An educational analysis of real-life cases of carder phishing attacks using social engineering

Student

For educational purposes, I will examine two cases in more detail: the attack on PayPal users in 2018 and the "Paycheck Fax" campaign of January 2023. Each case is broken down by stage (preparation, execution, and consequences), with emphasis on the role of social engineering, that is, the manipulation of human behavior to obtain payment card data. This shows how such attacks evolve and how to prevent them. The information is based on reports from reputable sources such as the FTC (Federal Trade Commission), Proofpoint, Kaspersky, and UCSF IT.

Case 1: Phishing Attack on PayPal Users (2018)

This campaign, known as the "PayPal Phishing Scam," was one of the largest phishing operations of its time. It demonstrates a classic combination of social engineering and technical tricks, where carders (cybercriminals specializing in card theft) exploited the trust in the PayPal brand. The attack affected users in the US, Europe, and Asia, peaking in mid-2018.

Preparation

  • Target audience: The primary victims were individual PayPal users (approximately 200 million accounts globally at the time), especially those who actively made online purchases or transfers. Carders chose PayPal because of its popularity and because every account has linked Visa or Mastercard details to harvest.
  • Technical infrastructure: The group (reportedly from Ukraine and Russia, according to Interpol) used cheap tools: free email services for spam (throwaway or spoofed Gmail accounts), registrars such as Namecheap for lookalike phishing domains (e.g., pay-pal-support[.]com or secure-paypal[.]net), and a simple CMS (WordPress with form plugins). Free Let's Encrypt certificates added a veneer of legitimacy: the padlock only proves the connection is encrypted to whoever controls the lookalike domain, not that the site is PayPal, but many users read it as "safe".
  • Social engineering in the preparation phase: Carders studied real PayPal email templates from open sources (forums, data leaks) and tested messages on dark web focus groups to maximize response (conversion rates reached 5-10%, according to Proofpoint).

Execution

  1. Phishing email distribution:
    • Volume: Millions of emails per day via botnets (networks of infected PCs rented on the black market for $100–500).
    • Contents: Fake official notice: "Your PayPal account has been temporarily suspended due to a suspicious transaction. Please verify your card details within 24 hours, or your account will be deleted." Fake "receipts" or screenshots were attached to make the message more convincing.
    • Social engineering: Fear of losing the account plus a 24-hour deadline pushed recipients to act before noticing red flags such as grammatical errors or a lookalike sender address (no-reply@paypal-security.com instead of an address on paypal.com).
  2. Phishing site and data collection:
    • Website: A PayPal.com clone with an identical design (logos, colors, navigation). The "login" form asked for an email, password, card number (16 digits), CVV (3-4 digits), expiration date, and address for "verification."
    • Technology used: client-side JavaScript validated the form input (so only plausible-looking card data was submitted) and PHP scripts forwarded it to the carders' server, where it was encrypted and stored in MySQL databases for later export.
    • Social engineering: The site used "social proof" — fake reviews ("Confirmed in 30 seconds, everything works!") and timers ("5 minutes left before blocking") — to speed up data entry.
  3. Monetization:
    • The data was sold on darknet forums (such as Exploit.in) for $5–$20 per card. It was used for "carding"—buying electronics on eBay/Amazon for resale or withdrawal through money mules (front men).

Scale and consequences

  • Statistics: The FTC recorded approximately 10,000 complaints, with damages exceeding $1 million (average loss per victim: $100–500). Proofpoint noted that 80% of victims were over 40 years old and had been subjected to emotional manipulation.
  • Detection and response: Detected through traffic monitoring (Google Safe Browsing) and complaints. In 2019, Interpol arrested five people in Kyiv based on IP and transaction logs. PayPal tightened email authentication (a DMARC policy that lets receiving mail servers reject messages that spoof paypal.com in the From header) and introduced mandatory two-factor authentication. Note the limit of DMARC: it protects only the exact domain that publishes the policy, so mail from an attacker-controlled lookalike such as paypal-security.com still passes SPF, DKIM, and DMARC for that domain.
  • Lessons for education: This case demonstrates how social engineering raised effectiveness by 70% compared with purely technical attacks. Recommendations: never follow a link in such a notice; type https://www.paypal.com yourself and check the account there, call support on the number printed on your card or on the official site, and learn to recognize manufactured urgency.
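As an added example (not code from the original post), the "verify the URL" advice above can be applied mechanically. The Python checker below refangs a link, extracts the host, reduces it to its registrable domain (eTLD+1) and reports whether the link really lands on the brand's own domain; it also flags the classic tricks a glance at the padlock misses (user@host before the real host, non-ASCII homoglyph hosts, plain http). The brand allow-list, the short public-suffix table and the sample lure are constructed for the demo and are assumptions, not data from the campaign.

```python
"""Added example: classify links in a phishing lure by registrable domain.
Not part of the original post; brand list, suffix table and sample links are constructed."""
import re
from urllib.parse import urlparse

# Constructed allow-list for the demo: registrable domains each brand really owns.
# Assumption for the example; a production checker keeps this per brand.
LEGIT_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "adp": {"adp.com"},
}

# A few two-label public suffixes are enough for the demo. Real code should use
# the Public Suffix List (e.g. the tldextract package) rather than this short set.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"""(?:hxxps?|https?)://[^\s<>"']+""")


def refang(text: str) -> str:
    """Undo report-style defanging such as 'secure-paypal[.]net' or 'hxxps://'."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host: 'paypal.com.evil.net' -> 'evil.net'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Report whether a link really lands on a brand's own domain.

    verdict is one of: 'legit' (registrable domain is on the brand's list),
    'lookalike' (brand name appears in the host but the registrable domain is
    not the brand's), 'suspicious' (no brand match, but a classic trick such as
    userinfo@, a homoglyph host or plain http is present), 'unknown'.
    """
    parts = urlparse(refang(url.strip()))
    host = parts.hostname or ""
    reg = registrable_domain(host) if host else ""
    report = {"url": url, "host": host, "registrable": reg, "brand": None,
              "verdict": "unknown", "reasons": []}

    # Brand-independent red flags.
    if "@" in parts.netloc:
        report["reasons"].append("userinfo before '@' hides the real host")
    if not host.isascii():
        report["reasons"].append("non-ASCII host (possible homoglyph)")
    if parts.scheme != "https":
        report["reasons"].append(f"scheme is '{parts.scheme or 'none'}', not https")

    # Collapse separators so 'pay-pal-support' and 'paypal.com.evil.net' both
    # contain the brand token. The whole netloc is searched so a brand name
    # planted in the userinfo part is caught too.
    collapsed = parts.netloc.lower().replace("-", "").replace(".", "")
    for brand, allowed in LEGIT_DOMAINS.items():
        if reg in allowed:
            report.update(brand=brand, verdict="legit")
            return report
        if brand in collapsed:
            report.update(brand=brand, verdict="lookalike")
            report["reasons"].append(f"'{brand}' in host, but registrable domain is {reg}")
            return report
    if report["reasons"]:
        report["verdict"] = "suspicious"
    return report


def scan_text(body: str) -> list:
    """Classify every link found in a message body."""
    return [classify_link(u) for u in URL_RE.findall(body)]


# Constructed lure body modelled on the notice quoted above (not a real sample).
SAMPLE_LURE = """Your PayPal account has been temporarily suspended.
Verify your card within 24 hours: hxxps://secure-paypal[.]net/login
Official help centre: https://www.paypal.com/help
Alternative link: https://www.paypal.com@evil.net/login
"""

if __name__ == "__main__":
    for r in scan_text(SAMPLE_LURE):
        print(f"{r['verdict']:10} {r['host']:25} {r['registrable']:20} {'; '.join(r['reasons'])}")
```

The brand-token match is deliberately loose (short tokens such as "adp" will also hit unrelated names), so treat "lookalike" as a reason to inspect, not a block decision; the registrable-domain check against the allow-list is the part that is exact.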

Case 2: Paycheck Fax-Themed Lure Phishing Campaign (January 2023)

This attack, recorded in early 2023, evolved from earlier campaigns by using AI for personalization. It exploited post-pandemic financial stress (salaries, taxes) and primarily affected the US and EU. UCSF IT and FTC reports describe it as an example of spear-phishing: targeted phishing delivered at mass-mailing volume.

Preparation

  • Target audience: Corporate employees (office workers, freelancers) who use payroll services such as ADP or QuickBooks. The carders (a group from India and Eastern Europe) collected approximately 50 million email addresses from leaks (for example, the 2021 LinkedIn data leak).
  • Technical infrastructure: Typosquatted lookalike domains (adp-fax[.]com) registered with hosting providers such as GoDaddy. Phishing sites were cloned from ADP's portal pages, and the lure text was personalized with generative AI (ChatGPT-like tools). Mailings were sent via SMTP servers and botnets (Mirai variants).
  • Social engineering in the preparation phase: Victims' social media profiles were analyzed to customize each lure (e.g., "Dear [Name], your receipt from [Company] requires verification"). A/B testing on the dark web showed a 15% response rate.

Execution

  1. Phishing email distribution:
    • Volume: Hundreds of thousands of emails per week, peaking in January (beginning of tax season).
    • Contents: "Urgent fax about your paycheck: Confirm your card details to receive your salary. Verification issue - please act within one hour." Attached were fake PDFs of the "fax" (generated in Photoshop).
    • Social engineering: Exploiting authority (imitating the HR department) and reciprocity (promising a "quick fix") to create trust and panic ("You won't get your salary!").
  2. Phishing site and data collection:
    • Website: An ADP portal clone with a "payment confirmation" form asking for card number, CVV, SSN, and PIN. Fake chatbots were added for "help".
    • Technology: React.js forms for a dynamic UI, with webhooks pushing each submission in real time to the carders' Telegram bots. Data was also logged to cloud storage (AWS-like services, under anonymous accounts).
    • Social engineering: Personalization ("Your check for $X requires a card for deposit") and scarcity ("The time limit is running out") reduced skepticism.
  3. Monetization:
    • The data was used for ACH fraud (payroll diversion) or sold ($10–30 for a full set). Some of the proceeds were cashed out through crypto wallets.

Scale and consequences

  • Statistics: The FTC received ~300,000 phishing complaints in 2023 (some from this campaign), with damages above $5 million. UCSF IT noted a 70% success rate against victims without 2FA.
  • Detection and response: Detected through Microsoft Defender telemetry and user complaints. Three people were arrested in India, according to the FBI. ADP added email filtering and SMS verification.
  • Lessons for education: AI-generated text makes lures personalized and raised conversion rates by 50%. Recommendations: use a password manager (it will not autofill credentials on adp-fax[.]com because the domain does not match the saved entry), check the sender authentication results (SPF/DKIM/DMARC) that your mail server records in the Authentication-Results header, and run phishing training (for example, through KnowBe4).
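As an added example (not code from the original post), the following Python script shows what "verify senders (SPF/DKIM)" means in practice and why it only goes so far. It parses the Authentication-Results header a receiving mail server adds, checks SPF and DKIM alignment against the From domain, and applies the DMARC policy. The three messages, their Authentication-Results headers and the DNS table are all constructed for the demo (the DMARC records are assumptions, not the real published policies of these domains). The spoofed-From message is rejected, the genuine one passes, and the lookalike-domain message passes too, because the attacker authenticates their own domain perfectly well.

```python
"""Added example: DMARC evaluation of constructed messages.
Not part of the original post; the messages, Authentication-Results headers
and the DNS table below are all constructed for the demo."""
import re
import email
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>. These records are
# assumptions for the demo, not the real published policies of these domains.
DNS = {
    "_dmarc.paypal.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@paypal.com",
    "_dmarc.paypal-security.com": "v=DMARC1; p=none",  # the attacker's own lookalike domain
}


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment (last two labels here; a real
    implementation must consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value: str) -> dict:
    """Pull SPF and DKIM outcomes (with the domain each was evaluated for) out of
    an Authentication-Results header written by the receiving MTA (RFC 8601)."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    results = {"spf": [], "dkim": []}
    for clause in value.split(";")[1:]:  # element [0] is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, outcome = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if method == "spf":
            results["spf"].append((outcome, props.get("smtp.mailfrom", "").rpartition("@")[2]))
        elif method == "dkim":
            results["dkim"].append((outcome, props.get("header.d", "")))
    return results


def evaluate_dmarc(raw_message: str, dns: dict = DNS) -> dict:
    """Apply DMARC to one message: pass if SPF or DKIM passed for an identifier
    aligned with the RFC5322.From domain; otherwise return the published policy."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    report = {"from_domain": from_domain, "spf": auth["spf"], "dkim": auth["dkim"]}

    record = dns.get(f"_dmarc.{from_domain}")
    at_org_level = False
    if record is None and org_domain(from_domain) != from_domain:
        record = dns.get(f"_dmarc.{org_domain(from_domain)}")
        at_org_level = True
    if record is None:
        report.update(dmarc="none", disposition="none", reason="no DMARC record published")
        return report

    tags = parse_dmarc_record(record)
    spf_ok = any(r == "pass" and aligned(d, from_domain, tags.get("aspf", "r")) for r, d in auth["spf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r")) for r, d in auth["dkim"])
    if spf_ok or dkim_ok:
        report.update(dmarc="pass", disposition="none", reason="aligned " + ("SPF" if spf_ok else "DKIM") + " pass")
        return report
    # The subdomain policy (sp=) applies when the record was found at the org domain.
    policy = tags.get("sp", tags.get("p", "none")) if at_org_level else tags.get("p", "none")
    report.update(dmarc="fail", disposition=policy, reason="no aligned SPF or DKIM pass")
    return report


def constructed_message(from_header: str, auth_results: str) -> str:
    """Build a minimal raw message; the Authentication-Results line stands in
    for what a receiving MTA would add after checking SPF and DKIM."""
    return (f"From: {from_header}\nTo: victim@example.org\n"
            "Subject: Your account has been temporarily suspended\n"
            f"Authentication-Results: {auth_results}\n\n"
            "Please verify your card details within 24 hours.\n")


# 1. Exact-domain spoof: From says paypal.com, but SPF/DKIM only vouch for the
#    spammer's own domain, so nothing is aligned and p=reject applies.
SPOOFED = constructed_message(
    '"PayPal" <service@paypal.com>',
    "mx.example.org; spf=pass smtp.mailfrom=bounce@bulk-mailer.example; "
    "dkim=pass header.d=bulk-mailer.example header.s=sel1")
# 2. Lookalike domain: the attacker controls paypal-security.com, publishes SPF
#    and signs with DKIM, so DMARC passes. Only a domain check or an alert user catches this.
LOOKALIKE = constructed_message(
    "no-reply@paypal-security.com",
    "mx.example.org; spf=pass smtp.mailfrom=no-reply@paypal-security.com; "
    "dkim=pass header.d=paypal-security.com header.s=k1")
# 3. Genuine mail: aligned SPF and DKIM pass.
GENUINE = constructed_message(
    "service@paypal.com",
    "mx.example.org; spf=pass smtp.mailfrom=bounces@paypal.com; dkim=pass header.d=paypal.com")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("genuine", GENUINE)]:
        r = evaluate_dmarc(raw)
        print(f"{name:10} from={r['from_domain']:22} dmarc={r['dmarc']:5} disposition={r['disposition']:7} {r['reason']}")
```

The takeaway for defenders is the second case: SPF, DKIM and DMARC answer "is this really from the domain in the From header?", not "is this domain the one the user thinks it is?", so authentication checks have to be paired with lookalike-domain detection and user training.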

Case study comparison and general recommendations

Aspect               PayPal 2018                             Paycheck Fax 2023
Scale                10,000+ victims, $1 million in damage   Thousands of victims, $5 million+ in damage
Social engineering   Urgency + fear of blocking              Personalization + HR authority
Technique            Simple clones, botnets                  AI personalization, webhooks
Evolution            Mass spam                               Targeted, seeded with leaked data
Response measures    DMARC, 2FA                              AI filters, SMS verification

General recommendations for prevention:
  • For individuals: Check URLs before clicking (tools such as VirusTotal can scan a link), enable 2FA/MFA, and never enter card details on a page reached from an email link. Practice with simulations (phishingquiz.withgoogle.com).
  • For organizations: Deploy email filtering (Proofpoint), run regular training and simulated phishing, and monitor for leaked credentials (Have I Been Pwned?).
  • Statistics for context: According to Verizon's 2023 DBIR, 74% of breaches involve the human element (errors, misuse, stolen credentials, or social engineering); phishing accounts for 36% of incidents.

These cases show that the technology changes, but the human factor remains the weak link. For more in-depth information, I recommend the FTC (consumer.ftc.gov) and Kaspersky (securelist.com) reports. If you need more examples or a specific aspect, let me know!