A new phishing campaign relies on legitimate links to trick victims into logging in and giving attackers control of their PayPal accounts. The phishing emails inform the intended victim of a payment request, providing legitimate-looking details, such as an amount and transaction ID, and even contain warnings that one would typically find in an email from PayPal. The messages come from a genuine PayPal address and include a genuine URL, which allows them to pass security checks and makes them appear legitimate.
When the victim clicks on the link, they are taken to a legitimate PayPal login page showing a payment request, which could scare a panicked person into entering their credentials to learn more about the transaction. If the user attempts to log in, the page automatically links the victim’s PayPal account with the email address of the phisher, which is displayed in the phishing email’s ‘To:’ field and which, in the instance analyzed by Fortinet, was: ‘Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com’.
According to Fortinet https://www.fortinet.com, the threat actor appears to have registered a Microsoft 365 tenant domain, likely a trial tenant, which is free for the first three months, and then created a Distribution List populated with the email addresses of the intended victims.
“On the PayPal web portal, they simply request the money and add the distribution list as the address,” Fortinet explains. PayPal then sends its genuine money-request notification to the distribution-list address, and the attacker’s Microsoft 365 tenant expands the list and relays a copy to every member. A plain forward of that kind would normally fail SPF, because the relaying server is not an authorized sender for paypal.com; instead, Microsoft 365’s Sender Rewriting Scheme (SRS) rewrites the envelope sender to the tenant’s own domain, while the message body and PayPal’s DKIM signature are left untouched. The result is that SPF, DKIM and DMARC all pass at the victim’s mail server even though the message has taken a detour through the attacker’s tenant. As soon as the victim clicks the link and logs in to their account, the attacker’s email address is linked to the victim’s PayPal account.
“The scammer can then take control of the victim’s PayPal account, which is a neat trick. It’s so neat that it would sneak past even PayPal’s phishing check instructions,” researchers explain. Because the message is genuinely generated by PayPal, carries a real PayPal link and passes email authentication, the usual checks (verify the sender domain, hover over the link) give a false sense of safety. The one visible tell is the ‘To:’ field, which names the attacker’s distribution list rather than the recipient, together with the unfamiliar requester shown on the payment request itself; beyond that, users can protect themselves only by treating unsolicited payment requests with suspicion, however genuine they look.
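The relay pattern described above leaves traces in the message headers that a mail gateway or SOC triage script can key on, even though SPF, DKIM and DMARC all pass. The following is an added example written for this page, not code from Fortinet, Red Sky Alliance or PayPal. It parses two constructed messages (only the tenant domain and ‘To:’ address come from the article; the SRS-rewritten Return-Path follows the generic `SRS0=HHH=TT=<original-domain>=<original-local>@<relaying-domain>` shape and the PayPal Return-Path in the control message are assumptions) and flags a notice that claims to come from paypal.com but was relayed by a third-party tenant and addressed to someone other than the mailbox owner.

```python
"""Triage rule for PayPal money requests relayed through a Microsoft 365 distribution list.

Added example for this article, not Fortinet's or Red Sky Alliance's code. Sample headers
below are constructed, not real captures; see the comments for what is assumed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Optional

TRUSTED_SENDER_DOMAIN = "paypal.com"  # the brand the notice claims to come from

# Constructed sample: the To: address is the indicator quoted in the article; the
# SRS0=... Return-Path is the assumed shape of an SRS rewrite by the relaying tenant.
SAMPLE_RELAYED = """\
Return-Path: <SRS0=2sAb=K7=paypal.com=service@gkjyryfjy876.onmicrosoft.com>
Authentication-Results: spf=pass smtp.mailfrom=gkjyryfjy876.onmicrosoft.com;
 dkim=pass header.d=paypal.com; dmarc=pass action=none header.from=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: Billingdepartments1@gkjyryfjy876.onmicrosoft.com
Subject: You have a money request

A money request for $2,185.96 USD is waiting for you.
"""

# Constructed control: the same kind of notice delivered directly to the mailbox owner.
# The paypal.com Return-Path is assumed for the comparison.
SAMPLE_DIRECT = """\
Return-Path: <service@paypal.com>
Authentication-Results: spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass action=none header.from=paypal.com
From: "service@paypal.com" <service@paypal.com>
To: alice@example.com
Subject: You have a money request

A money request for $40.00 USD is waiting for you.
"""


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def srs_original_domain(local_part: str) -> Optional[str]:
    """Return the original sender domain encoded in an SRS0 local part, else None."""
    fields = local_part.split("=")
    if len(fields) < 5 or fields[0].upper() != "SRS0":
        return None
    return fields[3].lower()


def triage(raw_message: str, mailbox: str) -> Dict[str, object]:
    """Score one RFC 822 message delivered to `mailbox` for the relayed-request pattern."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    to_addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]

    findings: List[str] = []
    relayed_by: Optional[str] = None

    # Signal 1: the envelope sender was SRS-rewritten by a domain other than the brand's.
    # SPF/DKIM/DMARC all pass in this campaign, so the Authentication-Results verdict is
    # deliberately not consulted; the rewrite itself is what reveals the detour.
    if domain_of(from_addr) == TRUSTED_SENDER_DOMAIN:
        encoded = srs_original_domain(return_path.rpartition("@")[0])
        relay_domain = domain_of(return_path)
        if encoded == TRUSTED_SENDER_DOMAIN and relay_domain != TRUSTED_SENDER_DOMAIN:
            relayed_by = relay_domain
            findings.append(f"envelope sender rewritten by {relay_domain} (SRS)")

    # Signal 2: the mailbox owner is not in To:, so the notice was addressed to a list
    # or alias and expanded to us; a request PayPal sends to us directly names us.
    if mailbox.lower() not in to_addrs:
        findings.append("recipient mailbox absent from To: (list or relay delivery)")

    # Signal 3 (weak on its own): the To: address sits on a *.onmicrosoft.com tenant,
    # the kind of trial domain the article describes the attacker registering.
    if any(a.endswith(".onmicrosoft.com") for a in to_addrs):
        findings.append("To: address is a *.onmicrosoft.com tenant address")

    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "ok")
    return {"verdict": verdict, "relayed_by": relayed_by, "findings": findings, "to": to_addrs}


if __name__ == "__main__":
    for name, raw in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        print(name, triage(raw, "alice@example.com"))
```

The rule intentionally ignores the `Authentication-Results` header, because in this campaign every check passes; it relies instead on the SRS rewrite in `Return-Path` and on the mismatch between the mailbox owner and the `To:` field. Legitimate list traffic and internal forwarding will also trip signal 2, so in production the verdict should be scoped to notifications from payment brands and tuned against the organisation's own aliases.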
“This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves and your organization safe,” Fortinet notes.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5207428251321676122