Researchers from Internet technology company Akamai have discovered a phishing kit that targets PayPal users. The phishing kit is hosted on legitimate WordPress websites that have been hacked. This allowed the phishing kit to circumvent detection to some extent.

According to the researchers, the phishing kit was discovered after the threat actor planted it on their WordPress honeypot. The threat actor target poorly secured websites and brute-forces their login using a list of shared login credentials found online.

The access is used to install a file management plugin that allows them to upload the phishing kit to the breached website.

To avoid detection, the phishing kit cross-reference IP addresses to domains belonging to a specific set of certain companies, including some cybersecurity companies.

The threat actors then try to make the fraudulent site look professional and mimic the original PayPal site as well as possible.

In order to steal data, the threat actors add a CAPTCHA challenge to create a false legitimacy, and the victim is then asked to log into their PayPal account using their email address and password. Once entered, the information is automatically delivered to the threat actor.

The threat actor also uses an “unusual activity” format to obtain more information from victims. The victim is then asked to provide additional financial and private information such as payment card details, card verification code, physical address, social security number and the mother’s maiden name.

The sources for this piece include an article in BleepingComputer.