World Bank Site Hacked to Serve a Convincing PayPal Phishing Page


A World Bank project website has been hacked and then exploited to host a very convincing PayPal phishing page.

World Bank project site hacked by two malicious actors:

Reports have revealed that the official website for the World Bank’s Climate Smart Planning Platform was penetrated by hackers and then exploited to host a PayPal phishing site. The Climate Smart Planning project focuses on helping developing countries create and implement climate-smart policies.

Because the website carried an Extended Validation (EV) SSL certificate issued to the World Bank Group, the phishing page had enough credibility for visitors to fall for it easily. An EV certificate gives the “highest available level of trust” because it is issued only after an extensive verification process. The browser also displays the name of the certificate's owner (World Bank, in this case) in a box just beside the URL.

The PayPal phishing site tricked visitors into logging in with their PayPal credentials. After this data was submitted (and stolen), the user was told that the site was unable to load their account and required confirmation of their personal information. The site then required the user to share their email address, name, postal address, date of birth, and phone number. The identity theft attempt didn’t stop there: the next screen asked the user to verify their PayPal payment information, including credit card number, expiry date, CVV number, and 3D Secure password if the card required verification. After collecting this personal and payment information, the phishing site redirected the user to the legitimate PayPal website.
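The EV name shown beside the URL identifies who owns the host, not whose login form the page presents, and that gap can be checked mechanically. The following Python is an added example, not code from the original report; the brand allow-list, the hostname `project.example.org`, and the sample certificate and HTML are constructed assumptions.

```python
from html.parser import HTMLParser

# Hypothetical allow-list: brand keyword -> domains allowed to ask for that brand's login.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}

# Constructed sample data, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": ((("organizationName", "World Bank Group"),),
                           (("commonName", "project.example.org"),))}
SAMPLE_HTML = ("<html><title>Log in to your PayPal account</title><body><form>"
               "<input type='email' name='e'><input type='password' name='p'>"
               "</form></body></html>")

class LoginPageScan(HTMLParser):
    """Collects page text and records whether a password field is present."""
    def __init__(self):
        super().__init__()
        self.has_password_field = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        self.text.append(data.lower())

def cert_organization(peercert):
    """Return the subject organizationName (the name an EV indicator shows)."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def brand_mismatches(hostname, peercert, html):
    """List (brand, cert_org) pairs where a login form names a brand the host does not belong to."""
    scan = LoginPageScan()
    scan.feed(html)
    if not scan.has_password_field:
        return []
    body = " ".join(scan.text)
    host = hostname.lower().rstrip(".")
    org = cert_organization(peercert)
    return [(brand, org) for brand, domains in BRAND_DOMAINS.items()
            if brand in body
            and not any(host == d or host.endswith("." + d) for d in domains)]

if __name__ == "__main__":
    print(brand_mismatches("project.example.org", SAMPLE_CERT, SAMPLE_HTML))
```

A finding pairs the imitated brand with the organization named in the certificate, so an analyst sees that a valid EV identity and the page's claimed brand disagree.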

In another incident, an Iraqi hacker defaced the homepage of the same website operated by the World Bank. This defacement appears to have been carried out to improve the hacker's reputation in the hacking world.

Because an EV certificate vouches so loudly for a site’s credibility, visitors are highly likely to trust its content, all the more so when an organization like the World Bank is involved, and the webmasters were quick to remove the page. Following these two separate attacks, the site’s EV certificate has also been revoked, preventing access to the website.

There is no information on how many users may have been affected. Because this is not just a password theft, changing your password is not enough: your personal and payment details have been stolen too. If you think you have fallen victim to this phishing attack, change your passwords and contact your card provider as soon as you can.