Does a new phishing scam allow PayPal accounts to be taken over?
In a blog article, a victim describes the criminals' approach. The attack could not be reproduced, but PayPal may have already reacted.
An alleged new phishing attack against PayPal users is causing a stir. Using a specially prepared email distribution list and a fake request for money, criminals are said to be able to hijack their victims' PayPal accounts. heise security was unable to confirm the attack, however.
Unknown persons sent Carl Windsor, the CISO of US firewall manufacturer Fortinet, a strange phishing email in December 2024. It was a payment request from a PayPal user, but it was sent to a completely different email address than that of the security professional. This made Windsor suspicious and he investigated.
Registered on mailing list
Apparently, the attackers had found out his email address and entered it on a mailing list. To do this, they used an account with Microsoft's cloud service M365 – whose reputation with email servers helped the phishers to get past spam and malware filters.
They then sent a payment request for almost 2,200 US dollars to the mailing list prepared in this way via a PayPal account that they controlled. The trick: if the recipient of such an email clicks on the link to pay the claim, the email address of the mailing list is added to their PayPal account. At least, this is the impression given by the PayPal login page, which states: "We will add angreifermail@angreifer.de to your PayPal account when you log in."
If the victim logs in to PayPal to reject the supposedly erroneous payment request, the trap snaps shut – according to the theory. In the next step, the phishers could have used the newly added email address to set a new password and thus hijack the PayPal account, Windsor suspects.
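The one reliable tell in the flow described above is the one Windsor noticed first: the payment request is addressed to the distribution list, not to the recipient's own mailbox. The following is an added example (not heise's or Fortinet's code) of a mail-side triage check that flags a payment-request mail whose visible To/Cc addresses contain none of the user's own; the sample message, the addresses and the keyword list are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Addresses the user actually owns (constructed for this example).
MY_ADDRESSES = {"victim@example.org"}

# Constructed sample: a PayPal-style payment request relayed through a
# distribution list, so the visible recipient is the list, not the victim.
SAMPLE_EMAIL = """\
From: service@paypal.example
To: billing-list@attacker.example
Subject: You have a payment request
Content-Type: text/plain

Someone requested $2,199.00 via PayPal.
Pay now: https://www.paypal.example/?add_email=attacker@attacker.example
"""

# Same request, but addressed directly to the owner of the mailbox.
DIRECT_EMAIL = SAMPLE_EMAIL.replace("billing-list@attacker.example",
                                    "victim@example.org")

# Crude keyword match for a money request (constructed, not PayPal's wording).
PAYMENT_WORDS = re.compile(r"payment request|requested \$|pay now", re.I)


def recipient_mismatch(msg, my_addresses):
    """True when none of the visible To/Cc addresses belongs to the user."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    mine = {a.lower() for a in my_addresses}
    return bool(visible) and not (visible & mine)


def analyse(raw, my_addresses=MY_ADDRESSES):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    if recipient_mismatch(msg, my_addresses):
        findings.append("visible recipient is not one of my addresses")
    if PAYMENT_WORDS.search(msg.get("Subject", "") + "\n" + body):
        findings.append("looks like a payment request")
    return findings


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
    print(analyse(DIRECT_EMAIL))
```

A message that produces both findings is the pattern in this report: a money request that never named the reader as its recipient.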
However, we were unable to replicate this attack in our own tests with several PayPal accounts. Although the message about adding an email address does appear in our tests using a desktop browser, the address is not actually added. Neither when the abusive payment request is rejected nor when the victim accepts it and actually makes a payment. To be on the safe side, we set up a new PayPal account – here, too, we were unable to successfully carry out the phishing attack.
It is unclear why the attack did not work in our tests. It is possible that PayPal has fixed the vulnerability since Windsor's test in early December. Neither PayPal nor the Fortinet CISO responded to an inquiry from heise Security on Thursday.
Caution when receiving payments
However, the situation is somewhat different for incoming payments – when the phishing attackers "mistakenly" transfer an amount to the victim. As soon as the victim receives a payment to an email address prepared in this way, they go through a different process: after logging in, a full-screen pop-up appears asking for confirmation of the additional email address for the PayPal account. With clever social engineering, it may still be possible for criminals to trick individual victims, but the conspicuous confirmation message represents a high hurdle.
The payment provider PayPal recently hit the headlines because its subsidiary Honey and its browser plugins came under suspicion of fraud and many cooperation partners withdrew publicly.
(cku)