Fake PayPal pages are set up by cybercriminals for one simple goal: to get your credentials. Fake PayPal pages can be hard to distinguish from legitimate PayPal pages, because these cybercriminals try to stay on top of their game.
Currently, if we take a look at VirusTotal, not one of the antivirus engines used by VirusTotal detects the fake PayPal page hosted on certif-verification.ddns.net. If we also look at the IPv4 address used by the domain, we see zero detections there as well.
A dive into certif-verification.ddns.net
During our daily hunt, we noticed a domain asking for PayPal credentials. We took a dive into that domain and noticed that it does not belong to PayPal. This is where we continued our research into certif-verification.ddns.net.
The certif-verification.ddns.net domain should be considered dangerous at all times; there is no legitimate reason for any internet user to connect to it.
Once we connected to certif-verification.ddns.net, we were given a PayPal login screen. A fake one, but it certainly did look real. It even had the lock in the browser. Keep in mind that the lock only tells you the connection is encrypted; it says nothing about who runs the site.
As we continued, we also took a dive into the code serving the fake PayPal page, and the following code got our attention.
The code above sends the information entered into the form to /info/serv5201.php. Knowing the type of URL the cybercriminal uses, we did a simple OSINT search and landed on various pages that had found similar URL structures being used in other fake PayPal pages.
For your convenience, we have added them to the references list.
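To turn the form behaviour described above into a check you can run over a saved copy of a suspect page, here is an added example (not code from the original post or from the phishing kit): it parses the HTML, finds forms that collect a password, and flags any that post somewhere other than the impersonated brand's own domain, additionally noting when the action matches the /info/servNNNN.php pattern observed here. The sample HTML is constructed to mimic such a page and is not the actual page source.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the behaviour described in the post:
# a password form on a non-PayPal host posting to a PHP endpoint under /info/.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/info/serv5201.php">
  <input type="email" name="login_email">
  <input type="password" name="login_password">
  <button type="submit">Log In</button>
</form>
</body></html>
"""

LEGIT_DOMAINS = ("paypal.com",)  # brand the page impersonates (assumption)
OBSERVED_PATH = re.compile(r"/info/serv\d+\.php$")  # pattern seen in the post

class FormCollector(HTMLParser):
    """Collect each <form> with its action and the input types it contains."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("type") or "text").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def is_legit_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def find_credential_forms(html, page_host):
    """Return (action, reason) for password forms posting off-brand."""
    p = FormCollector()
    p.feed(html)
    hits = []
    for f in p.forms:
        if "password" not in f["inputs"]:
            continue
        # A relative action posts back to the page's own host.
        host = urlparse(f["action"]).hostname or page_host
        if not is_legit_host(host):
            reason = "password form posts to %s" % host
            if OBSERVED_PATH.search(f["action"]):
                reason += " (matches observed /info/servNNNN.php pattern)"
            hits.append((f["action"], reason))
    return hits
```

Feed it the page's host and the saved HTML; an empty list means no off-brand password form was found.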