Clever PayPal attack dodges phishing checks to take over accounts

Research by Fortinet has uncovered what it terms a 'phish-free' PayPal phishing attack that seeks to trick the unwary into giving up control of their account.

It starts with an email request for payment that appears to come from a valid email address. Click the link and you're taken to a PayPal login page showing a request for payment. This is where it gets clever: if you do log in, your account gets linked to the address the email was sent to -- the list address in the request, not the mailbox you read it in.

The scammers achieve this trick by setting up an MS365 distribution list containing the email addresses of the targets. On the PayPal web portal, they then simply request the money and enter the distribution list as the recipient address.

Log in and the distribution list address is linked to your PayPal account; once that has happened, the scammer is able to take control of the account.
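From the recipient's side, the tell-tale sign of this delivery trick is that the payment request is addressed to a list address rather than to any mailbox the target actually owns. The following is an added illustration, not code from the article or from Fortinet, of a mailbox-side check that holds such requests for review; the addresses, subject heuristic and sample messages are constructed assumptions.

```python
# Added example (not from the article): hold a payment-request email for
# review when none of its To:/Cc: recipients is an address the mailbox
# owner actually uses, which is how delivery via a third party's
# distribution list looks from the receiving end.
from email import message_from_string
from email.utils import getaddresses
from typing import Optional, Set

# Addresses the mailbox owner legitimately uses (assumed values).
OWN_ADDRESSES = {"ap@example.com", "accounts@example.com"}


def recipients(raw: str) -> Set[str]:
    """Return every To:/Cc: address in a raw RFC 5322 message, lower-cased."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def is_payment_request(raw: str) -> bool:
    """Crude subject heuristic for a money/payment request (assumed wording)."""
    subject = message_from_string(raw).get("Subject", "").lower()
    return "request" in subject and ("payment" in subject or "money" in subject)


def flag_request(raw: str, own: Set[str] = OWN_ADDRESSES) -> Optional[str]:
    """Return a reason to hold the message, or None if it looks normally addressed."""
    if not is_payment_request(raw):
        return None
    rcpts = recipients(raw)
    own_lower = {a.lower() for a in own}
    if rcpts and not (rcpts & own_lower):
        # Addressed only to recipients that are not ours: likely a list address.
        return "payment request addressed only to non-owner recipient(s): " + \
            ", ".join(sorted(rcpts - own_lower))
    return None


# Constructed sample messages (not real PayPal mail).
LEGIT = """From: service@example-payments.test
To: ap@example.com
Subject: You have a payment request

Please pay invoice 1234.
"""

VIA_LIST = """From: service@example-payments.test
To: billing-list@other-tenant.test
Subject: You have a payment request

Please pay invoice 1234.
"""
```

Running `flag_request(VIA_LIST)` yields a hold reason naming the list address, while `flag_request(LEGIT)` returns None.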

"What's interesting about this attack is that it doesn't use traditional phishing methods," says Dr. Carl Windsor, CISO at Fortinet. "The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall -- someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look."

The lesson therefore is that you should always be wary of unexpected requests for payment, though it’s easy to see how in busy accounts departments these attacks could slip through the net.

Elad Luz, head of research at Oasis Security, adds:

Standard phishing methods typically require threat actors to craft and deliver emails to a wide audience. These methods are relatively easy for mailbox providers to detect and block, as they can be quickly identified by their origin and content.

In this case, however, the threat actors exploit a vendor feature to deliver their messages. The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request. This makes them difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.

You can read more on the Fortinet blog.
