Scam lures victims with PayPal "No Code Checkout" pages
PayPal offers "No Code Checkout" pages as a feature. Fraudsters misuse them to advertise on Google and lure victims.

Online criminals phish for monetizable information.
(Image: created with AI in Bing Designer by heise online / dmk)
Fraudsters are using a PayPal function called “No Code Checkout” to create PayPal pages that look genuine. They advertise these in Google's search engine to attract potential victims.
Malwarebytes reports on the scam in its company blog. According to the report, the fraudsters place advertisements on Google that display the official PayPal website but redirect to a fraudulent site. This works because Google's guidelines ensure that the popular logo and name are displayed if the domain name of the URL refers to PayPal.
The advertisements are placed via accounts that have presumably been taken over by criminals; Malwarebytes cites the advertiser “Icebear Limited”, which is supposedly based in Hong Kong, as an example. The advertisement looks as if it leads directly to PayPal, and only the main domain “https://www.paypal.com” is displayed. However, interested parties land on a PayPal “No Code Checkout” URL.
“No Code Checkout” for simple payment processing without programming effort
The PayPal “No Code Checkout” is intended to help smaller merchants in particular accept payment requests without programming. Merchants can enter any text in a form and specify an amount to be paid. The paths there are structured according to the scheme paypal.com/ncp/payment/[unique ID].
The fraudsters ultimately use this to create a fake payment link. In the malvertising campaign observed, the perpetrators provided a fraudulent telephone number as “PayPal assistance”.
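Because these pages sit on the genuine PayPal domain but carry merchant-written text, a domain allowlist alone does not separate them from PayPal's own pages. The following added example (not from the article or from Malwarebytes) shows one way to flag visits to the quoted path scheme in web proxy logs for review; the log format, user names, IDs and `host.example` are constructed, and treating the ID as a single path segment is an assumption.

```python
from urllib.parse import urlsplit

# Path prefix taken from the scheme quoted in the article:
# paypal.com/ncp/payment/[unique ID]
NCP_PREFIX = "/ncp/payment/"
PAYPAL_HOSTS = {"paypal.com", "www.paypal.com"}

def classify(url: str) -> str:
    """Return 'ncp_checkout', 'paypal_other' or 'not_paypal' for a URL."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
    except ValueError:
        return "not_paypal"
    # .hostname lowercases and drops userinfo and port, so
    # https://www.paypal.com@host.example/... resolves to host.example.
    host = (parts.hostname or "").rstrip(".")
    if host not in PAYPAL_HOSTS:
        return "not_paypal"
    if parts.path.startswith(NCP_PREFIX):
        # Assumption: the ID is one non-empty path segment; the page
        # does not describe its format.
        page_id = parts.path[len(NCP_PREFIX):].strip("/")
        if page_id and "/" not in page_id:
            return "ncp_checkout"
    return "paypal_other"

def flag_ncp_visits(log_lines):
    """Return (user, url) pairs for visits to merchant-authored checkout pages."""
    hits = []
    for line in log_lines:
        fields = line.split(maxsplit=2)  # constructed format: time user url
        if len(fields) == 3 and classify(fields[2].strip()) == "ncp_checkout":
            hits.append((fields[1], fields[2].strip()))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z alice https://www.paypal.com/ncp/payment/EXAMPLEID0001",
    "2025-01-01T10:01:00Z bob https://www.paypal.com/signin",
    "2025-01-01T10:02:00Z carol https://www.paypal.com@host.example/ncp/payment/EXAMPLEID0002",
    "2025-01-01T10:03:00Z dave https://paypal.com.host.example/ncp/payment/EXAMPLEID0003",
    "2025-01-01T10:04:00Z erin HTTPS://WWW.PAYPAL.COM/ncp/payment/EXAMPLEID0004?x=1",
]

if __name__ == "__main__":
    for user, url in flag_ncp_visits(SAMPLE_LOG):
        print(f"review: {user} opened merchant-authored page {url}")
```

A hit is not proof of fraud, since legitimate merchants use the same feature; it marks pages whose text, including any support telephone number, was written by a third party.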
According to the analysts, smartphone users in particular are susceptible to falling for this advertising. One example shows screenshots of an iPhone on which a search for “PayPal live agent” is carried out, and the fraudulent advertisement is displayed first. Due to the reduced screen size, interested parties first have to scroll past the ad and possibly the AI overview to get to the organic search results. “This is of course no coincidence, but the reason advertising is worth billions of US dollars,” explain the IT researchers.
If a potential victim clicks on the advertising link, they land on the page behind which the false payment link is hidden and which displays the false support telephone numbers. The PayPal domain is also correctly displayed in the address bar. This creates trust among interested parties and can lead them into the clutches of the perpetrators. The IT researchers advise against using the advertising links for such search queries and recommend scrolling further down the results page to the organic results.
As one of the most important payment processors and service providers online, PayPal is a constant focus for cyber criminals. Just last week, a phishing scam became known that abused the “New address” function to create seemingly genuine fraudulent emails and bypass protective measures and filters.
(dmk)