Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Links Security The Almighty Buck

PayPal Phishing Scam Uses Invoices Sent Via PayPal (krebsonsecurity.com) 17

Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. Krebs on Security reports: The missives -- which come from Paypal.com and include a link at Paypal.com that displays an invoice for the supposed transaction -- state that the user's account is about to be charged hundreds of dollars. Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer. While the phishing message attached to the invoice is somewhat awkwardly worded, there are many convincing aspects of this hybrid scam.

For starters, all of the links in the email lead to paypal.com. Hovering over the "View and Pay Invoice" button shows the button indeed wants to load a link at paypal.com, and clicking that link indeed brings up an active invoice at paypal.com. Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal. Both the email and the invoice state that "there is evidence that your PayPal account has been accessed unlawfully."

This discussion has been archived. No new comments can be posted.

PayPal Phishing Scam Uses Invoices Sent Via PayPal

Comments Filter:
  • by Anonymous Coward

    Recipients who call the supplied toll-free number to contest the transaction are soon asked to download software that lets the scammers assume remote control over their computer.

    No matter how convincing the scam is, no matter how perfectly legitimate the emails appear to be, anyone with the tiniest big of intelligence will immediately say "Hey wait a minute ... why do I have to install special software to fix a problem with my PayPal account?"

    Anyone tricked by this is beyond stupid and gets what they deserve.

    • Re: (Score:3, Insightful)

      by shentino ( 1139071 )

      Just because gullible idiots are job security for cybercops doesn't mean they deserve the darwin treatment.

      And shame on you for denigrating the vulnerable

      People who take advantage of the weak and helpless, especially those being oppressed, are the most contemptible people in the world and deserve the sharpest of rebukes

      God is compassionate, and even honest enough to warn us not to oppress the helpless, lest he himself hear their cry. He doesn't actually want to retaliate against us, but he will if he

      • by DVK9 ( 9481479 )
        Yes I agree with you that it is a sin to take advantage of those with no active brain cells. What I dont understand is what a semi conscious air breather that can get online but cant understand that there are terrible people out there that want their money. Maybe we need to have a test before ownership to see if they will be allowed a computer.
    • Unfortunately, legitimate support companies also do this. I just ran into a global finance company whose India hosted support personnel try to resolve email issues by getting your laptop's IP address, establishing a remote connection to it, and having you permit them remote console access. Suffice to say that I was startled at a finance company doing this with third party contractors and employee laptops.

  • by shentino ( 1139071 ) <shentino@gmail.com> on Friday August 19, 2022 @07:41PM (#62805267)

    Thank GOD I'm a fresh major in my college's BAS cybersecurity program.

    Without that in-taught instinct I might have fallen for it.

    God bless institutions of education, at least when they do their job.

  • The scam is to "trust" technology to indicate an e-mail is valid, etc. But does it make sense?

    I've had some of these scam e-mails, but I use my "gut feeling" to make a decision. While a plugin, browser says it's safe, what does my gut instinct say? Those that know me will understand if I'm rude, gauche, but the scammers won't.

    People trust technology too much (and this does NOT justify scamming innocents and naive persons...) and don't trust their intuition, what their gut tells them.

    In short, yes the email

  • by umopapisdn69 ( 6522384 ) on Friday August 19, 2022 @08:55PM (#62805337)

    It's no wonder there is phishing coming from fake PayPal accounts. The measures they take to authenticate users have holes you could drive a truck through. And they don't CARE about fixing them. All they care about is having more accounts. Messages to their supposed security reporting emails just trigger a canned autoresponse, and never any effective or even human response.

    Supposedly you can't open a PayPal account without providing an email address, and then prove you can receive messages sent to it. When you register a new account, they send a verification message to your registered email address. You're supposed to have to click a unique link inside that message to prove you have access to the address you provided. But if you don't respond, instead of shutting down the account, they just send repeated pleas to activate. And enticements of the amazing benefits of completing your registration. For days and weeks.

    If you confirm the email address, you're next supposed to similarly supply a mobile number and prove receipt of calls, texts, or such there. Without these validations you're account is supposed to never become active.

    In reality it seems PayPal NEVER shuts down an account that fails to pass its verification screens.

    Over a year ago, an email domain I control started receiving PayPal verification messages in its catch-all mailbox. They are addressed to various random addresses at my domain. Over time, quite a few of them. As though someone is gradually testing their technique. For the life of me I still can't figure out how anyone gains from these.

    At first I ignored the verification requests as spam. But eventually I started checking SMTP headers on the messages. They really are legitimately from PayPal, and not spoofed. Though at various levels some of them do originate from potentially dodgy email marketing partners of PayPal instead of direct from PayPal.

    So I phoned PayPal's support and asked them if these accounts really existed. After multiple calls and attempts to escalate to someone who could understand the situation, eventually I got to someone in security with half a brain. Only half. They did confirm these are real accounts. One of the earliest EVEN HAD A BANK ACCOUNT linked to it!

    When I asked how an unverified account could get so far in the initiation process, they just obfuscated. They claim that even with a linked bank account, they will not permit it the PayPal account to receive funds or to make payments. When I asked how I could trust that is true they had no good answer.

    Because this is my email domain I'm reasonably confident nobody but me is able to access those mailboxes and receive or respond to the validation messages. This seems to be confirmed because PayPal claims none of the accounts I've checked on are in fully activated status. Though some clearly got farther through the activation process than PayPal would have me believe they can.

    Ultimately the only way to shut down these accounts is if I spend hours on the phone across days of multiple calls to get properly escalated to someone with actual power. And then demand each one individually be shut down.

  • by whoever57 ( 658626 ) on Friday August 19, 2022 @09:34PM (#62805413) Journal

    How did the criminals send the emails from one of PayPal's IP addresses? Presumably PayPal's own mail server added the DKIM signature.

    To me, this is the most important question and it seems to have been glossed over in the article.

    • Re:How? (Score:5, Insightful)

      by arosenfield ( 998621 ) on Friday August 19, 2022 @11:33PM (#62805523)

      The emails are authentic and coming from PayPal's actual servers because they're using a legitimate feature of PayPal to send an real invoice. The clever trick here is that they're also using a BCC feature of the invoice.

      A PayPal business account can send an invoice to a customer saying they are to be paid money for something. That invoice can be sent to a certain recipient, with the option to BCC other email addresses. In the case of this scam, they're sending the invoice to a fictitious user named "PayPal User" with an email address of billing.dprt@paypal.com, but if you don't read the invoice extremely carefully, it looks like the invoice is being sent from that address (under "Bill to"). That email bounces, but it doesn't matter since you were BCC'ed on it.

  • I don't fall for any phishing messages as I know I haven't done any business thru most of PayPal sources or others. I'm 65 and have a Phd inBB Detecting. My McAffee account has long overdue fees... lol And I have won a contest from 2010 World Fair and $2,000,000 put on card in Nigeria and I just have to send $150 to release it thru customs...got that one yesterday. lmao

In the long run, every program becomes rococco, and then rubble. -- Alan Perlis

Working...