In July of last year, we wrote about a new campaign where hackers are sending phishing emails and malicious invoices directly from PayPal.
This is different from the many attacks we’ve seen that spoof PayPal. This is a malicious invoice that comes directly from PayPal.
And since it comes directly from PayPal, it becomes incredibly difficult not only for email security services to stop but also for end-users to respond to it accordingly.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how threat actors are taking advantage of PayPal to send malicious invoices and messages directly to users.
In this attack, hackers are sending malicious invoices directly from PayPal.
- Vector: Email
- Type: Malware
- Techniques: Social Engineering, Impersonation, Malicious Invoice
- Target: Any end-user
Email Example #1
This email comes directly from PayPal: notice that the sender address is email@example.com. The email starts by saying there’s been fraud on the account. If you don’t take action by calling the number, you will be charged $699.99.
The body of the email, however, could alert some eagle-eyed users that something is amiss. First, the grammar and spelling are all over the place. Second, the phone number they list is not related to PayPal. However, it offers another way for hackers to get your information and money. The general goal is to get you to call the number or follow up for more details. If you call that number, they now have your cell phone number and can use it for more attacks. And it’s another chance to scam you on the phone.
Email Example #2
This is a slight variation on the above attack. This attack isn’t about a fraudulent charge; instead, it claims a Norton Antivirus 360 subscription has been renewed. They want you to call the listed number, which is not associated with PayPal or Norton, to cancel.
Google ‘PayPal scam’ and the results are pretty jarring. You’ll find very similar attacks to the ones listed above. We’ve written about a number of them, as have many others. There are lists related to all the different email scams from PayPal.
Why have these proliferated? There are a few reasons.
For one, anyone can create a PayPal account. It’s free and takes a few seconds. It’s very easy to create an invoice. It’s two clicks.
PayPal offers you the ability to send many of these at a time. They even offer tools to create more professional-looking invoices.
That ease of use is appealing to hackers. Beyond that, the email comes directly from PayPal. The email itself is not malicious; there are countless legitimate invoices sent via PayPal every day. An email coming from firstname.lastname@example.org will pass all SPF, DKIM and DMARC checks. And it will likely pass many other checks. It likely won’t be the first time interacting with the sender. The URL will be clean.
These are things that traditional email security solutions look for, as well as next-gen solutions. Sussing out that this email is indeed an attack will require the use of advanced AI and ML that’s trained on an incredibly large database.
If the email service can’t figure it out, there are other issues for the user to figure out. For one, the sender’s email address is gone. It’s just a nickname. It’ll say, “A small reminder from billing desk.” It won’t say, “email@example.com.” It just says Billing Desk. So the user can’t look to see if there are discrepancies in the sender address.
That makes it incredibly easy for the hacker to impersonate a family member or a boss.
In short, this is an attack that’s incredibly easy to do and incredibly hard to stop.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges
- Implement advanced security that looks at more than one indicator to determine if an email is clean or not
- Encourage users to ask IT if they are unsure about the legitimacy of an email
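One way to look at more than one indicator, as an added example (not Avanan's or PayPal's code): once a message authenticates as coming from the invoicing platform, score its content for the traits described above. The domain paypal.example, the header values, the phone number and both sample messages are constructed, and the keyword list and threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PHONE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}")
AMOUNT = re.compile(r"\$\d[\d,]*\.\d{2}")
URGENCY = re.compile(r"\b(fraud|unauthori[sz]ed|renewed|cancel|charged)\b", re.I)

def invoice_indicators(raw, platform_domain):
    """Return content indicators for mail that authenticates as the platform."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    auth = msg.get("Authentication-Results", "").lower()
    # Only score mail that really came from the platform; for spoofed mail,
    # SPF/DKIM/DMARC already do the work.
    if not addr.lower().endswith("@" + platform_domain) or "dmarc=pass" not in auth:
        return []
    body = msg.get_payload()
    found = []
    if platform_domain.split(".")[0] not in display.lower():
        found.append("display name is a nickname, not the platform brand")
    if PHONE.search(body):
        found.append("callback phone number in body")
    if URGENCY.search(body):
        found.append("fraud/renewal/cancel wording")
    if AMOUNT.search(body):
        found.append("charge amount in body")
    return found

def is_suspicious(raw, platform_domain, threshold=3):
    # Assumed rule: no single trait decides; several together do.
    return len(invoice_indicators(raw, platform_domain)) >= threshold

# Constructed sample messages (not real mail).
AUTH = "Authentication-Results: mx.example; spf=pass; dkim=pass; dmarc=pass\n"
SCAM = ('From: "Billing Desk" <service@paypal.example>\n' + AUTH +
        "Subject: A small reminder from billing desk\n\n"
        "We detected fraud on your account. You will be charged $699.99.\n"
        "To cancel, call (800) 555-0199.\n")
BENIGN = ('From: "PayPal" <service@paypal.example>\n' + AUTH +
          "Subject: Invoice from Example Design Studio\n\n"
          "Example Design Studio sent you an invoice for $120.00.\n")

if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, is_suspicious(raw, "paypal.example"),
              invoice_indicators(raw, "paypal.example"))
```

The benign invoice carries an amount but nothing else, so it stays below the threshold; the callback-number invoice trips all four checks even though its authentication results are identical.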