Another ‘Do Not Pay’ Warning Issued

Updated November 1 with details of a click-to-contact threat as well as the latest ‘do not pay, do not phone’ PayPal TOAD attack.

It has been less than a week since I reported an ongoing attack involving fake PayPal invoices that the online money giant itself warned users, “do not pay, do not phone.” Now, a similar, but not quite as convincing, new attack using fake PayPal invoices has been confirmed by security experts. Here’s everything you need to know.

PayPal Users Must Stay Alert As New Invoice Attack Campaign Confirmed

Previously, I reported how cybercriminals were using a variation of what is known as a TOAD attack to target PayPal users with fake invoices. “You receive an email from a real PayPal email address,” security analysts at KnowBe4 warned, which “contains an invoice for a large purchase you did not make, and a phone number for you to call if you want to dispute the charge.” Such Telephone-Oriented Attack Delivery threats almost always contain a PDF document of some kind, such as the invoice in this case, along with urgency and fear-of-financial-loss messaging. What made this one rather more sophisticated than most such scams was that the attackers were sending the invoices from a genuine PayPal account email. “The email you receive is real,” KnowBe4 said, “but the invoice is not, and if you call the phone number in the email, you will not be connected to PayPal’s support team,” but rather to a fraudster after anything from your credit card details or PayPal account credentials to just a good old-fashioned cash payment.

The latest fake PayPal invoice attack is a lot less convincing. It just so happened to land in the inbox of a security vendor employee, as Pieter Arntz, a malware intelligence researcher at Malwarebytes, has confirmed. It is worth reporting on, Arntz warned, “because it looks like it was sent out in bulk.”

Firstly, the email isn’t sent from a PayPal address at all, but from a random Gmail account instead. That’s the kind of red flag nobody should ignore, especially as it will be flapping around in your face at quite an alarming rate. The second is that the email went out to a BCC list, that is, as a blind carbon copy to hundreds of other recipients at the same time. PayPal would never send an invoice in such a manner, obviously. However, using a genuine Gmail address does, Arntz said, mean that “the authentication results (SPF, DKIM, and DMARC) all pass,” but that “only proves the email wasn’t spoofed and was sent from a legitimate Gmail server, not that it’s actually from PayPal.”

The red flags continue: the email body was blank, with only the invoice attachment. PayPal would never send an invoice or any communication like this. Still, if the attachment were to be opened, it would follow the standard TOAD process: “Your account has been billed $823.00. The payment will be processed in the next 24 hours. Didn’t make this purchase? Contact PayPal Support right now.”
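The red flags described above (a brand name in the display name paired with a non-PayPal sender domain, SPF/DKIM/DMARC passing for an unrelated domain, a BCC-style send with the recipient absent from To/Cc, and a blank body carrying only an attachment with urgency wording and a phone number) can be checked mechanically at a mail gateway or by an analyst triaging a user report. The following is an added example written for this article, not code from PayPal, Malwarebytes or KnowBe4. The two sample messages, the phone number and the `BRAND_DOMAINS` table (which assumes paypal.com is the only legitimate PayPal sender domain) are constructed, and the plain-text attachment stands in for the PDF invoice, whose text a real pipeline would first have to extract.

```python
"""Triage checks for a suspected fake-invoice TOAD email.

Constructed example for this article; not vendor tooling. Parses a raw
RFC 5322 message and reports the red flags a mail analyst would look for.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the brand's only legitimate sender domain. Extend per brand.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

URGENCY = re.compile(r"\b(right now|next 24 hours|within 24 hours|immediately|urgent)\b", re.I)
PHONE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value: str) -> dict:
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain out of an
    Authentication-Results header value."""
    results = {m.group(1).lower(): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}
    dkim_d = re.search(r"header\.d=([\w.-]+)", value, re.I)
    results["dkim_domain"] = dkim_d.group(1).lower() if dkim_d else ""
    return results


def triage(raw: str, recipient: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    flags = []

    # 1. Display name invokes a brand, but the sender domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            flags.append(f"brand_impersonation:{brand}->{from_domain}")

    # 2. DMARC "pass" only vouches for the sending domain (here a free-mail
    #    provider), not for the brand named in the display name.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("dmarc") == "pass" and any(f.startswith("brand_impersonation") for f in flags):
        flags.append(f"auth_pass_for_unrelated_domain:{auth['dkim_domain'] or from_domain}")

    # 3. Recipient missing from To/Cc: the message went out as a BCC blast.
    visible = set()
    for name in ("To", "Cc"):
        for header in msg.get_all(name, []):
            visible.update(a.addr_spec.lower() for a in header.addresses)
    if recipient.lower() not in visible:
        flags.append("recipient_not_in_to_cc")

    # 4. Blank body with nothing but an attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body else ""
    attachments = list(msg.iter_attachments())
    if not body_text and attachments:
        flags.append("blank_body_with_attachment")

    # 5. TOAD pattern: urgency wording plus a phone number in any text we can read.
    #    A real pipeline would run PDF text extraction before this step.
    texts = [body_text] + [p.get_content() for p in attachments
                           if p.get_content_type().startswith("text/")]
    combined = "\n".join(texts)
    if URGENCY.search(combined) and PHONE.search(combined):
        flags.append("toad_urgency_and_phone")

    return {"from_domain": from_domain, "auth": auth, "flags": flags}


# Constructed sample resembling the bulk-sent fake invoice (phone number is fictional).
SAMPLE_RAW = """\
From: "PayPal Billing Dept" <billing.notice.4471@gmail.com>
To: undisclosed-recipients:;
Subject: Invoice from PayPal
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"


--b1
Content-Type: text/plain; name="Invoice.txt"
Content-Disposition: attachment; filename="Invoice.txt"

Your account has been billed $823.00. The payment will be processed in the next 24 hours.
Didn't make this purchase? Contact PayPal Support right now: +1 (800) 555-0199
--b1--
"""

# Constructed benign counterpart: aligned sender domain, addressed recipient, real body.
LEGIT_RAW = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Thanks for your payment. You can review this transaction in your account activity.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_RAW), ("benign", LEGIT_RAW)):
        print(label, triage(raw, "victim@example.org")["flags"])
```

The useful design point is check 2: an authentication pass is recorded as a flag only when it coexists with a brand/domain mismatch, which is exactly the situation Arntz describes, where SPF, DKIM and DMARC are all genuine for gmail.com and say nothing about PayPal.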

Click-To-Contact Threat Warning Issued

Not all impersonation attacks follow the same TOAD methodology of the PayPal invoice threats, but they do all leverage trusted relationships and brands, or they wouldn’t have any impact. Lucy Gee and James Dyer, lead analysts at the KnowBe4 Threat Lab, have just confirmed as much in a new report outlining click-to-contact attacks.

Cybercriminals are, the report confirmed, using legitimate but compromised email accounts to distribute messages to contacts, some of which are affiliated with the stolen accounts while others are sourced from online leak databases, to further these often all too successful phishing attacks. These emails can, the report stated, pass email authentication checks. “Phishing attacks sent from legitimate domains will ‘trick’ the authentication mechanisms into considering them safe.”

Because the emails originate from such legitimate addresses, and even if there’s no pre-existing relationship between sender and recipient, if they are constructed properly, they can be remarkably convincing. “This ramps up considerably with a pre-existing relationship as, previously, the target has had no reason not to trust the sender’s address,” the report continued.

Here’s where things get really concerning, though. The threat lab team has “observed an increase in a new and more efficient attack method – and one that doesn’t require any account compromise at all.” The latest attacks exploit legitimate “contact us” or “book an appointment” web forms. While these forms are genuinely useful resources, they can, relatively easily, the researchers warned, be used to launch phishing campaigns.

Prior to sending the phishing email to their targets, the attacker creates a free onmicrosoft account, populates the relevant display name, as well as creating “a mailflow rule that auto-forwards all inbound emails to a distribution list they have populated.”

Because these forms “allow users to enter their email address and a custom message,” which can then trigger an automated email response from the organization, attackers can quickly gain the trust they need to carry out the scam and drop the intended payload. “Our research indicates that this technique is primarily exploiting web forms in the legal, banking, healthcare and insurance sectors,” the KnowBe4 analysts said.

PayPal Takes Note Of The Evolution Of Scamming Tactics And Responds Accordingly

PayPal has said that anyone receiving an unexpected or suspicious invoice or payment request, whether it appears to be from PayPal or another service, should not pay it or respond to it. PayPal also said it is responding to the continual evolution of scamming tactics and methods, taking all the necessary steps to protect customers, including measures such as manual investigations and fraud-prevention technology, and proactive actions such as limiting scam accounts and declining risky transactions.

“We do not tolerate fraudulent activity on our platform, and our teams work tirelessly to protect our customers. We are aware of this phishing scam and encourage people to always be vigilant online and mindful of unexpected messages,” a PayPal spokesperson said. “If customers suspect they are a target of a scam, we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance.”
