Threat actors have been leveraging the online payments system PayPal to send malicious invoices directly to users through the platform.
The campaign was recently discovered by security researchers at Avanan, a Check Point company, who said it was different from previous campaigns seen by the company.
“This is different from the plenty of attacks we’ve seen that spoof PayPal. This is a malicious invoice that comes directly from PayPal,” reads an advisory published earlier today.
The phishing email seen as part of the malicious campaign warned users that there had been fraud on the account and threatened a fine of $699.99 should the victim not take action.
However, Avanan marketing content manager Jeremy Fuchs wrote that the body of the email could alert some cautious users that the email was not authentic.
“First, the grammar and spelling is all over the place. Second, the phone number they list is not related to PayPal.”
At the same time, Fuchs said some users may still decide to call the phone number to get more information about the email.
“The general goal is to call the number or follow up for more details. If you call that number, now they have your cell phone number and can use it for more attacks. And it’s another chance to scam you on the phone.”
According to the Avanan team, the platform offers threat actors several advantages, including the ability to send many invoices at once and to make them look professional.
“Beyond that, the email comes directly from PayPal. The email itself is not malicious–there are countless legitimate invoices sent via PayPal every day. An email coming from service@paypal.com will pass all SPF, DKIM and DMARC checks.”
To guard against attacks like this, Avanan recommends security teams research phone numbers found in emails before calling them. They should also implement advanced methods to ascertain whether an email is clean and encourage a culture of transparency for users to ask for help from IT if necessary.
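The advisory's point is that authentication checks alone cannot catch this lure: the invoice really does come from the platform, so SPF, DKIM and DMARC all pass, and the suspicious content lives in the invoice note. The following triage routine is an added example written for this article, not Avanan's or PayPal's code. It parses a constructed invoice notification, records the authentication results, extracts phone numbers from the body, compares them against a hypothetical allowlist of numbers the organisation has verified as the vendor's own (placeholder values), and flags the message only when an unverified number is paired with urgency language.

```python
import email
import re
from email import policy

# Constructed sample: the notification passes authentication because it was genuinely
# sent through the platform, but the note field carries the lure described in the article.
SAMPLE_LURE_EMAIL = """\
From: service@paypal.com
To: victim@example.com
Subject: Invoice from Billing Dept
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

Fraud was detected on you account. You will be charge a fine of $699.99
if you do not take action. Call 1-800-555-0142 to cancel the charge.
"""

# Constructed sample of an ordinary invoice, for contrast.
SAMPLE_CLEAN_EMAIL = """\
From: service@paypal.com
To: customer@example.com
Subject: Invoice from Example Consulting
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/plain; charset=utf-8

Your invoice for March consulting services is attached.
Questions about billing? Call 1-800-555-0100 during business hours.
"""

# Hypothetical allowlist of phone numbers verified as belonging to the platform.
# Placeholder values; a real deployment would populate this from the vendor's own site.
KNOWN_PLATFORM_NUMBERS = {"18005550100"}

# North American phone number shapes; loose on separators, strict on digit groups.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

# Pressure language typical of the lure described in the advisory.
URGENCY_TERMS = ("fraud", "fine", "suspended", "take action", "cancel the charge")


def normalise_number(number: str) -> str:
    """Reduce a formatted phone number to digits with a leading country code of 1."""
    digits = re.sub(r"\D", "", number)
    return digits if digits.startswith("1") and len(digits) == 11 else "1" + digits


def authentication_results(msg) -> dict:
    """Read spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {mech: f"{mech}=pass" in header for mech in ("spf", "dkim", "dmarc")}


def triage_invoice(raw_email: str) -> dict:
    """Return authentication state, unverified phone numbers, urgency hits and a verdict."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    auth = authentication_results(msg)
    numbers = {normalise_number(n) for n in PHONE_RE.findall(body)}
    unknown_numbers = sorted(numbers - KNOWN_PLATFORM_NUMBERS)
    urgency_hits = [term for term in URGENCY_TERMS if term in body.lower()]
    # Authentication passing is expected here and is not evidence of safety; the verdict
    # rests on an unverified callback number combined with pressure language.
    suspicious = bool(unknown_numbers) and bool(urgency_hits)
    return {
        "sender": msg.get("From", ""),
        "auth": auth,
        "unknown_numbers": unknown_numbers,
        "urgency_hits": urgency_hits,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE_EMAIL), ("clean", SAMPLE_CLEAN_EMAIL)):
        print(label, triage_invoice(sample))
```

The allowlist is the part that needs care in practice: it should hold only numbers confirmed from the vendor's own published contact pages, never numbers copied out of received invoices, or the check degrades into trusting whatever the invoice says.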
The campaign spotted by Avanan comes weeks after PayPal notified thousands of US customers that their logins had been compromised over a month ago.