PayPal phishing: "New address" function misused

A current phishing scam uses PayPal's change-of-address function to bypass server-side spam filters.


(Image: created with AI in Bing Designer by heise online / dmk)


A current phishing scam abuses PayPal's function for adding and changing addresses in order to slip past server-side filter mechanisms. To tempt victims into acting rashly, the emails mention an expensive purchase supposedly tied to the address change.

The online medium BleepingComputer reports on the scam. On Reddit, users describe emails from PayPal stating that they have added a new address to their account. The email is a short confirmation that the new address has been added to the PayPal account.

The rest of the email text claims that an expensive purchase, specifically a MacBook M4 Max, will be shipped to the new address. If recipients did not authorize this update, they are told to call a telephone number provided in the message. As BleepingComputer reports, however, the scammers are the ones behind that number. They try to convince callers that their PayPal account has been hacked and that they can regain access and reverse the alleged transaction by running a particular piece of software.

On the website named by the fraudsters, however, a ConnectWise ScreenConnect client is waiting, which gives the attackers remote access to the computer. BleepingComputer stopped its investigation at this point; typically, fraudsters with such access go on to steal money from bank accounts, install malware or copy sensitive data from the computer, the authors explain.


The sender address "service@paypal.com" in the scam emails is not spoofed: the messages really do originate from PayPal's mail infrastructure, so they pass checks such as DKIM and get through spam filters. The phishing emails refer to "gift addresses". The fraudsters set up their own PayPal account with such an address and placed the scam text in the address fields. By pasting the text of these emails into the "Address 2" field, BleepingComputer was able to reproduce emails that look exactly like the phishing emails.

The fraudsters used another lever to deliver the emails to a large number of recipients. The email headers showed that the messages had been automatically forwarded from an email address belonging to a Microsoft 365 tenant. That address presumably hosts a mailing list containing the email addresses of the phishing recipients. By registering the mailing-list address with PayPal, the fraudsters can send authentic-looking phishing emails that pass various protection mechanisms. As a countermeasure, BleepingComputer suggests, for example, limiting the length of the address form fields so that message text cannot be inserted there.
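The two signals described above (a notification that passes DKIM and SPF because PayPal really sent it, yet was forwarded from a mailing-list address and carries a phone number and urgent wording in an address field) and the suggested countermeasure (bounding the address form fields) can both be checked mechanically. The following is an added example, not code from heise, BleepingComputer or PayPal: it builds a constructed notification from a template, runs receiving-side triage on it, and shows the kind of server-side validation PayPal could apply to the address fields. The header layout, the template wording, the 60-character field limit and all addresses and domains are assumptions for illustration.

```python
import re
from email import message_from_bytes, policy

VICTIM = "victim@victim.example"
LIST_ADDR = "newaddr-list@tenant.example"   # assumed Microsoft 365 mailing-list address
# Constructed scam payload typed into the "Address 2" field (555-01xx is a fictional number).
SCAM_ADDRESS_2 = ("Your MacBook M4 Max order will ship to this address. If you did not "
                  "authorize this change, call +1 555 010 0199 now.")

PHONE_RE = re.compile(r"(?:\+?\d[\s().-]*){10,}")          # 10+ digits with separators
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
URGENCY_RE = re.compile(r"(?i)\b(?:call|contact|phone)\b.{0,80}?\b(?:now|immediately|right away|urgent)\b")


def build_notification(address_2, to_addr):
    """Constructed PayPal-style 'new address' mail (not a real capture).

    The sender system is genuine, so Authentication-Results shows dkim=pass and
    spf=pass; the only attacker-controlled content is the address field text.
    """
    return f"""\
Received: from list.tenant.example (list.tenant.example [203.0.113.10])
 by mx.victim.example for <{VICTIM}>; Thu, 6 Mar 2025 10:00:00 +0000
Authentication-Results: mx.victim.example;
 dkim=pass header.d=paypal.example; spf=pass smtp.mailfrom=paypal.example
Delivered-To: {VICTIM}
From: service@paypal.example
To: {to_addr}
Subject: You added a new address
Content-Type: text/plain; charset="utf-8"

You added a new address to your PayPal account. Here are the details:

Address 1: 1 Example Street
Address 2: {address_2}
City: Anytown

If this was you, no further action is needed.
""".encode()


def auth_results(msg):
    """Return e.g. {'dkim': 'pass', 'spf': 'pass'} parsed from Authentication-Results."""
    return dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))


def recipient_mismatch(msg, mailbox):
    """True when the mailbox the mail landed in is absent from To/Cc: a forwarding tell."""
    visible = " ".join(str(msg.get(h, "")) for h in ("To", "Cc")).lower()
    return mailbox.lower() not in visible


def payload_findings(text):
    """Content that a service-generated address notification has no reason to contain."""
    findings = []
    if PHONE_RE.search(text):
        findings.append("phone number in notification body")
    if URL_RE.search(text):
        findings.append("url in notification body")
    if URGENCY_RE.search(text):
        findings.append("urgent call-to-action wording")
    return findings


def triage(raw, mailbox):
    """Receiving-side triage: passing DKIM/SPF is necessary, not sufficient, for trust."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "authenticated": auth.get("dkim") == "pass" and auth.get("spf") == "pass",
        "forwarded_to_undisclosed_recipient": recipient_mismatch(msg, mailbox),
        "body_findings": payload_findings(body),
    }


def is_suspicious(report):
    """Authentic or not, a notification with injected text or a hidden recipient is suspect."""
    return bool(report["body_findings"]) or report["forwarded_to_undisclosed_recipient"]


def validate_address_field(value, max_len=60):
    """Server-side check for one address field (the limit is an assumed value)."""
    problems = []
    if len(value) > max_len:
        problems.append(f"longer than {max_len} characters")
    if "\n" in value or "\r" in value:
        problems.append("contains line breaks")
    if PHONE_RE.search(value):
        problems.append("contains a phone number")
    if URL_RE.search(value):
        problems.append("contains a URL")
    return problems


if __name__ == "__main__":
    print(triage(build_notification(SCAM_ADDRESS_2, LIST_ADDR), VICTIM))
    print(triage(build_notification("Apt 4B", VICTIM), VICTIM))
    print(validate_address_field(SCAM_ADDRESS_2))
```

The triage deliberately treats the authentication result as a precondition rather than a verdict: both the genuine notification and the abused one come back `authenticated`, and only the forwarded recipient and the phone number plus call-to-action wording separate them. The validator is the server-side counterpart of BleepingComputer's suggestion; an address line that is longer than a real address, or that contains a phone number or URL, is rejected before it can ever be rendered into an outgoing email.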

Phishing remains one of the biggest threats online. Separately, Google recently added new AI features to the Chrome web browser for safer web browsing.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.