Update, January 11, 2025: This story, originally published on January 9, now includes comments from a number of security experts, as well as a statement from PayPal and further information about mitigating phishing for users.
When is a phishing attack not a phishing attack? That’s the question posed by Fortiguard’s chief information security officer after he was targeted by a new attack using a legitimate PayPal feature from a legitimate address with a seemingly legitimate URL as well. Here’s what you need to know about the “no phish” PayPal phishing attack.
Evolution of phishing attacks: PayPal users are now targets
Phishing attacks are getting smarter. A recent report highlighted how genuine Google security requirements are being used to trick victims into giving up their account credentials. While the don’t-click advice is, as always, the basis of anti-phishing best practice, it is no longer good enough when legitimate features are exploited by attackers in attacks that contain no phish at all. Let this example of one such attack, which uses legitimate PayPal functionality, be a warning: if the CISO of a security company thinks it’s too risky, then so should you.
“A real email still can’t be a problem, right?” That’s the question that Fortiguard’s chief information security officer, Dr. Carl Windsor, laid out in a new warning posted on the Fortiguard Labs Threat Research blog on January 8. Noting that the email “appears to be valid and not spoofed,” and that, by using a genuine PayPal money request feature, it could fool his mother, the standard test he uses in such circumstances, Windsor warned that the attack “does not use traditional phishing methods.” Honestly, it sounds pretty strange so far, but let’s dig further to see what Windsor means.
The PayPal phishing scam without a phish
“The email, URLs and everything else is completely valid,” Windsor explained. When the link is clicked (don’t), the victim is redirected to a genuine PayPal login page that shows a payment request. The trick is that the request is linked to the address it was sent to, not the one it was received at. The victim may not notice that the email was not addressed to them at all: the attacker registered a free Microsoft 365 trial domain and used it to create a distribution list containing the targeted email addresses. By then using PayPal’s legitimate payment request feature with this list as the recipient address, the attacker produces a message in which everything looks completely legitimate, except for the To: field, which a victim can easily miss unless they are a chief information security officer, or so you would hope. The payment request, in this case, was for $2,185.96, which is large enough to be profitable at scale but “small” enough not to raise too much suspicion for many corporate targets.
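The To: field is the one tell in this attack, so it is also the one thing a mail gateway rule or an analyst script can key on. The following is an added example (not code from the Fortiguard blog, from PayPal or from this article) of that check: a message whose sender domain is a watched vendor and whose SPF, DKIM and DMARC all pass, yet whose To/Cc headers do not contain the mailbox it was delivered to, is flagged for verification inside the vendor’s own site or app. The vendor allowlist, the two sample messages, the list address and the tenant name are all constructed for illustration and are not the ones used in the real attack.

```python
"""Flag authenticated vendor mail that reached a mailbox via an address
that is not the mailbox owner's own (the "no phish" PayPal pattern).

Added example; not code from Fortiguard, PayPal or the article above.
"""
import email
import email.policy
from email.utils import getaddresses

# Vendors whose money-request or invoice mail deserves a second look when it
# arrives addressed to someone other than the mailbox owner (assumed list).
TRUSTED_VENDOR_DOMAINS = {"paypal.com"}


def _addresses(msg, *headers):
    """Lower-cased e-mail addresses found in the named headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def _auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc as pass.
    Such a message is exactly what a spam filter waves through, so the
    recipient check below has to run on top of authentication, not instead."""
    results = " ".join(str(v) for v in msg.get_all("Authentication-Results", [])).lower()
    return all(f"{mech}=pass" in results for mech in ("spf", "dkim", "dmarc"))


def check_relayed_vendor_request(raw: bytes, mailbox: str) -> dict:
    """Classify a raw RFC 5322 message that was delivered to `mailbox`.

    The suspicious case is a genuinely authenticated vendor message whose
    visible recipients do not include the mailbox it landed in, which is what
    a request sent to a distribution list looks like once the list has fanned
    it out to the real targets.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    from_domains = {a.rsplit("@", 1)[-1] for a in _addresses(msg, "From")}
    visible = sorted(_addresses(msg, "To", "Cc"))
    finding = {"suspicious": False, "visible_recipients": visible, "reason": ""}

    if not from_domains & TRUSTED_VENDOR_DOMAINS:
        finding["reason"] = "sender is not a watched vendor"
        return finding
    if not _auth_passed(msg):
        finding["reason"] = "authentication failed; ordinary spoof, left to standard filtering"
        return finding
    if mailbox.lower() in visible:
        finding["reason"] = "addressed directly to the mailbox"
        return finding

    finding["suspicious"] = True
    finding["reason"] = (
        f"authenticated {', '.join(sorted(from_domains))} message delivered to {mailbox} "
        f"but addressed to {', '.join(visible) or '(no visible recipient)'}; "
        "verify the request inside the vendor's own site or app, not via the link"
    )
    return finding


# Constructed sample: what a recipient of the relayed money request sees.
# The list address and tenant name are placeholders, not the real ones.
RELAYED_REQUEST = b"""\
From: service@paypal.com
To: billing-list@example-tenant.onmicrosoft.com
Subject: You have a money request for $2,185.96 USD
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain

Please log in to review and pay this request.
"""

# Constructed sample: the same request sent straight to the mailbox owner.
DIRECT_REQUEST = RELAYED_REQUEST.replace(
    b"To: billing-list@example-tenant.onmicrosoft.com", b"To: victim@example.com"
)

if __name__ == "__main__":
    for name, raw in (("relayed", RELAYED_REQUEST), ("direct", DIRECT_REQUEST)):
        result = check_relayed_vendor_request(raw, "victim@example.com")
        print(f"{name}: suspicious={result['suspicious']} ({result['reason']})")
```

The rule deliberately does nothing for messages that fail authentication: those are the traditional spoofs existing filters already catch. It only speaks up for mail that is cryptographically genuine but was not addressed to the person reading it, which is the gap this attack lives in.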
“As a trusted commerce platform, PayPal takes pride in our work to protect our customers from scams and emerging fraudulent activity, including this common phishing scam,” a PayPal spokesperson said. “We encourage customers to always be vigilant online, especially this time of year, and visit PayPal.com for additional tips on how to protect yourself.”
Security experts speak out about the latest PayPal attack
A number of security professionals have now spoken about the methodology used in this latest PayPal attack. Standard phishing methods, which typically require threat actors to craft malicious emails and send them to a wide audience, are relatively easy for email platforms to detect and block; that is not the case with this no-phish attack. Elad Luz, head of research at Oasis Security, warned that exploiting a vendor feature and sending from a verified source makes these attacks “difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as the only entity capable of mitigating the problem.” Recognizing that there would be a trade-off between delaying PayPal transactions to allow more time for fraudulent activity to be detected and maintaining customer satisfaction by promptly processing payments, Luz concluded: “I believe PayPal will strike the right balance to address this challenge effectively.”
Experts at managed e-commerce hosting provider Hypermode have also warned of other common PayPal scams that users should be aware of:
The “problem with your PayPal account” scam
A standard phishing trick in which fake support notifications exploit the fear of losing access to the account.
The PayPal promotional offer scam
Cashback, discounts on future purchases or online coupons are used as the phishing lure.
The PayPal order confirmation scam
Legitimate-looking confirmations of a large purchase direct users to click a link to “verify” the transaction.
Mitigating the no-phish PayPal phishing attack
By way of background, PayPal told me it takes all necessary steps to protect customers as fraudsters constantly evolve their attack methodologies. This includes a number of measures used in combination, such as manual investigations and technology-led defenses. PayPal is also proactive when it comes to limiting accounts and curbing transactions deemed to be potentially risky. PayPal customers have likely already seen some of these fraud detection technologies in action, such as the fraud reminder alerts and tips that accompany invoices and peer-to-peer money requests globally.
“The best solution is a Human Firewall,” Windsor said, “someone who is trained to be aware of and wary of any unsolicited email, no matter how genuine it may seem.”
Email is one of the most common vectors for cyberattacks, including phishing, malware and ransomware, and it’s essential that companies of all sizes have a solution that covers email security. “Neglecting email security can expose a company to significant risks, including data breaches, financial losses and reputational damage,” said Spencer Starkey, executive vice president for the Europe, Middle East and Africa region at SonicWall. “A comprehensive email security solution should include features such as spam filtering, malware scanning, connection protection and data loss prevention. By implementing such a solution, companies can protect their employees, customers and partners from email-based threats and ensure the integrity and confidentiality of their communications.”
Meanwhile, Stephen Kowski, chief field technology officer at SlashNext Email Security+, said that while it is not new to see attackers exploiting distribution lists in unexpected ways, this PayPal twist is a new variation on the theme. “Using neural networks to analyze social graph patterns and other advanced AI techniques in state-of-the-art security tools helps uncover these hidden interactions by analyzing user behaviors more deeply than static filters,” Kowski said, adding that “that type of proactive detection engine recognizes unusual group messaging patterns or requests that pass through basic controls. A thorough inspection of user interaction metadata will also capture this kind of abuse.”
As well as resources detailing how to spot a fake PayPal email and how to prevent fraudsters from accessing your PayPal account, PayPal advises customers to:
- Be careful when asked to participate in a transaction, especially with someone they don’t know or don’t owe money to.
- Do not pay any unexpected or suspicious invoices or payment requests, and do not respond to those requests in any way, including by sharing personal information.
- If a customer has shared personal information or clicked on a link, they should change their account password and contact PayPal and their financial institution immediately.
- Turn on two-factor authentication.
- Report any phishing emails to PayPal’s security team by forwarding them to phishing@paypal.com and then deleting them.