A fake PayPal website, set up to phish for victims, asked users to confirm their account by sending a selfie in which they held their ID.
The fake PayPal website deceived its victims by presenting a copy of the PayPal login page, urging users to log in with their password and then to supply their credit card details and a selfie in which the user is clearly holding their ID.
The issue was brought to the attention of PhishMe security researchers. According to their report, the scammer was using emails to direct users to a phishing PayPal web page, built on WordPress and located in New Zealand.
The phishing website has since been removed. Its URL did not resemble PayPal's, so users with some experience of phishing should have noticed immediately that they were on a page with the wrong address.
In the first step, user authentication, the website asked users to enter their name and password. But the crook was not satisfied with that. Once someone gave their password to this page, the scammer could be sure he was dealing with a careless or untrained user, so he asked for more information. Over a four-step process, the website requested the user's address, credit card details, and a selfie in which the user held their ID.
It is not clear why the scammer wanted this information. PhishMe expert Chris Sims believes he wanted it to "create cryptocurrency accounts, to launder money stolen from other victims."
Of course, this selfie technique, in which the victim holds their ID in their hand, is not new. In October 2016, McAfee discovered a variant of the Acecard Android banking trojan that also asked users, when connecting their mobile phone to their bank account, to take a selfie while holding their ID.
The tactic was quite innovative at the time, and several articles were written about it. That probably gave the current scammer the idea, which he decided to adapt to his phishing.
The "selfie submission" process on the current website is odd. Instead of relying on WebRTC or Flash to gain access to the user's camera, so that the user could take a photo and have it saved automatically, the scammer asked users to upload a photo from their computer. This means more hassle, as the user has to take a selfie, transfer it to the computer, and then upload it to the scammer's page. Prolonging the attack in this way gives the user more time to notice something wrong with the fake PayPal website and stop the process.
In addition, there is a second oddity. Phishing websites usually do not validate what is submitted through their forms and take whatever users upload. This phisher had specific rules for the format of the photos and required JPEG, JPG or PNG files only.
The fraudster also made mistakes. The user's photo was not stored on a server under the scammer's control; instead, the site sent the data to an e-mail address at "oxigene [.] 007 @ Yandex [.] Com."
Sims says he searched for this address in the Skype user list and found a person called "Najat Zou," from "Mansac, France." Of course, this information is not reliable enough to determine the user's nationality or location; it simply provides a first step from which police officers may start if they decide to investigate the matter further.