generic_javascript_obfuscation in www.paypal.com

On 2019-08-05T19:35:12.695871+00:00 we found suspicious pattern generic_javascript_obfuscation, type: Suspicious, (JavaScript obfuscation is frequently used to hide malicious code (or with hope to protect intellectual property)) in the page https://www.paypal.com/ca/signin

The suspicious code sample:

b'atob' … b'"rZJvnqaaQhLn/nmWT8cSUrLUCF91zHwnjpRjzGlM+yc6Y1bp0++ytvQKiB+b/uErZ4Av5GEptRw"' … b'"rTHQQ92KbOgVBchwNAq69ITV+tuubwz1mVNB0="' … b'"phoneNotSetUpTempNotification"' … b'"switchToEmailNotification"' … b'"rTHQQ92KbOgVBchwNAq69ITV+tuubwz1mVNB0="' … b'"profileDisplayPhoneCode"' … b'"expiredTryAgainButton"' … b'"slDisplayMerchantLink"' … b'"delayPartnerAssertion"' … b'"contentContainerShort"' … b'"isHybridLoginExperience"' … b'"isHybridEditableOnCookied"' … b'"splitLoginCookiedFallback"' … b'"isPrefillEmailEnabled"' … b'"deleteContentBackward"' … b'"isWebAuthnHigherVersionEligible"' … b'"profilePlaceHolderImg"' … b'"splitLoginCookiedFallback"' … b'"suppressAutosubmitTime"' … b'"isKeychainActivationWithEmailTokenOn8ball"' … b'"splitLoginCookiedFallback"' … b'"isKeychainExperienceEnabled"' … b'"isKeychainActivationWithEmailTokenOn8ball"' … b'"contentContainerShort"' … b'"splitLoginCookiedFallback"' … b'"isKeychainOptinRequired"' … b'"isKeychainOptinRequired"' … b'"isPrefillEmailEnabled"' … b'"smartlockBlockingAuth"' … b'"smartlockBlockingAuth"' … b'"headerIconThumbprintError"' … b'"isWebAuthnHigherVersionEligible"' … b'"webAuthnSupportLookup"' … b'%2F' … b'%2F' … b'%2F' … b'%2F' … b'%2F' … b'%2F'

This feature is experimental so please feel free to contact us if you feel any of the reported issues is a false positive or you want to suggest a pattern that should be detected (we are using Yara standard).

Fully automated RESTful API is now available. Subscribe for your free trial today!