Written by Jeremy Fuchs, Cybersecurity Researcher/Analyst at Avanan.
In July of last year, we wrote about a new campaign where hackers are sending phishing emails and malicious invoices directly from PayPal.
This is different from the plenty of attacks we’ve seen that spoof PayPal. This is a malicious invoice that comes directly from PayPal.
And since it comes directly from PayPal, it becomes incredibly difficult not only for email security services to stop but also for end-users to respond to it accordingly.
In this attack brief, researchers at Avanan, a Check Point Software Company, will discuss how threat actors are taking advantage of PayPal to send malicious invoices directly to users.
Attack
In this attack, hackers are sending malicious invoices directly from PayPal;
- Vector: Email
- Type: Malware
- Techniques: Social Engineering, Impersonation, Malicious Invoice
- Target: Any end-user
Email Example #1
This email comes directly from PayPal–notice that the sender address is service@paypal.com.
The body of the email, however, could alert some eagle-eyed users that something is amiss. For one, the grammar and spelling is all over the place. The phone number they list is not related to PayPal. However, it offers another way for hackers to get your information and money. For one, if you call that number, now they have your cell phone number and can use it for more attacks. And it’s another chance to scam you on the phone.
Email Example #2
Techniques
Google ‘PayPal scam’ and the results are pretty jarring. You’ll find very similar attacks to the ones listed above. We’ve written a number of them, as have many others. There are lists related to all the different email scams from PayPal. Why have these proliferated? There are a few reasons. For one, anyone can create a PayPal account. It’s free and takes a few seconds. It’s very easy to create an invoice. It’s two clicks.
That ease of use is appealing to hackers. Beyond that, the email comes directly from PayPal. The email itself is not malicious–there are countless legitimate invoices sent via PayPal every day. An email coming from service@paypal.com will pass all SPF, DKIM, DMARC checks. And it will likely pass many other checks. It likely won’t be the first time interacting with the sender. The URL will be clean.
These are things that traditional email security solutions look for, as well as next-gen solutions. Sussing out that this email will require the use of advanced AI and ML that’s trained on an incredibly large database to figure out that this attack is indeed an attack.
If the email service can’t figure it out, there are other issues for the user to figure out. For one, the sender’s email address is gone. It’s just a nickname. It’ll say, “A small reminder from billing desk.” It won’t say, “billing.desk@company.com.” It just says Billing Desk. So the user can’t look to see if there are discrepancies in the sender address.
That makes it incredibly easy for the hacker to impersonate a family member or a boss.
In short, this is an attack that’s incredibly easy to do and incredibly hard to stop.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges
- Implement advanced security that looks at more than one indicator to determine if an email is clean or not
- Encourage users to ask IT if they are unsure about the legitimacy of an email
