A recent PayPal phishing scheme uses email notifications from the legitimate PayPal service address to trick users into giving attackers control of their accounts, Fortinet CISO Carl Windsor reported in a blog post Wednesday.
Windsor wrote that he received a suspicious email last month that came from PayPal's legitimate service address but listed an address other than his own in the “to” field. The email was a payment request for more than $2,000 with a link that led back to the legitimate PayPal website.
Many users would likely click the link and log into PayPal to reject the suspicious payment request, Windsor noted, but doing so would hand the attacker control of the victim’s PayPal account. Windsor went on to explain how the attacker pulls this off without writing or sending any phishing emails from their own address, or linking to a malicious website of their own.
The unfamiliar address in the “to” field of the email, which sits on an onmicrosoft.com subdomain, is both an attacker-controlled mailbox and the name of an email distribution list set up by the attacker, whose membership is the list of targeted victims.
By setting up a Microsoft 365 test domain, which Windsor noted can be obtained with a three-month free trial, the attacker can create both the email address and the craftily named distribution list, and then use PayPal to send a payment request to that email address.
PayPal’s system will believe it is sending the request only to the provided email address, when in reality, all of the addresses on the mailing list will receive the request. However, because the request is tied to the attacker-controlled email address, if a victim logs in through the link in the email, PayPal will link their account to that email address.
The attacker can then have a password reset request for the victim’s account sent to their own email address, potentially taking control over the account. This attack requires the attacker to already know the victim’s email address, and could be thwarted if the target has multi-factor authentication enabled on their PayPal account.
“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall — someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look,” Windsor wrote.
A vigilant user would likely notice that the log-in page accessed by clicking the link in the email states that a new email address will be linked to their account when they log in. And while traditional email filters will likely miss this phishing attempt due to the use of trusted email addresses and links, setting up custom rules in email security software that flag combinations of elements — such as PayPal, onmicrosoft.com and payment requests — can help block specific known schemes like this one.
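A rule of that kind can be expressed directly: flag a message only when several individually benign signals line up, a trusted PayPal sender, a “to” address that is not the recipient’s own mailbox, that address on an onmicrosoft.com tenant, and payment-request wording. The block below is an added example, not code from Windsor’s post or from any email security product; the two sample messages, the onmicrosoft.com tenant name, the recipient mailbox and the amount are constructed for illustration.

```python
"""Detection rule for the PayPal distribution-list phishing pattern (added example).

The rule does not try to decide whether the sender is forged (it is not) or the link
is malicious (it is not); it keys on the combination of signals the scheme needs.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Signals the rule combines. Adjust to the deployment; these values are assumptions.
TRUSTED_SENDER_DOMAINS = {"paypal.com"}
SUSPECT_TO_DOMAIN_SUFFIXES = (".onmicrosoft.com",)
PAYMENT_REQUEST_PHRASES = ("money request", "payment request", "requested a payment")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def evaluate(raw_message: str, my_mailbox: str) -> dict:
    """Return the individual signals and whether their combination triggers the rule.

    my_mailbox is the address the message was actually delivered to; the scheme relies
    on the visible "To" header naming the attacker's list instead of the victim.
    """
    msg = message_from_string(raw_message)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", []))]
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    text = ((msg.get("Subject") or "") + "\n" + _body_text(msg)).lower()

    signals = {
        "from_trusted_paypal": any(_domain(a) in TRUSTED_SENDER_DOMAINS for a in from_addrs),
        "to_is_not_my_mailbox": my_mailbox.lower() not in to_addrs,
        "to_on_onmicrosoft_tenant": any(
            _domain(a).endswith(SUSPECT_TO_DOMAIN_SUFFIXES) for a in to_addrs
        ),
        "mentions_payment_request": any(p in text for p in PAYMENT_REQUEST_PHRASES),
    }
    return {"flag": all(signals.values()), "signals": signals}


# Constructed sample: a genuine-looking PayPal money request whose "To" header names an
# attacker's distribution list on an onmicrosoft.com trial tenant (tenant name assumed).
SUSPICIOUS_SAMPLE = """\
From: PayPal <service@paypal.com>
To: billing-notices@contoso-trial.onmicrosoft.com
Subject: You have a money request
Content-Type: text/plain; charset=utf-8

A money request for $2,185.96 USD was sent to billing-notices@contoso-trial.onmicrosoft.com.
Log in to PayPal to review or decline it.
"""

# Constructed sample: the same notification addressed to the recipient's own mailbox.
BENIGN_SAMPLE = """\
From: PayPal <service@paypal.com>
To: alice@example.com
Subject: You have a money request
Content-Type: text/plain; charset=utf-8

A money request was sent to alice@example.com by a contact in your address book.
"""


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, evaluate(sample, "alice@example.com"))
```

The rule deliberately fails open on any single missing signal: a PayPal request addressed to the recipient, or a misaddressed message that is not a payment request, passes untouched, so the rule adds little noise to ordinary PayPal traffic while catching this specific combination.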
PayPal is not the only legitimate service to have its email notification system exploited in phishing attempts.
Last year, threat actors used GitHub’s email notification system to send phishing emails by tagging targeted users in comments written to look like messages from GitHub staff. When a user was tagged, they would receive an email from GitHub’s legitimate notifications address containing the text of the comment, which could pass for the actual email body. Last month, attackers also used Google Calendar invites with manipulated sender headers to trick users into clicking malicious links. The email invites were sent through the legitimate Google Calendar service and designed to look like invites from legitimate individuals or brands.