The NHS has been hosting a PayPal Phishing page for nearly a year...

Don't blindly trust that green padlock...

Security researcher Oliver Hough, who specialises in all things Phishing, tweeted about this quite frankly strange finding on Saturday night (2018-11-10). It's been almost 24 hours since its discovery, Oliver Hough, Scott Helme (another security researcher) and many other tech-savvy Twitter users have reported this to many different authorities as well as the NHS & Thames Valley NHS Trust (who run the site with the phishing page on it).

Upon further inspection, this page has been here since the 25th of March 2018. Nearly a year? Absolutely disgusting.

How does this even happen?

Back in February, we saw that the NHS and many other UK Gov websites were running crypto-mining scripts on web visitors, due to an external library being modified by an unknown third party. In hindsight, they should've been hosting those libraries locally to avoid that type of attack, but both parties (The NHS and the company who host the libraries) have patched themselves against something similar happening again.

But this PayPal Phishing page? It doesn't make any sense. Do they have bad passwords which were easily guessed? Keyloggers? Services running default passwords? Disgruntled employee(s)? The list of possibilities are endless. All of which can be mitigated, of course. However, the fact that the page has been harvesting credentials since the 26th of October (It's now the 11th of November at the time of writing) is both rediculous and unacceptable.

Dear customer...

The first thing you're asked to do is to verify yourself by dragging the T-Shirt into the "Drop Here" circle. Note the bad grammar; "Please, you need to complete the captcha in order to continue!". It's punctuated like this to give the user a sense of urgency.

After you're served the phishing page, you can enter any information you like into the credential harvester, as long as what you enter in the email box is actually a valid email address (I'm impressed).

When you click "Log In", you're directed to a page which asks you to verify your account by entering all of your personal information as well as Credit/Debit card information. As always with these types of things, you're referred to as "Customer" because there's no way the attacker can know who you are. Ironically, "Your security is our top priority" is shown at the top right. This page seems to be targeted at US/Canadian based customers as the format for the address section isn't what you'd find in Europe/UK, as well as there being no option to select your country (Oops).

At this point, any unsuspecting user would've given the attacker both their PayPal login details as well as their address and Credit/Debit card numbers. Of course, this means that your PayPal account or Credit/Debit would've been used to either empty your bank account, max out your credit limit or make fraudulent purchases to shady eBay sellers and the like. Since they also have all of your personal information, I wouldn't be suprised in the slightest if they used this information to open new credit accounts in your name.

To top it off, there's also a log file that contains the IP addresses of anyone who's entered information into these credential/information harvesters, as well as the date and time of when they entered the information.

This is a great time to remind you to ALWAYS use 2-Factor Authentication for EVERYTHING, as well as to use a password manager to generate unique passwords for every site you use. Links to these can be found on the sidebar to the right if you're viewing on desktop, or below if you're on mobile.

Previous Post