Recently, researchers discovered a fake PayPal payment website that implants ransomware called Nemty on victims' devices. The ransomware encrypts the files on the device and demands 0.09981 bitcoin, about $1,000, as the ransom.
The attackers use a look-alike (homograph) domain name to impersonate the official PayPal domain. They build the domain from Unicode characters drawn from other alphabets; because such characters are hard to tell apart, browsers normally convert them to Punycode to make the difference visible. In this case, however, the browser's address bar shows the domain as the official PayPal domain, "paypal.com". The fake page displays a download button for a PayPal app and claims that installing the app earns a 3%-5% rebate. After the victim clicks the download button, the ransomware checks the device's location and aborts if the device is in certain countries.
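The homograph technique described above can be caught on the defender's side by rendering each domain as a browser would (Punycode) and collapsing look-alike letters back onto ASCII. The script below is an added example, not code from the article or from the researchers; the watched-brand list and the small confusables table are assumptions constructed for the example (the authoritative table is Unicode's confusables.txt).

```python
"""Flag IDN homograph look-alikes of a watched brand domain (constructed example)."""
import unicodedata

# Assumption: the defender maintains a list of brand domains worth protecting.
WATCHED = {"paypal.com"}

# Constructed, deliberately small confusables table: non-Latin letters that
# render like ASCII letters. Unicode's confusables.txt is the full source.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",  # Greek alpha, omicron, rho
}


def to_punycode(domain: str) -> str:
    """Render the domain the way a browser shows an untrusted IDN label ('xn--...')."""
    return domain.lower().encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Map look-alike letters onto ASCII so 'pаypal.com' (Cyrillic а) collapses to 'paypal.com'."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts_used(label: str) -> set:
    """Unicode scripts of the letters in a label, read from each character's name."""
    return {unicodedata.name(ch).split(" ")[0] for ch in label if ch.isalpha()}


def analyse(domain: str) -> dict:
    """Suspicious = non-ASCII domain that collapses to a watched brand or mixes scripts in a label."""
    domain = domain.lower()
    puny = to_punycode(domain)
    is_idn = puny != domain
    skel = skeleton(domain)
    mixed = any(len(scripts_used(label)) > 1 for label in domain.split("."))
    return {
        "displayed": domain,
        "punycode": puny,
        "skeleton": skel,
        "mixed_script": mixed,
        "suspicious": is_idn and (skel in WATCHED or mixed),
    }


if __name__ == "__main__":
    # Constructed sample: Latin "paypal" with the first "a" swapped for Cyrillic а (U+0430).
    print(analyse("paypal.com"))
    print(analyse("p\u0430ypal.com"))
```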
While most browsers and anti-virus software mark the site as suspicious, users may still be tricked and inadvertently infected with ransomware.