SecurityWeek

Phishing

PayPal Phishing Campaign Employs Genuine Links to Take Over Accounts

Fortinet warns of a phishing campaign that uses legitimate links to take over the victims’ PayPal accounts.

A new phishing campaign relies on legitimate links to trick victims into logging in and giving attackers control of their PayPal accounts, Fortinet warns.

The phishing emails inform the intended victim of a payment request, providing legitimate-looking details, such as an amount and transaction ID, and even contain warnings that one would typically find in an email from PayPal.

Furthermore, the messages come from a genuine PayPal address and contain a genuine URL, which allows them to pass security checks and makes them appear legitimate.

When the victim clicks on the link, they are taken to a legitimate PayPal login page that shows a request for payment, which could scare a panicked person into entering their credentials to learn more about the transaction, Fortinet says.

If the user attempts to log in, however, the page automatically links the victim’s PayPal account with the email address of the phisher, which is actually displayed in the phishing email’s ‘To:’ field, and which in the instance analyzed by Fortinet was ‘Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com’.

According to the security firm, a threat actor appears to have registered a Microsoft 365 domain, likely a test one, which is free for the first three months, and then created a Distribution List containing the email addresses of their intended victims.

“On the PayPal web portal, they simply request the money and add the distribution list as the address,” Fortinet explains.

Next, the request is distributed to the victims and the Microsoft 365 Sender Rewrite Scheme rewrites the sender, allowing the emails to pass the SPF/DKIM/DMARC checks.

Next, as soon as the victim clicks on the link and attempts to log in to their account, the attacker’s email address is linked to the victim’s PayPal account.
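The header pattern described above can be checked at triage time. The following is an added example, not code from Fortinet or PayPal: it flags mail that is From the brand domain but whose To: header is not the receiving mailbox, sits on an onmicrosoft.com tenant, and arrives with an SRS-rewritten Return-Path. The function name, reason strings, SRS local-part shapes and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed shapes of an SRS-rewritten local part (generic SRS0=/SRS1= and "+SRS=").
SRS_MARK = re.compile(r"(^SRS[01]=|\+SRS=)", re.IGNORECASE)

def triage(raw, mailbox, brand="paypal.com"):
    """Return the reasons a brand-sent message looks relayed through a third-party list."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    rpath = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if not from_addr.endswith("@" + brand):
        return []  # only brand-sent mail is in scope for this check
    reasons = []
    # The To: header names someone other than the mailbox that received the mail.
    if to_addr and to_addr != mailbox.lower():
        reasons.append("to-header-not-recipient")
    # The named recipient lives on a Microsoft 365 tenant domain.
    if to_addr.endswith(".onmicrosoft.com"):
        reasons.append("to-onmicrosoft-tenant")
    # The envelope sender was rewritten by a forwarder outside the brand domain.
    local = rpath.rpartition("@")[0]
    if SRS_MARK.search(local) and not rpath.endswith("@" + brand):
        reasons.append("srs-rewritten-return-path")
    return reasons

# Constructed sample: a payment request relayed through a tenant distribution list.
SAMPLE_RELAYED = (
    "Return-Path: <bounces+SRS=aB3dE=XY@tenant-placeholder.onmicrosoft.com>\n"
    "From: service@paypal.com\n"
    "To: billing@tenant-placeholder.onmicrosoft.com\n"
    "Subject: Payment request\n"
    "\n"
    "Constructed body.\n"
)
# Constructed sample: the same kind of notice addressed directly to the mailbox owner.
SAMPLE_DIRECT = (
    "Return-Path: <bounce@paypal.com>\n"
    "From: service@paypal.com\n"
    "To: alice@corp.example\n"
    "Subject: Payment request\n"
    "\n"
    "Constructed body.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_RELAYED, "alice@corp.example"))
    print(triage(SAMPLE_DIRECT, "alice@corp.example"))
```

The first reason alone also fires on Bcc and legitimate mailing lists, so treat it as a triage signal and weigh the reasons together.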

“The scammer can then take control of the victim’s PayPal account—a neat trick. It’s so neat, in fact, that it would sneak past even PayPal’s own phishing check instructions,” Fortinet explains.

Because everything in the phishing emails seems perfectly valid and because the attack does not use traditional phishing methods, users can protect themselves only by being wary of unsolicited emails, regardless of whether they look genuine or not.

“This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves—and your organization—safe,” Fortinet notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
