Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
This week, Tessian’s threat intelligence researchers detected a relatively sophisticated phishing attempt impersonating PayPal, the global payment services provider. The threat actor sent an email requesting action from the victim, prompting them to click on the login button, leading to a malicious website.
The email that was received
Social engineering-based cyber attacks like this, usually leveraging a form of phishing via email, have become a common phenomenon both at work and in our personal lives. Threat actors are able to perpetrate these attacks through a range of techniques, leveraging information gathered by random coincidence or through open source intelligence (OSINT) tactics.
In fact 70-90% of all successful breaches are attributed to social engineering, with 96% of all phishing attacks delivered via email. This is why advanced phishing attacks are seen as a growing cybersecurity challenge.
Phishing attempts are used for a range of cybercriminal objectives, for example delivering malware including ransomware onto unsuspecting victims’ computers. Often phishing campaigns are also waged for the harvesting of credentials to execute an account takeover (ATO) attack.
They’re difficult to spot, too. Phishing attempts can appear to be very legitimate, even to the trained eye.
The phishing attempt targeted PayPal customers, and used common phishing tactics, including leveraging corporate logos hosted via a third-party service provider, and creating a sense of urgency by stating that “Your PayPal Account Has Been Temporarily Restricted”.
But, when you actually click “Login to PayPal” as instructed, you’re directed to
hxxps://me2[.]do/xZD4rPKB
Which redirects to
hxxps://docs[.]05fmxoujyghzb[.]club/tmp/index/wildtt.php?97giuywdae
Despite the unusual URL, the landing page looks legitimate, and will prompt users to enter their login details. This information is then captured by cybercriminals in a scheme known as credential harvesting.
Just as every effort was taken to make the webpage look legitimate, every effort was also taken to mimic the authenticity of a legitimate PayPal customer email, including:
The email source points to linkpicture[.]com domain, a used free image hosting service. The primary reason for using a free service like this? It enables the threat actor to avoid any tie-backs to personal infrastructure, which enables a relatively high degree of anonymity and separation for carrying out the attack.
The threat actor also used quoted printable encoding inside key email fields and sections of the HTML body of the email – a common tactic for obfuscating spam filters. Web browsers automatically decode this encoded text to readable text displayed to the end user.
Sender
When adding the display name the attacker attempted to double encode part of it but this didn’t work which is why the first string does not fully decode.
Impersonating well-known and trusted brands like PayPal is a common modus operandi for phishing attacks. According to Tessian research and the analysis of 2 million malicious emails, Microsoft, Amazon, and Zoom all ranked among the top most impersonated brands. Likewise, the financial services sector tends to be heavily targeted in phishing attacks.
The threat actor also used what appears to be legitimate footer links from PayPal to enhance the appearance of authenticity of the phishing email – another common tactic observed in phishing attempts. The links included however are empty and have no URL included.
The HTML body contains the name of a UK based retailer “Sainsbury’s” indicating the reuse of this template for likely earlier phishing attempts, targeting a different retailer’s customers. The threat actor has, in this instance, forgotten to update the information. There might be utility in purchasing similar phishing templates off the dark web to identify phishing attack trends and indicators.
It also pays dividends for organizations to stay aware of how email security threats are evolving, with threat actors continuously adapting social engineering methods to bypass legacy, rule-based email security controls. Educating employees about threats and how to spot them is important, too.
Now that we’ve examined this particular example, we need to address what you should do if you suspect you’re being targeted by a phishing attack.
