Pierluigi Paganini
January 11, 2025
Fortinet uncovered a phishing campaign targeting PayPal users. The scheme employs legitimate links to deceive victims and gain unauthorized access to their accounts.
The phishing emails mimic PayPal notifications, including payment details, warnings, a real PayPal sender address, and a genuine URL to bypass security checks.
Upon clicking the link, the recipients are directed to a legitimate PayPal login page that shows a payment request. A panicked user might log in, but this links their PayPal account to the phishing email’s fake address, not where it was received, allowing account compromise.
“A panicked person may be tempted to log in with their account details, but this would be very dangerous. It links your PayPal account address with the address it was sent to—not where you received it.” reads the report published by Fortinet. “In this case, PayPal thinks it sent this request to Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com”
According to the researchers, the scammer appears to have registered an Microsoft 365 test domain, which is free for three months, and then created a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing the emails of the victims.
Then scammers request the money through the PayPal web portal by adding the distribution list as the address (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com).
“This money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender to, e.g., bounces+SRS=onDJv=S6[@]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check.” continues the report. “Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account. The scammer can then take control of the victim’s PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions.”
Users can protect themselves by staying cautious of unsolicited emails, even if they appear genuine.
“The beauty of this attack is that it doesn’t use traditional phishing methods. The email, the URLs, and everything else are perfectly valid. Instead, the best solution is the Human Firewall—someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look.” concludes the repor. “This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, phishing)
