Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.
Tessian Threat Intel is issuing a threat advisory on cyber threat actors requesting payment from unsuspecting victims using fraudulent invoices issued via PayPal. We have alerted PayPal.
Tessian Threat Intel analysts have observed scammers, on numerous occasions, sending emails with fake invoice payment requests. Historically many of these sorts of attempts would be detected by traditional spam filters and end up in the junk folder or in quarantine. This is due to the email senders being repeat offenders with the same template and text – easily detected as spam or malicious by rule based email security solutions.
Since early March 2022, Tessian identified ways in which threat actors have been adapting their techniques to reach victim’s inboxes by abusing the legitimate capability of sending invoices to 3rd parties using PayPal’s email-delivered invoicing services.
To be clear, this is not a vulnerability within PayPal. Nor is it an example of an account takeover (ATO). Rather, threat actors are creating invoices in PayPal and then issuing them to victims through PayPal’s service.
Technically, an email from PayPal would pass some of the most fundamental checks in email security like SPF, DMARC and DKIM. This would ensure with a high degree of probability that similar emails would avoid detection by rule based email security solutions, as well as giving an air of legitimacy to the email.
An email sent from a financial services provider like PayPal, would increase the probability of the victim seeing and interacting with the email, including acquiescing to its demands for payment.
Examples of fraudulent PayPal invoices
The screenshot below is a legitimate email from PayPal containing a fraudulent invoice. In this example, the attacker has created a paypal account with the profile name “bit-coins payments,” which is displayed as the sender display name.
The threat actor has then created an invoice using the invoicing service available in PayPal (see Fig 2), and has then sent it with a message added by the attacker for the recipient. Grammatical style errors can also be observed, similar to what we have seen in common phishing emails.
The below screenshot shows the PayPal invoicing service.
In the example below, we can see the actual link addresses which would redirect the recipient to the PayPal generated invoice if clicked.
Technical breakdown of the message headers
As you can see below, both SPF and SKIM are a pass, and the sender IP ties back to PayPal directly. This sort of email has a high probability of passing rule based email security solutions and being delivered into a victim’s inbox.
Authentication-Results: spf=pass (sender IP is 126.96.36.199)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
188.8.131.52 as permitted sender) receiver=protection.outlook.com;
Threat Mitigation Steps
Once PayPal was informed, Tessian found that the invoice was taken offline and no longer accessible. Thank you PayPal for your quick engagement.
In order to not fall victim to similar types of email-delivered invoice fraud we recommend:
- Be careful of unsolicited emails, especially those containing requests for payment or including links to invoices.
- Always verifying the authenticity of an invoice with the actual purchase order.
- If necessary, contact PayPal or any vendor requesting payment via independent method i.e. telephone to verify the authenticity of the request.
- Have a failsafe system in place in your accounting department that requires two members of staff to verify the authenticity of invoices matched against purchase orders.
- Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated email-delivered invoice and wire fraud.