a PayPal phishing site in place of the original.

What made the scam look legitimate was the World Bank's name displayed by the site's SSL certificate.

The cyber criminals hacked the original site and removed its index page but kept the original SSL certificate issued to the World Bank.


Extended Validation certificates are issued to organizations only after thorough verification, and checking for one is among the most significant checks a user carries out before trusting an organization.

Here the SSL certificate displayed “World Bank”, implying the site was operated by the World Bank. In reality it was a trap created by hacking into the site “climatesmartplanning.org”: that URL still appeared on the hacked site, but the content was PayPal’s login page.


The hacked site provides data on climate-smart planning to policymakers in developing countries. Hacking such a site is a shame, as it was made for a noble purpose, but the hackers had other ideas.

After the attack, the website was unavailable for some time but came back with the phishing content removed. It didn’t end there: on 19th November the website was attacked again, and the defaced homepage showed “Defaced by ‘Virus Iraq’”.


According to the World Bank, there have been a total of 419 scams so far in which cyber criminals have used its domains.

It all started on Tuesday, when a user was asked to enter a PayPal email ID and password on the site. The credentials were submitted to a logcheck.php script, which validated the data from the user. If the data was valid, the page showed “temporarily unable to load the user’s account”; if the email was incorrect, it reported an invalid email or password, like the original PayPal site, explains Netcraft, which was the first to identify the scam.


To gain more information on the user, the page then asks for further account details such as name, date of birth, address and phone number. Once these are confirmed, the user is asked to enter credit card details.


After that, the user is asked for their 3-D password, which lets the hackers get past the security of sites that ask for a 3-D password when the user makes a purchase. Once the attacker has this password, the user is redirected to the original PayPal site.

Currently, climatesmartplanning.org is down, and Chrome users can see a warning message on the Google cache.

PayPal users, and everyone else, should remember never to click links or open attachments in such emails, even if they are from the official site. Instead, log in to your account by opening “paypal.com” in another tab. Most importantly, always verify the SSL certificate (the green indicator at the start of the site’s URL is the best indicator of the site being legitimate).

It is safe and advisable to log in to your PayPal account by entering the web address into your browser’s address bar or via an official PayPal app. The PayPal website has a verified green signature.
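Verifying the certificate only helps if the organization it names is compared with the brand the page claims to be, which is the check this scam's page fails. The comparison is sketched below in Python as an added example (not code from the article or from Netcraft); the policy table, the function names and both sample certificates are constructed for illustration, using the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: policy and certificates are constructed for illustration.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

# Assumption: the defender maintains, per brand, the organization names and
# registrable domains that are allowed to present that brand's login page.
BRAND_POLICY = {
    "paypal": {"orgs": {"PayPal, Inc."}, "domains": {"paypal.com"}},
}

def subject_field(cert, name):
    """Return the first value of a subject attribute, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def host_in_domains(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_login_page(brand, host, cert):
    """List the reasons a page showing `brand`'s login form fails the policy."""
    policy = BRAND_POLICY[brand]
    problems = []
    if not host_in_domains(host, policy["domains"]):
        problems.append(f"host {host} is not a {brand} domain")
    org = subject_field(cert, "organizationName")
    if org not in policy["orgs"]:
        problems.append(f"certificate names {org!r}, not {brand}")
    return problems

def make_cert(org, common_name):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"subject": ((("organizationName", org),),
                        (("commonName", common_name),))}

# Constructed samples: a valid EV-style certificate for the compromised host,
# and one for the genuine brand. Organization strings are illustrative.
COMPROMISED = make_cert("World Bank Group", "climatesmartplanning.org")
GENUINE = make_cert("PayPal, Inc.", "www.paypal.com")

if __name__ == "__main__":
    for host, cert in (("climatesmartplanning.org", COMPROMISED),
                       ("www.paypal.com", GENUINE)):
        print(host, check_login_page("paypal", host, cert) or "ok")
```

A certificate that validates correctly for the compromised host still fails both checks, because it proves who owns the site, not whose login form the site is showing.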

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.