Cybercriminals have deployed a new PayPal-involved email phishing attack – minus the phishing part – warns Fortinet’s head of security.
Fortinet CISO Carl Windsor wrote about the latest PayPal-linked social engineering scam in a company blog post on Wednesday, saying the message “immediately set off alarm bells.”
The attackers’ malicious email scheme, where Windsor was the intended victim, centers around PayPal’s “Send and Request” money feature.
Rating phishing scams using the acronym WWMMD (What would my mother do?), Windsor said the so-called phishing attack first piqued his curiosity when he noticed that the email used what appeared to be a genuine PayPal sender address and a genuine PayPal login URL.
Because attackers can spoof an email address quite easily, most people are taught to be on the lookout for emails from an unknown sender or one from an invalid email address.
The same goes for checking that a link is legitimate before clicking on it – better yet, it is recommended never to open links pasted into an email, especially ones appearing to come from a known company or brand, and instead to retype the URL in your browser for safety.
“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid,” Windsor said in his post.
How did the attackers pull it off?
In this case, the attackers were able to circumvent the system, so to speak, and send Windsor a fraudulent money-request email that genuinely came from the PayPal address “service[@]paypal.com.”
Windsor believes the scammers first “simply registered an MS365 test domain, which is free for three months, and then created a Distribution List containing victim emails.”
To note: Microsoft 365 user email accounts, by default, use the domain “onmicrosoft.com."
Next, the attackers appear to have gone to the PayPal web portal, hit the 'Request money from anyone' tab, and pasted the 'distribution list' email address in the ‘who to request from’ bubble on the page.
The CISO says that once this is done, "the money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender" address to one that passes the SPF/DKIM/DMARC email authentication checks – instead of being flagged as malicious.
Legitimate login URL is a ruse
Inside the email, the attackers also include a seemingly legitimate PayPal URL (https://www.paypal[.]com/sign-in/?), which, when clicked, directs the user to the actual PayPal sign-in page, the CISO explained.
Windsor says the trap is set for those who “panic” on seeing a request for money and want to log into PayPal to see what is happening: as soon as the victim clicks the sign-in URL and logs into their PayPal account, that account is automatically linked to the attacker's account.
“The scammer can then take control of the victim's PayPal account – a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions,” Windsor said.
Preventing a non-traditional phishing attack
The Fortinet CISO says the best way to prevent a phish-free attack is with a "Human Firewall,” which he defines as “someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look.”
Windsor says the easiest way for savvy security folk to block these unconventional attacks would be to create a data loss prevention (DLP) rule with parameters that flag any email messages “being sent via a distribution list.”
Windsor suggested when creating a “match all" scan rule to include the following conditions:
- Sender contains onmicrosoft.com
- Header contains From “service[@]paypal.com”
- Subject contains money
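The three-condition “match all” rule above, approximated in Python as an added example (not Fortinet's or Windsor's code). It assumes the SRS-rewritten sender appears in the delivered message's Return-Path or Sender header while the visible From header still carries the PayPal address; the sample messages are constructed, not real captures.

```python
from email import message_from_string
from email.message import Message


def header_lower(msg: Message, name: str) -> str:
    """Return a header value lower-cased, or '' when the header is absent."""
    return (msg.get(name) or "").lower()


def matches_distribution_list_rule(raw: str) -> bool:
    """True only when ALL three conditions of the 'match all' rule hold."""
    msg = message_from_string(raw)
    # Condition 1: the SRS-rewritten envelope sender lives in a tenant test
    # domain. Assumption: it surfaces as Return-Path (or Sender) on delivery.
    envelope = header_lower(msg, "Return-Path") + " " + header_lower(msg, "Sender")
    relayed_via_tenant = "onmicrosoft.com" in envelope
    # Condition 2: the visible From header is PayPal's genuine service address.
    from_is_paypal = "service@paypal.com" in header_lower(msg, "From")
    # Condition 3: the subject mentions money.
    subject_money = "money" in header_lower(msg, "Subject")
    return relayed_via_tenant and from_is_paypal and subject_money


# Constructed sample: PayPal's request relayed through a tenant distribution
# list. The SRS local part and tenant name are placeholders.
RELAYED_REQUEST = """\
Return-Path: <SRS0=PLACEHOLDER=XY=paypal.com=service@example-tenant.onmicrosoft.com>
From: "service@paypal.com" <service@paypal.com>
To: victims-list@example-tenant.onmicrosoft.com
Subject: You have a money request

Body omitted.
"""

# Constructed sample: the same request sent by PayPal directly, no relay.
DIRECT_PAYPAL_MAIL = """\
Return-Path: <service@paypal.com>
From: "service@paypal.com" <service@paypal.com>
To: user@example.com
Subject: You have a money request

Body omitted.
"""

# Constructed sample: an ordinary tenant distribution-list message.
INTERNAL_LIST_MAIL = """\
Return-Path: <SRS0=PLACEHOLDER=XY=example.com=finance@example-tenant.onmicrosoft.com>
From: finance@example.com
To: all-staff@example-tenant.onmicrosoft.com
Subject: Expense money reminder

Body omitted.
"""
```

Only the relayed message trips the rule; a direct PayPal request and an unrelated distribution-list mail each fail one of the three conditions.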
And, while your mother is unlikely to take on the role of a human firewall, there are still some things to remind her of (and yourself) to help ward off any kind of phishing attack, according to PayPal.
The P2P platform stresses being wary of emails from unknown senders or ones that use generic greetings. Next, you should always check the validity of a link before clicking on it by hovering your mouse over it to check the website address. Additionally, always be cautious of opening unknown attachments, especially ones from businesses you are not familiar with.
And finally, users should always be suspicious of emails that convey a sense of urgency, one of the surefire indications of a social engineering attack.