When is a phishing attack not a phishing attack? That is the question posed by Fortiguard’s chief information security officer after he was targeted by a new attack using a legitimate PayPal feature from a legitimate address with a seemingly legitimate URL as well. Here’s what you need to know about the “phish-free” PayPal phishing attack.

The Evolution Of Phishing Attacks—PayPal Users Now In The Crosshairs

Phishing attacks are getting ever more clever in their approach, as a recent news article revealed in highlighting how genuine Google security prompts are being used to scam victims into giving up their account credentials. While the do-not-click advice is, as always, the baseline for anti-phishing best practice, it is no longer good enough when legitimate features are being exploited by hackers in no-phish phishing attacks. Let this example of just such an attack, using legitimate PayPal functionality, be a warning to you: if the CISO of a security company thinks it is highly dangerous, then so should you.

“A genuine email can’t still be a problem, can it?” That’s the question that Fortiguard chief information security officer, Dr. Carl Windsor, posed in a new warning posted to the Fortiguard Labs Threat Research blog on Jan. 8. The email in question purported to be from PayPal, “the sender address appears to be valid and not spoofed,” and it used a genuine PayPal money request feature; Windsor reported that it could fool his mother, the standard test he applies in such circumstances, and warned that the attack “doesn’t use traditional phishing methods.” In fairness, it sounds pretty fishy to me so far, but let’s explore further to see what Windsor means.

The No-Phish PayPal Phishing Scam

“The email, the URLs, and everything else is perfectly valid,” Windsor explained. When the victim clicks on the link (don’t do that), they are taken to a PayPal login page showing a request for payment. The trick the attackers employ is that the payment request is linked to the address the email was sent to, not the address at which the victim received it. The attacker registered a free Microsoft 365 test domain, created a distribution list on it containing the target email addresses, and then used the legitimate PayPal payment request feature with that list as the recipient. PayPal genuinely sends the request, and the distribution list passes it on to every member, so everything about the message looks completely legitimate, apart from the To: address field, which the victim can easily miss unless they happen to be a chief information security officer (or at least you’d hope a CISO wouldn’t miss it). The payment request in this case was for $2,185.96, which is large enough to be profitable at scale yet “small” enough not to raise too much suspicion for many corporate targets.

Mitigating The PayPal Phishless Phish Attack

“The best solution is the Human Firewall,” Windsor said, “someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look.”

Elad Luz, head of research at Oasis Security, meanwhile, warned that exploiting a vendor feature and sending from a verified source makes these attacks “difficult for mailbox providers to distinguish from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.”
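One thing that does survive at the mailbox, even when the sender, the URLs and the authentication results are all genuine, is the mismatch Windsor spotted: a trusted sender, but a To: field that does not contain the recipient’s own address. The following Python is an added example, not code from Fortiguard, PayPal or Oasis Security, of a per-mailbox rule that flags that pattern. The two sample messages, the mailbox address alice@example.com and the list address on an onmicrosoft.com tenant are all constructed for illustration; the onmicrosoft.com heuristic is an assumption based on the default domain Microsoft 365 tenants receive, not something the article states.

```python
"""Mailbox-side check for the "genuine sender, wrong To:" pattern.

Added example (not Fortinet's, PayPal's or Oasis Security's code). A
message is flagged when its From: domain is one the user trusts but none
of the user's own addresses appear in To:/Cc:, which is how a request
relayed through a third-party distribution list looks on arrival.
"""
import email
from email.utils import getaddresses

# Constructed sample modelled on the pattern described in the article:
# a valid-looking PayPal sender, but the To: is a distribution list on an
# attacker-registered Microsoft 365 tenant (address is made up).
SUSPICIOUS_MESSAGE = """\
From: PayPal <service@paypal.com>
To: billing-list@attacker-tenant.onmicrosoft.com
Subject: Money request for $2,185.96
Date: Wed, 08 Jan 2025 09:00:00 +0000

Someone has sent you a request for $2,185.96 USD. Log in to review.
"""

# Constructed control: same sender, addressed directly to the mailbox owner.
LEGITIMATE_MESSAGE = """\
From: PayPal <service@paypal.com>
To: alice@example.com
Subject: Money request for $12.00
Date: Wed, 08 Jan 2025 09:00:00 +0000

Someone has sent you a request for $12.00 USD. Log in to review.
"""


def _addresses(msg, header):
    """Lower-cased bare addresses from every instance of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]


def check_recipient_mismatch(raw_message, mailbox_address,
                             trusted_sender_domains=("paypal.com",),
                             known_aliases=()):
    """Return a verdict dict for one raw RFC 822 message.

    mailbox_address is the address the message was actually delivered to;
    known_aliases lists other addresses (internal lists, plus-addresses)
    that legitimately deliver to this mailbox, so they are not flagged.
    """
    msg = email.message_from_string(raw_message)
    from_addrs = _addresses(msg, "From")
    sender_domain = from_addrs[0].rsplit("@", 1)[-1] if from_addrs else ""
    visible = set(_addresses(msg, "To") + _addresses(msg, "Cc"))
    mine = {mailbox_address.lower(), *(a.lower() for a in known_aliases)}

    reasons = []
    # Core check: trusted sender, yet the message was not addressed to us.
    if sender_domain in trusted_sender_domains and not (visible & mine):
        reasons.append(
            f"From trusted domain {sender_domain} but none of your addresses "
            "appear in To:/Cc: (delivered via a third-party list?)")
    # Heuristic (assumption, not from the article): a recipient on the
    # default *.onmicrosoft.com tenant domain matches the free Microsoft 365
    # test-tenant pattern used to host the distribution list.
    for addr in sorted(visible):
        if addr.endswith(".onmicrosoft.com"):
            reasons.append(
                f"Recipient {addr} is a Microsoft 365 tenant default-domain address")

    return {
        "suspicious": bool(reasons),
        "sender_domain": sender_domain,
        "visible_recipients": sorted(visible),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE),
                       ("legitimate", LEGITIMATE_MESSAGE)):
        verdict = check_recipient_mismatch(raw, "alice@example.com")
        print(label, verdict["suspicious"], verdict["reasons"])
```

The rule deliberately ignores the body and the links, which in this attack are genuine and so carry no signal; it only compares the delivery address with the visible recipients, which is the one field the attacker cannot make match every victim at once. It will also fire on legitimate mail that reaches you through a list or alias, so those addresses belong in `known_aliases` rather than being ignored wholesale. A hit should not be treated as proof of fraud, only as a reason to open paypal.com directly rather than through the link.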

I have reached out to PayPal for a statement.
