A new phishing technique that abuses PayPal’s money request feature has been identified. It delivers a genuine PayPal money request, so the message can look entirely legitimate to recipients.
According to a new advisory by Fortinet, the scammer registered a free Microsoft 365 test domain and created a distribution list containing the targeted email addresses. A payment request was then initiated via PayPal, with the distribution list used as the recipient address.
How the Attack Works
When the request was sent, Microsoft’s Sender Rewrite Scheme (SRS) rewrote the sender address, so the forwarded message passed email authentication checks and appeared valid. In addition, the email, its URL and the sender address all passed PayPal’s own security checks, deceiving users into believing the request was legitimate.
If the recipient panicked and logged into their PayPal account through the provided link, the scammer gained access to their account.
“Standard phishing methods typically require threat actors to craft and deliver emails to a wide audience,” commented Elad Luz, head of research at Oasis Security.
“In this case, however, the threat actors exploit a vendor feature to deliver their messages. The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request. This makes [it] difficult for mailbox providers to distinguish [them] from genuine communications, leaving PayPal as potentially the only entity capable of mitigating the issue.”
Defending Against Phishing Threats
To defend against such threats, Fortinet emphasized the importance of a well-trained “human firewall.” Employees should be educated to scrutinize all unexpected payment requests, even when they appear legitimate.
Additionally, the company recommended using data loss prevention (DLP) rules to detect such attacks. A DLP rule can be configured to flag emails involving multiple recipients from a distribution list, helping identify and block these phishing attempts.
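The following is an added illustration of such a rule, not code from Fortinet or the article: it inspects a message for the two signals described above, a PayPal-branded notification whose envelope sender was SRS-rewritten through a tenant the organization does not own, and delivery through a distribution list (the mailbox is absent from the visible recipients). The brand list, the organization's domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the organization maintains this list; the article names only PayPal.
WATCHED_BRAND_DOMAINS = {"paypal.com"}
# Assumption: domains the organization itself operates (constructed value).
ORG_DOMAINS = {"corp.example"}

# SRS0 rewrites look like SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<relay-domain>
SRS0_RE = re.compile(
    r"^SRS0=[^=]+=[^=]+=(?P<orig_domain>[^=]+)=(?P<orig_local>[^@]+)@(?P<relay>.+)$", re.I
)

def parse_srs0(address):
    """Return (original sender, relaying domain) for an SRS0-rewritten address, else None."""
    m = SRS0_RE.match(address)
    if not m:
        return None
    return f"{m['orig_local']}@{m['orig_domain']}".lower(), m["relay"].lower()

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def assess(raw_message, mailbox):
    """Return the reasons a message should be flagged; an empty list means no finding."""
    msg = message_from_string(raw_message)
    reasons = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    srs = parse_srs0(return_path)
    if domain_of(from_addr) in WATCHED_BRAND_DOMAINS and srs and srs[1] not in ORG_DOMAINS:
        reasons.append(f"{domain_of(from_addr)} notice relayed via SRS through foreign tenant {srs[1]}")
    if mailbox.lower() not in visible:
        reasons.append("delivered via a distribution list: mailbox not among visible recipients")
    return reasons

# Constructed samples: one matching the relayed pattern, one sent directly to the mailbox.
RELAYED = """Return-Path: <SRS0=ab12=XY=paypal.com=service@free-tenant.example>
From: PayPal <service@paypal.com>
To: all-staff@free-tenant.example
Subject: You have a money request
"""
DIRECT = """Return-Path: <service@paypal.com>
From: PayPal <service@paypal.com>
To: alice@corp.example
Subject: You have a money request
"""
```

Run `assess(RELAYED, "alice@corp.example")` to see both findings; the direct message yields none.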
“Using neural networks to analyze social graph patterns and other advanced AI techniques in more modern security tools helps spot these hidden interactions by analyzing user behaviors more deeply than static filters,” added Stephen Kowski, field CTO at SlashNext.
“That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks. A thorough inspection of user interaction metadata will catch even this sneaky approach.”
Image credit: Nuttapong punna / Shutterstock.com