PayPal Phishing Scam Uses Invoices Sent Via PayPal (krebsonsecurity.com)
Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. Krebs on Security reports: The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer. While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam.
For starters, all of the links in the email lead to paypal.com. Hovering over the "View and Pay Invoice" button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com. Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal. Both the email and the invoice state that "there is evidence that your PayPal account has been accessed unlawfully."
Stupid Is As Stupid Does (Score:2, Insightful)
Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.
No matter how convincing the scam is, no matter how perfectly legitimate the emails appear to be, anyone with the tiniest bit of intelligence will immediately say "Hey wait a minute ... why do I have to install special software to fix a problem with my PayPal account?"
Anyone tricked by this is beyond stupid and gets what they deserve.
Re: (Score:3, Insightful)
Just because gullible idiots are job security for cybercops doesn't mean they deserve the darwin treatment.
And shame on you for denigrating the vulnerable
People who take advantage of the weak and helpless, especially those being oppressed, are the most contemptible people in the world and deserve the sharpest of rebukes
God is compassionate, and even honest enough to warn us not to oppress the helpless, lest he himself hear their cry. He doesn't actually want to retaliate against us, but he will if he
Re: (Score:1)
Re: (Score:2)
Unfortunately, legitimate support companies also do this. I just ran into a global finance company whose India hosted support personnel try to resolve email issues by getting your laptop's IP address, establishing a remote connection to it, and having you permit them remote console access. Suffice to say that I was startled at a finance company doing this with third party contractors and employee laptops.
Praise the lord (Score:3)
Thank GOD I'm a fresh major in my college's BAS cybersecurity program.
Without that in-taught instinct I might have fallen for it.
God bless institutions of education, at least when they do their job.
Re: (Score:2)
You need to go to the college of morality to know why you shouldn't.
The only being you should devote yourself to on a religious level is the one being who is humble enough not to make you.
Commandment 1
"You shall have no other gods before me"
Exodus 20:3 (NIV)
Commandment 2
"You shall not make for yourself an idol in the form of anything in the heavens above, on the earth below, or in the waters beneath
Exodus 20:4 (NIV)
God doesn't even demand our worship, the only ones commanding us to do so are his
The scam is to "trust"... (Score:2)
The scam is to "trust" technology to indicate an e-mail is valid, etc. But does it make sense?
I've had some of these scam e-mails, but I use my "gut feeling" to make a decision. While a plugin, browser says it's safe, what does my gut instinct say? Those that know me will understand if I'm rude, gauche, but the scammers won't.
People trust technology too much (and this does NOT justify scamming innocents and naive persons...) and don't trust their intuition, what their gut tells them.
In short, yes the email
Paypal account authentication security is CRAP! (Score:4, Informative)
It's no wonder there is phishing coming from fake PayPal accounts. The measures they take to authenticate users have holes you could drive a truck through. And they don't CARE about fixing them. All they care about is having more accounts. Messages to their supposed security reporting emails just trigger a canned autoresponse, and never any effective or even human response.
Supposedly you can't open a PayPal account without providing an email address, and then prove you can receive messages sent to it. When you register a new account, they send a verification message to your registered email address. You're supposed to have to click a unique link inside that message to prove you have access to the address you provided. But if you don't respond, instead of shutting down the account, they just send repeated pleas to activate. And enticements of the amazing benefits of completing your registration. For days and weeks.
If you confirm the email address, you're next supposed to similarly supply a mobile number and prove receipt of calls, texts, or such there. Without these validations your account is supposed to never become active.
In reality it seems PayPal NEVER shuts down an account that fails to pass its verification screens.
Over a year ago, an email domain I control started receiving PayPal verification messages in its catch-all mailbox. They are addressed to various random addresses at my domain. Over time, quite a few of them. As though someone is gradually testing their technique. For the life of me I still can't figure out how anyone gains from these.
At first I ignored the verification requests as spam. But eventually I started checking SMTP headers on the messages. They really are legitimately from PayPal, and not spoofed. Though at various levels some of them do originate from potentially dodgy email marketing partners of PayPal instead of direct from PayPal.
So I phoned PayPal's support and asked them if these accounts really existed. After multiple calls and attempts to escalate to someone who could understand the situation, eventually I got to someone in security with half a brain. Only half. They did confirm these are real accounts. One of the earliest EVEN HAD A BANK ACCOUNT linked to it!
When I asked how an unverified account could get so far in the initiation process, they just obfuscated. They claim that even with a linked bank account, they will not permit the PayPal account to receive funds or to make payments. When I asked how I could trust that is true they had no good answer.
Because this is my email domain I'm reasonably confident nobody but me is able to access those mailboxes and receive or respond to the validation messages. This seems to be confirmed because PayPal claims none of the accounts I've checked on are in fully activated status. Though some clearly got farther through the activation process than PayPal would have me believe they can.
Ultimately the only way to shut down these accounts is if I spend hours on the phone across days of multiple calls to get properly escalated to someone with actual power. And then demand each one individually be shut down.
Re:Paypal account authentication security is CRAP! (Score:5, Insightful)
Ultimately the only way to shut down these accounts is if I spend hours on the phone across days of multiple calls to get properly escalated to someone with actual power. And then demand each one individually be shut down.
Since you control the email addresses to which they are registered, you could go to paypal's website, enter the email address and request a password reset be sent, then log into the account and deactivate it.
Re: Paypal account authentication security is CRAP (Score:1)
I did do password reset on one that started getting monthly statements. So I could read the statements and confirm there was no real activity. Left it just to see what more happens. But you're right, this is probably the best way to shut them down.
How? (Score:3)
How did the criminals send the emails from one of PayPal's IP addresses? Presumably PayPal's own mail server added the DKIM signature.
To me, this is the most important question and it seems to have been glossed over in the article.
Re:How? (Score:5, Insightful)
The emails are authentic and coming from PayPal's actual servers because they're using a legitimate feature of PayPal to send a real invoice. The clever trick here is that they're also using a BCC feature of the invoice.
A PayPal business account can send an invoice to a customer saying they are to be paid money for something. That invoice can be sent to a certain recipient, with the option to BCC other email addresses. In the case of this scam, they're sending the invoice to a fictitious user named "PayPal User" with an email address of billing.dprt@paypal.com, but if you don't read the invoice extremely carefully, it looks like the invoice is being sent from that address (under "Bill to"). That email bounces, but it doesn't matter since you were BCC'ed on it.
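The mechanism described in this answer (an authentic PayPal invoice whose "Bill to" address is itself at paypal.com, with the victim only BCC'd) suggests a mail-filter heuristic that does not rely on SPF/DKIM/DMARC failing, since the summary notes those checks all pass. The following is an added example, not code from the article or from PayPal; the message is a constructed sample, and the indicator names and the `TOLL_FREE` pattern are my own assumptions.

```python
import re
import email
from email import policy
from email.utils import getaddresses

# Constructed sample (not a real message): an invoice notification that
# authenticates as paypal.com, whose To: is itself a paypal.com address, and
# whose real recipient appears only in Delivered-To, i.e. they were BCC'd.
SAMPLE_MSG = """\
Delivered-To: victim@example.net
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
To: "PayPal User" <billing.dprt@paypal.com>
Subject: Invoice from PayPal User
Content-Type: text/plain; charset=utf-8

There is evidence that your PayPal account has been accessed unlawfully.
To dispute this charge, call 1-800-000-0000 within 24 hours.
View and Pay Invoice: https://www.paypal.com/invoice/p/#EXAMPLE
"""

# Assumed pattern for North American toll-free numbers used as callback lures.
TOLL_FREE = re.compile(r"\b1-8(?:00|33|44|55|66|77|88)-\d{3}-\d{4}\b")


def _addrs(msg, *headers):
    """Lower-cased bare addresses found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {a.lower() for _, a in getaddresses(values) if a}


def _auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc pass."""
    ar = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in ar for m in ("spf", "dkim", "dmarc"))


def analyze_invoice_email(raw):
    """Return the list of scam indicators found; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    visible = _addrs(msg, "To", "Cc")          # who the invoice says it is for
    delivered = _addrs(msg, "Delivered-To")    # who actually received it
    if _auth_passed(msg) and any(a.endswith("@paypal.com") for a in _addrs(msg, "From")):
        # A genuine PayPal origin is what makes the lure convincing; on its
        # own it proves nothing, so it only gates the structural checks.
        if delivered and not (delivered & visible):
            findings.append("recipient_bcc_only")
        if any(a.endswith("@paypal.com") for a in visible):
            findings.append("bill_to_is_paypal_address")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    if "call" in body and TOLL_FREE.search(body):
        findings.append("phone_callback_lure")
    if "accessed unlawfully" in body:
        findings.append("unlawful_access_pretext")
    return findings
```

Any one indicator alone is weak (legitimate invoices can be BCC'd to an accountant); treating two or more together as a quarantine signal keeps the false-positive rate manageable.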
I don't fall for any phishing messages (Score:2)
Re: (Score:2)
Free Survey Sites That Pay Through PayPal (Score:1)