Merseyside Police have arrested, and subsequently released under investigation, a fifteen-year-old boy on suspicion of hacking into a number of PayPal accounts in the UK earlier this year.
In addition to the arrest, Merseyside Police’s Cyber Dependent Crime Unit, along with the Matrix, carried out a search of the boy’s home, finding many expensive gadgets such as an iPhone 11, iPhone 8, Apple Watch, Samsung phone, Apple Airpods, an iPad, a Sony mobile phone and a mini motorbike.
The arrest was made under the Computer Misuse Act 1990 and Merseyside Police have advised all PayPal users to set up two-factor authentication on their accounts to prevent cyber criminals from taking over their accounts.
Earlier this year, research carried out by email security solutions provider Vade Secure revealed a major jump in the misuse of well-known brands by hackers in phishing attacks to lure Internet users into sharing their account credentials, payment card details, and other personal information.
In its Phishers’ Favorites report for Q3 2019, the security firm found that in the quarter, fraudsters impersonated PayPal more than any other global brand. The firm found 16,547 fake or malicious URLs that impersonated PayPal, compared to 13,849 URLs that impersonated Microsoft, 13,562 URLs that impersonated Netflix, and 12,041 URLs that impersonated Apple.
Phishers also impersonated other global brands such as Bank of America, Apple, Google, Chase, Amazon, DHL, Desjardins, Docusign, BNP Paribas, Dropbox, Yahoo, Adobe, AT&T, and Comcast, all of which appeared on the firm’s list of the 25 most-impersonated global brands in the quarter.
One particular phishing campaign impersonating PayPal that caught the security firm’s attention targeted more than 700,000 people across Europe. The phishers behind this campaign sent emails to victims with subject lines such as “Last reminder before judicial action” and asked them to pay €45 to avoid prosecution. The emails contained URLs that victims were asked to visit to complete their payments. These URLs impersonated PayPal’s domain and required visitors to fill in their PayPal usernames and passwords.
In January, prominent phishing gang 16Shop updated its repository of phishing kits with new templates that targeted PayPal users across the globe. The phishing kit allowed fraudsters to steal as much data as possible from unsuspecting users, such as login credentials, credit card details, phone numbers, geolocation, and email addresses.
“Phishing kits allow criminals to quickly and easily send out mass phishing emails in an attempt to compromise accounts. In recent years these have become more advanced with multi-language localisation for global brands and more convincing templates,” said Javvad Malik, security awareness advocate at KnowBe4.
“It is why it’s important for all organisations to regularly provide security awareness and training to all staff, and even beyond so that they can be aware of the risks out there and the best way to identify scam phishing emails,” he added.
It is not known if the fifteen-year-old boy from Merseyside used 16Shop’s phishing kit to hack into PayPal accounts in the UK or used some other method to carry out the hack.