Watch out for this fake PayPal form that tries to steal your credit card info

Magecart attacks are some of the most destructive kinds of cyberattacks you can encounter online. The sneaky tactic involves hijacking an online store and recording a victim’s payment information. Once the victim fills out a form, the data is sent to a server owned and controlled by hackers. It’s like phishing you can’t see.

These attacks have cost victims millions of dollars collectively, and some online shopping platforms have been hit especially hard.

As tricky as Magecart attacks are, hackers are still refining their tactics to make them even more effective. And now, a new campaign is using fake PayPal forms to trick customers. We’ll show you how to spot it.

Watch out for your money! This isn’t a real PayPal page

A new Magecart tactic found by security researcher Affable Kraut may be one of the most convincing ever. It uses an unusual technique to inject fake PayPal forms into online stores, and any information entered into these forms gets stolen by the hackers behind the scheme.

This pattern goes a bit further than traditional Magecart attacks and their fake landing pages. To make itself as authentic-looking as possible, the Magecart system scans the victim’s shopping cart and checkout page and uses the details it finds there to partially fill in its fake PayPal forms.

If you’ve ever used PayPal, you might know that you can save your information to autofill once your password is typed in. If you check out with PayPal and see your information already filled out, you’d have no reason to assume something was wrong.

According to Kraut, it even passes along taxes and shipping information for extra details. These hackers are many things, but lazy isn’t one of them!

How can I spot the scam? What can I do to protect myself?

Even though this Magecart attack spoofs a PayPal form, you should still rely on secure payment methods like PayPal for online transactions. This is because PayPal encrypts your data and can offer some recourse in the event you get scammed.

If you have two-factor authentication activated for PayPal, you’ll be asked to enter your code before you can check out. Fake PayPal forms from the Magecart attack will not prompt a 2FA login, so we’d advise setting this up on your PayPal account for extra security.

In addition to 2FA, here are even more ways you can protect yourself from this kind of attack in the future.
