For cybercriminals engaged in phishing, the key question is – how do they get the malicious email past the email security measures? After all, most email service providers are good at spotting, and blocking, spam and phishing emails.
Cybersecurity researchers from Avanan have now uncovered that some hackers have gotten quite creative, using payment service providers such as PayPal to distribute phishing (opens in new tab) emails via fake invoices.
What they’ll do is create a phony PayPal (opens in new tab) account, and impersonate a major brand. Creating a PayPal account is quick, easy, and most importantly – free. Then, they’d send malicious invoices and requests for payment directly from the service.
Calling the scammers
Given the (legitimate) nature of PayPal, email service providers can do nothing else but let the email through.
The invoice will look legit. It will have the brand logo, proper wording, but also – a phone number for the victim to call.
Unless they ignore the invoice altogether, there are two things the victims can do: either pay the invoice, or call the listed phone number. Avanan calls this attack a “double spear”, as in some cases, not only will the hackers have the victim’s email, but also their phone number, which can later be used for new attacks.
Less than two weeks ago, the researchers notified PayPal of the campaign. The payment service provider is yet silent on the matter, so how they decide to tackle the problem, remains to be seen.
The researchers suggest everyone that, before calling an unfamiliar service, run a Google search on the number listed with the invoice and check the accounts to see if there were any charges. They should also implement advanced security on their endpoints (opens in new tab), that looks at more than one indicator, to determine whether the email is malicious or not, and encourage users to ask their IT support, if they’re not sure about an email’s good intentions.
- Keep your internet traffic to yourself with the best firewalls (opens in new tab) right now