Ransomware was recently discovered which has the potential to obtain PayPal login information through a phishing page. A note was embedded in the ransomware which asked the victims to pay with either Bitcoin or PayPal. The message in the note was written “Files have been encrypted! and your computer has been limited! To unlock your PC, you must pay with one of the payment methods provided, we regularly check the activity of your screen and to see if you have paid, PayPal automatically sends us a notification once you’ve paid, but if it doesn’t unlock your PC upon payment contact us CryTekk@protonmail[.]com.” If the victim opts in to using PayPal and selects the “Buy Now” option as the source of payment, then they will be guided to a phony phishing page. Payment details such as payment card holder’s name, debit/credit card number, expiration date, CVV number, and password will then be asked for. If these details are valid, the victim then will be sent to http[:]//ppyc-ve0rf[.]890m[.]com/s2[.]php. Researchers are unaware of who the perpetrator is at this time.
Analyst Notes
As always, users should be careful when putting any type of information out on the internet. Authenticity checks should be run before any information is provided. If the content of the site looks out of the ordinary, users should leave the page immediately.
