Earlier this afternoon I received the following email from PayPal:
I didn't initiate a Bitcoin buy through PayPal for that -- or any -- amount. I logged in to PayPal directly (not using links in the email) and confirmed as much.
So it became clear this was a phishing email. As I started to investigate, I found a few interesting details.
Mail routing and reply-to address
This was the first eye-opening moment. Most phishing attempts come from an obviously bogus email address. However, in this case I checked the email envelope (i.e. gmail allows you to view the raw email via "Show Original") and found:
~~~ Return-Path: [email protected] Received: from mx1.phx.paypal.com (mx2.phx.paypal.com. [66.211.170.88]) by mx.google.com with ESMTPS id y-xx.32.2022 for [email protected]
Received-SPF: pass (google.com: domain of [email protected] designates 66.211.170.88 as permitted sender) client-ip=66.211.170.88; ~~~
In other words, this email actually originated from PayPal. It passed through PayPal's mail transfer agent (MTA) systems and, as such, was allowed in by Google's MTA systems. Not good.
Suspicious links
This was the second eye-opening moment. Most phishing attempts include links that point to an obviously bogus domain. However, in this case, I copied the links (i.e. copied the link locations; I didn't click on them) and pasted them into a text document for analysis.
~~~ $ hexdump -Cv suspect.txt | head -3 00000000 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 61 79 70 |https://www.payp| 00000010 61 6c 2e 63 6f 6d 2f 69 6e 76 6f 69 63 65 2f 70 |al.com/invoice/p| 00000020 61 79 65 72 56 69 65 77 2f 64 65 74 61 69 6c 73 |ayerView/details| ~~~
These are real links that actually point to PayPal's HTTP servers. At first I was thinking they did a visual domain trick like replacing "l" (lowercase L) with "I" (capital I), but that's not the situation at all.
The scam
What the hell is going on, then? If the email originated from PayPal and points to real PayPal links, then what is the scam?
As it turns out, the only thing in the email that's not real is the phone number provided in the customer notes. Whoever did this is counting on confused (and non-technical) users to get frustrated and call the number provided in the email. At that time they'll be ripped off one way or another (credit card details, personal information, login credentials, seed phrase, or whatever else).
Following up with PayPal support
I called PayPal right away (using their real number, not the one in the email), because this is probably the most sophisticated phishing attempt I've seen. What they explained on the phone is:
- This is a known issue that is "being investigated"; essentially, their invoice feature is being abused
- Bad actors are creating PayPal accounts and then sending invoices to other "random" PayPal users
- If the recipient clicks the "View and Pay Invoice" link, and then authenticates to PayPal, the bogus invoice will appear in their account
Of course, one can dispute a bogus invoice. So I believe the real attack vector here is basic social engineering. Again, the bad actors are counting on less patient, less technical people to panic and call the phone number in the email.
Be cautious out there. Phishing / social engineering just keeps getting more effective.
[link] [comments]
You can get bonuses upto $100 FREE BONUS when you:
π° Install these recommended apps:
π² SocialGood - 100% Crypto Back on Everyday Shopping
π² xPortal - The DeFi For The Next Billion
π² CryptoTab Browser - Lightweight, fast, and ready to mine!
π° Register on these recommended exchanges:
π‘ Binanceπ‘ Bitfinexπ‘ Bitmartπ‘ Bittrexπ‘ Bitget
π‘ CoinExπ‘ Crypto.comπ‘ Gate.ioπ‘ Huobiπ‘ Kucoin.
Comments