A dive into a fake paypal page

Fake Paypal pages are setup by cybercriminals for one simple goal: To get your credentials. Fake Paypal pages can be hard to distinguish from legitimate Paypal pages, and this is because these cybercriminals try to stay on top of their game.

Not detected

Currently, if we take a look at VirusTotal, not one of the antivirus engines which is being used at VirusTotal is able to detect the fake PayPal page that is hosted on certif-verification.ddns.net, if we continue to take a look at the IPv4 address which is used by the domain, we will see that also there is zero detection.

Zero detection on certif-verification.ddns.net

A dive into certif-verification.ddns.net

During our daily hunt, we noticed a domain which is asking for PayPal credentials. We took a dive into that domain, and we noticed, that the domain does not belong to PayPal. This is where we continued our research into certif-verification.ddns.net.

The certif-verification.ddns.net domain should be considered dangerous at all times, there is no legitimate use for any internet user to connect to certif-verification.ddns.net.

Once we connected to certif-verification.ddns.net, we were given a PayPal login screen. A fake one, but it certainly did look real. It even had the lock in the browser.

Screenshot of the page PayPal page hosted on certif-verification.ddns.net

The code

As we continued, we also took a dive into the code which is serving the Fake Paypal page, and the following code got our attention.

Code uses /info/serv/5201.php to store stolen credentials

The code above sends information obtained from the form towards /info/serv5201.php. Now knowing what type of URL the cybercriminal uses, we did a simple OSINT search, and we landed on various pages, that had found similar URL structures being used in other Fake PayPal pages.

Reports on fake Paypal pages using the same URL structure

For your convenience, we have added them to the references list.