A new phishing scam pretending to be PayPal gets victims to take a selfie holding their ID and credit card.
A new phishing scam pretending to be PayPal gets victims to take a selfie holding their ID and credit card.

A new phishing scam is duping victims into sending selfies to a site they believe is PayPal, but is, in fact, harvesting their credit card data, according to a report from PhishMe.

While phishing scams purporting to be PayPal are not uncommon, this new campaign is an evolution in its getting victims to take a selfie holding their ID and credit card. This data can then be used in setting up cryptocurrency accounts with which the bad actors behind the ruse launder money stolen from the victims, the report suggested.

Victims receive an email directing them to a hacked site in which the phishing kit is embedded into a subdirectory, the researchers explained. This obfuscates their activity from legitimate anti-phishing vendors mining for phishing sites.

But, after victims key in their username and password, they are prompted by a new, fake Paypal-branded screen to give up their name, address, credit card number, etc. And then, pretending to seek verification, a next screen asks for a photo of the user holding up some form of ID and credit card next to their face.

Once their data and photo is uploaded, the victim is redirected to the actual PayPal site, unaware they've been duped. Their data is, in fact, being sent to an email address associated with a Skype account for “najat zou” of “mansac, France,” the researchers detected.

PhishMe advised users to be wary of emails containing suspicious links or attachments, particularly those that purport to arrive from PayPal seeking personal information.