The text advises its ‘victims’ to visit a link and enter their credentials because their account is being reviewed. The text message states “Your account is currently under review. Please complete the security form to avoid restrictions. pay-pal.support-online[.]co[.]uk”.
Unquestionably, it is pretty apparent that the above is a phishing text from the URL, the language used and the ambiguity. We did a quick search on the URL, and we found that VirusTotal scanned the link for the first time and did not detect it as being malicious since no one had reported it, so there is probably nothing wrong with it, right?
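The URL check described above, as an added example that is not part of the original post: it refangs the host from the quoted text message and flags any label that spells a protected brand once hyphens are removed, on a domain the brand does not own. The brand table, the suffix set and all function names are constructed assumptions; a real deployment would use the full Public Suffix List.

```python
import re

# Assumption: small constructed tables for illustration. Use the full Public
# Suffix List and your own brand inventory in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}
BRANDS = {"paypal": {"paypal.com"}}  # brand keyword -> domains it owns

# Hostname whose labels are joined by "." or the defanged "[.]".
HOST_RE = re.compile(r"((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)

# The text message quoted in the post, kept defanged.
SAMPLE_SMS = ("Your account is currently under review. Please complete the "
              "security form to avoid restrictions. "
              "pay-pal.support-online[.]co[.]uk")

def extract_hosts(message):
    """Return refanged, lower-cased hostnames found in a message."""
    return [m.group(1).replace("[.]", ".").lower()
            for m in HOST_RE.finditer(message)]

def registrable_domain(host):
    """Approximate the registrable domain using the small suffix set above."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def brand_lookalikes(host):
    """List (brand, label, registrable domain) for brand names on foreign domains."""
    reg = registrable_domain(host)
    hits = []
    for brand, owned in BRANDS.items():
        if reg in owned:
            continue  # the brand's own domain is not a lookalike
        for label in host.split("."):
            # "pay-pal" collapses to "paypal" once hyphens are stripped
            if brand in label.replace("-", ""):
                hits.append((brand, label, reg))
    return hits

def triage_sms(message):
    """Map each suspicious host in the message to its brand hits."""
    findings = {}
    for host in extract_hosts(message):
        hits = brand_lookalikes(host)
        if hits:
            findings[host] = hits
    return findings

if __name__ == "__main__":
    print(triage_sms(SAMPLE_SMS))
```

A check like this works on the message text alone, so it does not depend on a scanner verdict or on what the site serves to a particular device.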
We did a bit of further digging on the website, and we did not find any malicious code or any form to fill; instead, we received the below:
We then quickly tested several browsers on different devices as we wanted to see if it is serving smartphone users only…
… and voilà!
On an iPhone 6 Plus device, it shows the user the message “This site is blocked due to a phishing threat.” So we logged into BrowserStack.com and started testing on several iPhone devices with different browsers running on different iOS versions. It looks like this PayPal phishing campaign is targeted only at iPhone users running specific iOS versions (or probably visiting from a specific location), or the crooks running this campaign are still developing it, making us think that this is not an organised and properly made phishing campaign.
This post was for awareness purposes rather than a full deep-dive analysis of this campaign.
Happy hunting people!