I'm frequently impressed with spammer ingenuity. We had a similar thing happen at a previous job. Users could sign up for a free trial for our software using a web form. The form had fields like "email address" and "name" so we could follow up with the user. Scammers would fill in a victim's email address and some scummy website in the "name" field, resulting in our servers sending the victim an email starting with something like, "Hello, Click Here For Free Money FreeMoney.com," followed by the rest of our marketing copy. Never would've thought to use the form that way...
It doesn't help that dark patterns used by well-known websites normalize the problems. The other day I got a credit card charge notification of $154 from my bank about a charge from Amazon. I didn't buy anything from Amazon recently. I also didn't get any email from Amazon about a bill or a purchase. Logged on to Amazon, looked through the order history, looked through AWS billing, and didn't see any recent charges. I thought my card was stolen and got a fraudulent charge.
By chance I looked into the Prime membership page. An obscure page listed the recent Prime charges. Yep, it's the Prime membership charge. The amount looked odd because tax was added to it, where the old charges were like $119 or $139. Amazon employs a dark pattern of not sending to the users any notification on the Prime renewal, no billing statement, no invoice, no email, just a silent charge on the credit card.
I promptly canceled my Prime membership, not for the money but for not rewarding dark pattern behaviors.
That Prime silent charge problem is also problematic after credit card changes and other adjustments.
Saw the other day a charge get refused on a credit card I cancelled. 3DSecure is mandatory on it, so I kinda panicked thinking I got phished somewhere, but no, it was just Amazon reusing their authorization to charge a year later. I would have actually updated my info if I had a heads up, but now that my membership has been canceled following the charge refusal, it's kind of an occasion to let it go.
>I promptly canceled my Prime membership, not for the money but for not rewarding dark pattern behaviors.
Lucky you who was able to get through the dark patterns in the unsubscribe page. I got one extra charge because the first time I tried, I fell for one of their dark patterns and believed it was canceled while it wasn't.
Oh yeah. The unsubscribe page is a minefield of dark patterns, with innocent links leading to continuing the membership. I was pissed enough by then to pay extra attention to get rid of it.
Due to recent regulations regarding subscription payments in India, Amazon cannot charge our payment instrument on file directly for subscriptions; it has to go through an intermediary (payment gateway) and the bank with explicit permission during the initial subscription.
Before each subscription payment thereafter, the bank reminds us with an SMS about the payment and we can cancel it through that. For amounts > INR 5000 (~$60) each subscription payment has to be approved by the consumer.
Amazon still does employ dark patterns, like having 'Prime membership cancellation' behind several pages and the final confirmation located in a non-prominent location; but Indians can cancel Prime membership without even visiting Amazon's website.
I won't ever subscribe to Prime again because of their awful UX in trying to cancel.
I gave up and blocked it through my bank and the customer service rep said she had to do the same thing. She also said Amazon will blacklist my credit card ... ummm, I don't care. I don't and will never subscribe again. Just use a friend or family's account and pick it up from them.
Amazon is stupid for pulling these anti-consumer tricks ... all about bottom line now vs. the future. Stupid!!
I cancelled my Prime for exactly the same reasons.
I don’t think Amazon would be viable today if they dropped their dark patterns and held vendors accountable.
I am at a point where I’d rather go shop at a physical Walmart or Target than buy something from Amazon.com. Driving to a physical store causes me less frustration in 2022.
In the UK (and plenty of other countries, I'm sure) I get a notification for every payment from my banking app and/or Google Wallet (usually both, since I use GPay a lot).
I've had similar experiences where I got charged by amazon for Prime & wasn't sure what it was. They certainly make it hard to find your payment history for Prime renewal.
I run a SaaS where users can create projects and invite other users into their projects. When a user gets invited, the SaaS sends them an email notification "You've been invited to project such-and-such".
So a spammer created a project, they put their spam message in the project's name, and started to go through their victim list, inviting each into their project. I suppose that's one way to send an email :-)
It's because Mike Hearn retired from the Google anti-abuse team - their bot protections went downhill from there, and now bulk Google accounts sell for a few cents each.
It's easy to make money when you can send out thousands of spam emails, each with hundreds of recipients, for under a cent.
And where do those bulk Google accounts come from? Compromised accounts due to weak/leaked passwords, without 2FA.
What does Google do about them? Making it harder to log in to dormant accounts from new devices and locations. What's the result? Periodic HN complaints on someone unable to access their decade-old dormant account, or an active account with a truly forgotten password, etc.
Anti-abuse is hard. Damned if you do something, damned if you don't.
They could do far more things to solve this issue...
For dormant account reactivation, they can ask the user for lots of details that are in the account. For example, "please type in email addresses of as many people as possible that you have sent emails to from this account". Which cities have you previously logged into this account from?
All info would be optional, but the more the user provides the quicker they're going to get in.
When the user has provided enough information to be fairly sure that it's a real user attempting to login, then start a 7 day countdown. During the 7 days, contact the users top contacted email addresses and ask them to reply confirming the user is trying to reactivate the account.
Hire attackers to try and break into old accounts, and use their input to find the likelihood of each type of information being correctly given by the real account owner and an attacker.
> For dormant account reactivation, they can ask the user for lots of details that are in the account. For example, "please type in email addresses of as many people as possible that you have sent emails to from this account".
Oh, no. I'd rather they just up and deleted the account, instead.
Google is already painful enough to get into old accounts that you haven't used for a while.
For a dormant account, what are the chances that you're going to remember the email address that someone used years ago? People have address books for that, and the address book is locked on the other side of that password prompt.
> During the 7 days, contact the users top contacted email addresses and ask them to reply confirming the user is trying to reactivate the account.
Yeah, nah. That's awful for several reasons.
It's another phishing-like prompt - "Hey joe bloggs is trying to log into their email. Do you think it's really them? Click here to let them into their account".
If you invert it, then you're at risk of someone with a grudge against you clicking the "No, it's an attacker" link. Even a friend clicking it because they think it's funny.
There's no way I'd want most of the people I email to have any involvement in accessing my account, without me being able to nominate specifically whom the system emailed.
God no. I don't think you've thought of the edge cases at all. I have a 2nd email address I use for emergencies and almost never log in, but when I need it, I'm going to need it straight away, not in a week.
Also, gmail should never ever be emailing your contacts! It has no idea what your relationship with them is or what information about your actions you want to keep secret from them.
Back in the day, when online banking used printed TAN-lists as a second factor, phishing sites would ask "Please type in your next 10 TANs". That is what your "please type in as many"-idea reminds me of. :-)
Have you ever tried to recover an old google account? They ask much harder questions than the silly examples you gave. It’s already extremely difficult for legitimate users.
> Making it harder to log in to dormant accounts from new devices and locations.
There is no justification in making it difficult to log in to accounts that have never sent spam, that's the user-hostile part of gmail. They have it in their logs which accounts are sending spam.
When an attacker gets into a dormant account and sends spam, it's because they have already mined all the data in that account... Ie. they've already taken over every account that used that account for password resets, they've already stolen any credit card numbers they could find in the drafts folder or pictures of driving licenses and passports that were uploaded to Google Photos...
Sending spam is the last step... The steps beforehand are much more damaging to the user involved. And, sure, you could blame them for reusing their login password, but not being well versed on computer security isn't widespread, nor a reason to punish them.
And Facebook, for some reason. Which is weird as I've never signed up for any Facebook owned service. Never looked into how they do it, but they keep coming.
I had a form like that. You put in your email and it sends an email from us@foo.com, to us@foo.com, and to them@whatever.com. We had internal mailing lists for clients, including something like all-clients@foo.com, but they were locked down so only certain people could send to them. Turns out us@foo.com was one of those people, and so someone would spam all of our clients by putting their return address as all-clients@us.com. We just took the form down and posted our email address.
The only real solution is not allowing contact form emails to be customized with free text input.
I guess you could have a manual approval loop for "weird" names (more than 30 characters, has a dot in it, etc.) or other signs of spam. It would still leave some space for spamming though (I can't imagine a rule that stops "Buy More ETH" but doesn't stop any unusual real name).
I don't know; I haven't really probed random contact forms to see if they block this kind of thing.
There's a lot more to do to block this kind of proxy spam entirely, for sure; I was just talking about the particular problem of using the contact form to send to a mailing list.
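The pattern several posts in this thread describe (the trial form, the project-invite mail, the contact form that reached an internal list) is free-text form input flowing into an outgoing email. The following is an added example, not code from any commenter: the recipient is fixed server-side, the submitted name is only ever used as a plain-text greeting, and names matching the "weird name" heuristics (over 30 characters, contains a dot, URL-like, digits, spam vocabulary) are held for manual review rather than mailed. All addresses, thresholds and keyword lists are constructed assumptions.

```python
"""Keep free-text form input out of anything that can turn a transactional
mail into a spam relay.  Added example; all names and limits are constructed."""
import re
from email.headerregistry import Address
from email.message import EmailMessage
from typing import Optional

# Constructed: the only address a form submission may ever notify.
SUPPORT_INBOX = "us@foo.example"

MAX_NAME_LEN = 30
# Heuristics from the thread.  Non-Latin-script names still pass because
# \w is Unicode-aware; names with a dot, digit, URL or spam word go to review.
SUSPICIOUS = [
    re.compile(r"\."),                       # "FreeMoney.com"
    re.compile(r"https?://|www\.", re.I),
    re.compile(r"\d"),
    re.compile(r"[^\w\s'\-]"),               # symbols such as $, @, /, <
    re.compile(r"\b(free|click|buy|money|crypto|eth)\b", re.I),
]


def classify_name(name: str) -> str:
    """Return 'ok', 'review' or 'reject' for a submitted display name."""
    name = name.strip()
    if not name or "\n" in name or "\r" in name:
        return "reject"            # empty, or a header-injection attempt
    if len(name) > MAX_NAME_LEN:
        return "review"
    if any(p.search(name) for p in SUSPICIOUS):
        return "review"
    return "ok"


def build_notification(user_email: str, name: str) -> Optional[EmailMessage]:
    """Build the follow-up mail, or return None when it must be held for review.

    Recipients are never taken from the form.  The name appears only inside
    the body text, never as a display name in To:/From:/Reply-To:.
    """
    if classify_name(name) != "ok":
        return None
    msg = EmailMessage()
    msg["From"] = Address("Trial desk", addr_spec=SUPPORT_INBOX)
    msg["To"] = Address(addr_spec=user_email)   # raises ValueError on bad syntax
    msg["Reply-To"] = SUPPORT_INBOX
    msg["Subject"] = "Your free trial"
    msg.set_content(f"Hello {name},\n\nThanks for signing up for the trial.\n")
    return msg


if __name__ == "__main__":
    for candidate in ("Jane Doe", "Click Here For Free Money FreeMoney.com"):
        print(candidate, "->", classify_name(candidate))
```

Submissions classified as `review` would go to a human queue; as the post notes, any such rule will also catch some unusual real names, so the queue is a trade-off rather than a filter.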
I'm sure enough organizations have a mailing list called "customers@company" or "clients@company" to make it worth a shot. Colleges probably have "students@school" or "faculty@school" list.
Might be enough names you can profitably do it by hand.
How did they know the internal mailing list address was all-clients@us.com? Unless I'm missing something, sounds like this would require internal company knowledge.
Add me to the chorus of people that are impressed/scared by spammers.
In a previous life, I worked at a semi-well-known auto publisher site where scammers literally stood up a copy of almost _the entire site_ (ads, functionality, and all) in order to execute an auto escrow scam. We know of at least one instance where a user in the UK was scammed out of ~$10,000-ish using this method.
Democratization of technology at its best (worst?) I guess...
Never trust user input. If a user input value will be used on a page or email or other output, it will be abused once this is discovered. You must sanity check.
Edit: this was already pointed out downthread. Missed it before I posted.
The fact that in 2022 user input sanitization is still such a low-hanging fruit for attackers shows that you cannot preach this loud enough or often enough.
As someone with the unfortunate privilege of having an early GMail address with ${FIRST_NAME}.${LAST_NAME}@gmail.com, the fact that your description of the first email you would send your ostensible customers does not sound like a straightforward confirmation email is already a red flag.
I don't think it's unreasonable for even a confirmation email to address the user by their chosen name, but yeah, I guess you're right. This is why we can't have nice things :(
Heh, I did a version of this as the attacker in early Second Life.
In SL, you can create objects and have them speak (via the onscreen text chat window). You were allowed to give them any name, so I would name them after another player, letting me "throw my voice" and impersonate them.
The devs apparently realized this problem early on, and their fix was: objects speak with green text, human players speak with white text. But this isn't disclosed anywhere, and there weren't many speaking objects at the time.
So my workaround was to name an object after another player, wait for them to go afk, and then have the object say, "Hey guys, guys, check this out! I can make my text green! Woo hoo!" And then say all the malicious stuff I wanted them to say.
Yeah. That was also roughly the conclusion of my masters thesis: https://scholarsarchive.byu.edu/etd/7403/ ("After HTTPS: Indicating Risk Instead of Security") -- we examined the flaws of current browser warnings and security messages and one of the big ones is that attackers can use those UIs against you. (Hence our proposed solutions all involved UI above the LoD.)
I once wrote an email to Steve Jobs, saying that operating systems like MacOS and iOS should have a secret phrase or icon that they show to you whenever they show a system-level security dialog. (And of course implement the same restrictions on screenshots of that dialog as they do for movies.)
Because otherwise, an app can totally fake the interface of a security dialog. The only way you know, these days, is that password managers and cookie jars work with the "approved" sites, but they can simply show you a site that doesn't require those, and then fool you into entering your passwords!
Steve never replied to me. And Apple never implemented it.
Windows used to have a "secure attention sequence", CTRL-ALT-DEL, which you had to push when you really wanted to talk to the security functions of the operating system. That stopped being mandatory in Windows 10, due to "customer confusion", although some enterprise configurations turn it back on.
The concept comes from some DoD security projects from around 1980. Microsoft picked it up when Windows NT was being developed. Some DoD systems have also used a brightly colored screen border to indicate the degree of classification of the content. But that's too intrusive for consumer use.
There are so many layers now that it's hard to provide a secure path that can't be compromised.
SAK is controlled by group policy since Windows 2000 and is disabled by default on client SKUs that are not domain members.
On the other hand all current iOS devices have some hardware level SAK-like gesture that directly confirms the user intent to the secure enclave. The overall UX design is such that it is not especially noticeable unless you know that there is such a thing.
It was Bank of America actually, if we're talking about the same thing. Essentially you chose an avatar photo from a pool of several and then when you typed your username it would display that photo alongside your name to prove to you that you were logging into the real BofA site. I can't remember the exact name they used for this feature and Google is failing me.
EDIT: BofA called it SiteKeys. And it looks like they were "useless" according to this article [0]. Someone even wrote a paper on it [1]. Seems several banks actually implemented this concept and then phased it out.
> And it looks like they were "useless" according to this article [0]. Someone even wrote a paper on it [1]. Seems several banks actually implemented this concept and then phased it out.
Okta still does that same trick on their login screens. Since I have several Okta logins, there's no way I would be able to remember which of the 9(?) icons matched with which domain, so I hear you about them being useless. I would be able to spot one of the "wrong" ones, as there are a class of those icons that I would never choose so ... security? :-/
Worse than useless, even if you do check the image they can be MITMed and in no way indicate that you are actually on the site you think you are on (they only help against the lowest effort static phishing sites). US banks decided that they would rather address the perception of insecurity rather than improving security. It isn't their money if someone gets scammed.
These days I think the best way to be sure you are on the correct site is to have the browser store at least the username/email used for a login and never login if the browser won't fill in that info (often saving the password is a good idea too depending on your situation). I've thought it would be helpful if browsers had a "site bookmark" feature that would show you are on a site you had previously labeled while visiting any page on the site, however I'm not aware of any browser actually doing that.
At the OS level a phrase could potentially work since there isn't the same MITM risk, although graphics drivers are complex and there could easily be a bunch of ways the phrase could leak. I wish there was a second small and simple display with at least a couple of buttons for security purposes. Maybe rough for phones but larger devices could do that. Or even two of them, one for communication with the OS and one for accessing credentials. The second could be removable for use with multiple devices. Of course, this comes with accessibility challenges that need to be considered.
This is especially troublesome when you upgrade your OS and all of a sudden a bunch of applications are asking for permissions, with a different UI than you're used to. Even as a seasoned MacOS user (back to System 3!), I can't be sure that the UI I'm seeing is legit.
The worst offender here is Atlassian. Every week, my common-name email address gets added to a new JIRA instance and is relentlessly spammed using the 'you've been made an admin of an organization' or 'you were mentioned on an issue' features. Each time, another phishing or crypto-pumping scam gets delivered by their high-reputation email servers.
I used to work in PayPal's anti-phishing group. In fact I was the first engineer on that group. We definitely understood DNS then. We even helped spearhead SPF and DKIM. And we strongly advocated that emails from the company never come from any domain other than PayPal.com
Unfortunately after eBay bought PayPal, they put MBAs in charge, and the marketing team won every argument about the "necessity" of alternate domains to track marketing initiatives.
They never really took into account the lost reputation of users getting constantly phished.
Thanks for that insight. Curious though, why did they not use a subdomain? Would communications. Or paypal-communications. As a subdomain be worse in their opinion?
Oh man, this has been my exact experience. You can pretty much chart the growth of a company by watching how much marketing is done with in-house teams and how much goes to external agencies.
And as soon as the external agencies are involved, they want as much control as possible. I don't blame them: setting up DNS entries for some stupid marketing site rarely rises to anyone's priorities. So they route around internal controls. Everyone is happier, and everything gets slightly worse.
I've yet to see someone be able to handle a delegated subdomain (where you set subdomain.example.com to have NS pointing at the contractor's setup). Too bad, as it's exactly what it was designed for.
We try to get our enterprise clients to delegate a subdomain to us; the answer is almost always no. "You'd be able to change the records! Oh sure, we can do a CNAME." Sigh.
I'm not really sure. Probably something about tools not respecting or ignoring them or "they don't look as nice" or some other silly reason.
Edit: To clarify, there were a lot of good reasons not to allow them to link to a subdomain, especially since they were running marketing software made by other companies, because there are a lot of nasty security issues around cookies with subdomains.
But there was no reason for them not to route their outbound email through a single domain, because they weren't supposed to run 3rd party mailers without deep audits.
You generally can't know if a mail is actually from Paypal or not, because they use a huge number of domains to send mails. Just assume everything that says it's from Paypal is fake, much easier.
CIBC sends sensitive emails from "cibc-clientaccountmanagement.com", with an SMTP mail from address of "test@emailservice-inbound-us-prod.adeptra.net" and broken SPF records.
Edit: Is there a website to name-and-shame big companies who screw up SPF/DKIM/DMARC?
I recently got one of these for $847 claiming I owed a payment for purchased Bitcoin. It was disconcerting for sure, because it appears to be a legitimate invoice that you owe a payment for (rather than an attempted fraud that PayPal is making possible). So your mind immediately goes to that your account got hacked in some form, and somebody used it to purchase Bitcoin.
To make matters worse, the invoice sits there in your PayPal account, and you're just a mistaken click or so away from authorizing the charge. Under my "activity" section, it sits right at the very top, forever, under the "Pending" headline (since early July). For whatever reason I can't get rid of it (PayPal killed the actual invoice after a week, they must have noticed the fraudulent activity from that account; but the invoice card summary remains in my activity under pending, perpetually).
Here is what the core of the emailed text looks like:
"You Purchased BITCOIN (0. 054631) for $ 847. 12. Reference Number-N34421979 If you have any concern regarding your order kindly contact us because we are getting lot of complaints regarding fraudulent orders. HELP-DESK (806)440-0799."
It arrives from service@paypal.com with the email subject saying the invoice is from PayPal (rather than being from xyz merchant or similar; which only adds to the concern that a fraud has already occurred within my PayPal account). The text in the email otherwise looks legitimate as I assume it did arrive from PayPal's service. It would be easy for a normal user to fall for the scam.
In their haphazard greed, PayPal slipped up and made their invoicing system too loose, too unconstrained in how it functions.
It’s odd that they put a space in between the decimal and dollar amount. Same as in the OP story. Perhaps run by the same operator. No US person would ever put a space there... it stands out for sure. Perhaps gives us a clue as to the origin of the person running this scam.
> The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums.
Also, phone numbers. My dad (in his 50s and pretty tech savvy) recently received one of these and then called PayPal. Their CS people started asking for remote access to his computer (so they could see how he'd been hacked), which thankfully set off alarm bells big time and he hung up.
He swore up and down that he'd looked up PayPal's number online, that he'd never call a number that arrived in an email, but when we looked at his phone history he'd definitely called the number the scammers had sent.
This was pretty sobering for me. He was 100% sure he wouldn't call a number that arrived in an email. He knew it was the wrong thing to do. But in the panic surrounding the alleged fraudulent charge, he'd forgotten and just called the first number he saw. I like to think I wouldn't do the same, but when it comes right down to it I can't be sure.
> He swore up and down that he'd looked up PayPal's number online
He may have. Scammers seed the fake numbers on various web forums, Facebook business pages, etc.; I see folks try it on StackOverflow fairly regularly. Sometimes there are entire convincing fake websites that come up in Google.
I got one of these emails a few weeks ago. It looked real and passed Gmail's filters but when I logged into my account separately there were no invoices. I had never gotten an invoice from PayPal before so it smelled fishy. Reported it to phishing@.
In truth, you got the best possible experience and it's good that you reported it. Ultimately, what would happen internally is that we'd detect this malicious use and cancel the invoices so it's not possible for the scammer to continue to collect on them--but we couldn't "claw back" the emails that had already gone out. The email looked legit because it was an email from PayPal about a real invoice.
I don't know if they should be more proactive in their communication with folks in this situation and it's been over a year since I left; but, this is not a new issue at all and it's something we would contend with from time to time while I was there.
I got one too and reported it as well. I called the number in the email wondering, trying to figure out scam or legit account compromised. The person who answered initially started answering as some other company, debt collection I believe, then corrected to PayPal. To resolve it and report the claim he asked what operating system and browser I used and instructed me to download a Remote Desktop app, which I found fishy and tipped me off it’s definitely phishing. I didn’t say much while I searched the number/figured out if it was common and the guy on the phone got angry, yelling “hello??” several times. I hung up and they called back twice.
I wish I kept the number to call them back and piss them off. Scammers/phishers are soulless entities of this earth.
Yeah this is exactly what happened to me, although I didn't report to phishing. It both looked real and like a phishing attempt and after independently logging into my Paypal account and not seeing anything I concluded it was definitely phishing. Pretty terrible of the Paypal system to allow this to happen though.
Intuit Quickbooks is another service that gets used like this. My mom received some fraudulent invoice from an Intuit Quickbooks user, which was from the legit Intuit domain since it was sent by the service, which claimed that she owed "PayPal, Inc" $600 for something or other. I told her to delete the email and reported the activity to Intuit but never heard back.
I literally received one of these today. When I clicked the spam button in Gmail it asked not just if I wanted to "mark as spam" but also "mark as spam and unsubscribe." I clicked the latter, and it took me to a seemingly real intuit.com url. It was pretty weird and I wasn't sure how the spammers pulled it off. Seeing this article is real serendipity.
Hackers are going through hacked password lists and automating a test of each entry, causing tons of gmail/outlook/amazon/paypal/ebay/etc. emails.
One way to protect yourself is to use a different email address, and only for services.
Many email sites allow custom addresses, so you can create specific email addresses for each service.
And if your cellphone number is also leaked, get a sms service with a different phone number.
I get it from outlook.com multiple times a day for a password reset. Assuming a six-digit code, if they do this 1M times a day across multiple accounts to get around per-account throttling, they'll get one success. If they aren't using a secure random number generator, they can increase the probability if they can predict the random number seed.
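The two weaknesses named above, a predictable generator and throttling that only counts per account, are both cheap to avoid. The following is an added example, not code from any commenter or from any of the providers mentioned: codes come from the OS CSPRNG via `secrets`, each code allows a fixed number of guesses before it is burned, codes expire and are single-use, and a global verification budget caps how many guesses the whole service accepts per window regardless of how many accounts are being probed. Account names, limits and window sizes are constructed assumptions.

```python
"""One-time codes with a CSPRNG, per-code guess limits and a global budget.
Added example; all limits are constructed, not any real provider's settings."""
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional

CODE_DIGITS = 6
MAX_ATTEMPTS_PER_CODE = 5        # a code is burned after this many wrong guesses
CODE_TTL_SECONDS = 600           # matches the "expires in 10 minutes" wording above
GLOBAL_WINDOW_SECONDS = 60
GLOBAL_MAX_VERIFIES = 1000       # verifications accepted per window, all accounts


def generate_code() -> str:
    # secrets.randbelow draws from the OS CSPRNG; random.Random(seed) would be
    # reproducible by anyone who learns or guesses the seed.
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def per_account_success_probability() -> float:
    """Chance an attacker's allowed guesses hit one code of CODE_DIGITS digits."""
    return MAX_ATTEMPTS_PER_CODE / 10 ** CODE_DIGITS


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpService:
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    recent: Deque[float] = field(default_factory=deque)   # verify timestamps

    def issue(self, account: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = generate_code()
        self.pending[account] = PendingCode(code, now)   # replaces any older code
        return code

    def _global_budget_ok(self, now: float) -> bool:
        while self.recent and now - self.recent[0] > GLOBAL_WINDOW_SECONDS:
            self.recent.popleft()
        if len(self.recent) >= GLOBAL_MAX_VERIFIES:
            return False
        self.recent.append(now)
        return True

    def verify(self, account: str, guess: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'wrong', 'locked', 'expired', 'none' or 'throttled'."""
        now = time.time() if now is None else now
        if not self._global_budget_ok(now):
            return "throttled"               # service-wide cap, any account
        entry = self.pending.get(account)
        if entry is None:
            return "none"
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[account]
            return "expired"
        entry.attempts += 1
        if hmac.compare_digest(entry.code, str(guess)):
            del self.pending[account]        # single use
            return "ok"
        if entry.attempts >= MAX_ATTEMPTS_PER_CODE:
            del self.pending[account]        # burn it; the user must request a new one
            return "locked"
        return "wrong"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")
    print("issued", code, "->", svc.verify("alice", code))
```

With these settings an attacker gets at most five guesses per issued code, a 5 in 1,000,000 chance per account, and the global window means spraying a million accounts costs a thousand windows rather than one day's worth of parallel requests.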
Stupid idea: Generate ~8 words... and shove them into GPT-3 to create a ~100 word novel, and make that your security code. Suddenly your security code is about a bearded elf, riding a cucumber, wielding a unicorn to defeat ice cream. Try guessing that.
PayPal offers using SMS to login as a one-time code, without the use of a password. So it's not like a 2fa code where you need to know a secret before verifying you have access to a token (SMS code), it just skips to sending you the code if you have the email or phone number.
And they come from the right short-code as my legitimate requests.
Just noticed my legitimate requests are in the form of “PayPal: xxxxxx is your security code. It expires in 10 minutes. Don't share this code with anyone.”
But the last one I didn’t request didn’t have an expiration mentioned:
“PayPal: xxxxxx is your security code. Don't share your code.”
I have a series of these messages, all legit, that match yours. My most recent message, from about 2 weeks ago, also left out the expiration time but I was logging in at the time so it should be legit as well. No suspicious activity since then, so they may have just shortened up the message.
I received one of these a couple days ago and was curious, so I went to paypal’s password recovery to see what it would take to reset my password. I was shocked to see that providing my SSN (which I don’t really consider private) was one of the options. Quickly changed the email on my account and dug around in settings way too long looking to enable 2FA.
I got one a few months ago, an invoice from a contractor. I did bring it to PayPal’s attention, as I was fully aware of the dubious attempt. Haven’t heard back, invoice still sitting there awaiting settlement.
My company is getting dozens of mails with “overdue” invoices from some random corporations for services like elevator inspection, heating checks, etc. Of course, they also have some strange phone number to call (which has just an automated message). These people just hope we will pay and move on.
The scam is decades old. Big companies all have complex expense report systems and have for years because if the employees don't account for every penny someone will send an invoice without delivering. Sure they also catch some employee fraud, but that isn't the only reason to do it.
I discovered this exact phishing scam some weeks ago and did a full bug bounty plus phishing report on it to PayPal. They ignored the entire report because the report "relied on an attacker attempting to defraud" and considered it illegitimate and inactionable.
It took me a while to figure out what's going on, these were the steps that I took:
1. Examined the headers, which looked legit, because, well, it's really from Paypal.
2. Googled the phone number, and could not find any mention of it on Paypal (though I must say it did seem like a similar number to at least one of Paypal's numbers).
3. Checked Truecaller and found no record of this number (I later updated this number's description to alert other people to phishing attempts).
4. Logged in to my account, just to make sure (without clicking the link), and found no evidence of any funny activity.
5. Googled the phishing text and could not find relevant results, yet Paypal itself did have a page with very similar text (well thought out phishing attempt).
6. I stripped the link of all query strings, opened it in incognito, and voila, I saw that it's an invoice page that anyone can access and pay.
7. I tried to click the "Feedback" button on that page, which I expected to show me an option to report a phishing attempt, but instead it just did nothing, absolutely nothing, on both FF and Chrome (not even a console error that I can remember seeing).
Some conclusions:
1. Paypal are using _exactly_ the same email address for invoice notifications as other formal emails that I get from Paypal.
2. Paypal are not framing the invoice in any way to indicate that it originated from the invoice sender, thus allowing fraudsters to convey the same official tone as the rest of their email.
3. Phishing@paypal.com is how you report phishing attempts to Paypal, though I'm not sure what effect reports have.
Yeah, having used PayPal invoices for Reddit’s r/hardwareswap, all you need is an email address and you can bill someone for anything via PayPal. It even gives you their shipping address after they pay. Very convenient for the happy path, but definitely ripe for abuse.
I've used that for legitimate use too, and yes, it can be convenient. I think it can stay convenient without some of the issues that made this particular phishing mail so well made (i.e. tell the recipient that the message they're reading is part of an invoice text sent by the invoice sender + use a dedicated email address for invoices).
I'm curious - if the link in the email leads to paypal.com with what looks like an invoice, why doesn't the invoice appear on the target's email account?
Is it just that the invoice is a real invoice but isn't debited against the target's paypal account?
I think it being a real invoice would be the easiest answer. The scammers have obtained a legit business account at PayPal and are issuing baseless invoices. I don't know if they'd receive the money if you paid - maybe. But they want you to call them and install the backdoor.
In the version I looked at, the scammer sent it to their own email account and did a replay attack against the victim - which doesn't invalidate the cryptographic anti-spam signature.
I received one of these as a text msg. I ignored the message and then checked my PayPal and bank to see if there was a charge of $400. There wasn't but I deleted my PayPal account just to be safe. My reasoning at the time (March) was that sanctions on Russia would motivate a lot of Russian programmers to devote more effort into hacking Americans and I should reduce my attack surface.
There was a posting on HN around that time about a hacker accessing passwords stored in the browser. I didn't save it, but cleaned out my stored passwords just the same.
Basically the same here. I looked for a way to report the issue to PayPal. There was no way to do it, so I just deleted my account and gave as a reason that PayPal didn't take fraud seriously if they didn't have a way to report / get advised on suspicious emails.
Paypal doesn't care about fraudulent use of their payment system; they practically promote it by not offering any way whatsoever to report crimes committed on their platform.
> I received one of these as a text msg. I ignored the message and then checked my PayPal and bank to see if there was a charge of $400. There wasn't but I deleted my PayPal account just to be safe.
This. If your site is being used for phishing attacks, many users may just stop using your service, because it's not worth the trouble.
I used to have an automated list of popular phishing sites.[1] It's still running, but since it's driven by PhishTank, which isn't used much any more, it's not that interesting.
I've had a few similar ones recently, just "confirming" my purchase of some random product but using a design pretty much identical to the real PayPal one. Occasionally with a clearly bogus foo.bar@gmail or similar reply-to address, though at this point decent account security on PayPal (password manager for password, 2fa, etc) means I just assume that such emails are bogus until proven otherwise.
At the same time though I keep coming across companies that insist on using designs that trigger my "this is phishing" alarm bells because for whatever reason they insist on using links to the company that they contracted billing to instead of, you know, the company I did business with.
It seems especially prevalent among, of all groups that should know better, medical companies[1]. So say I had a visit with The Awesome Doctor Company, I'll get emails that for "privacy" reasons say "You have a balance due at wedopayments.com", or "billing-awesomedoctorco.com", etc., the latter being one of the most common things phishing emails do (I think I've actually got billing-paypal.com or similar at least once).
[edit: [1] Ah ha, found the actual site, so remember I got an email saying "you have a balance due", that included no other details, to peryourhealth.com. Which was for the company "East Bay Anesthesiology" (which I also didn't know of/about, but Sutter Health just silently outsourced that part of operation to them, didn't tell me, and then had them bill me directly and separately??!??!!? God I hate the US healthcare system)]
I received an invoice like this in my PayPal account; it showed up in an email notification and actually appeared as an unpaid invoice in PayPal.
I tried to dispute or flag it, but there's no such option in their interface — and there was no memo to go to a website or call a number. Very weird. I thought the scam was "let's hope someone doesn't look at the details and pays this invoice without thinking"
I get multiple PayPal requests for money from random throw away accounts with messages ranging from begging for money for something or just phishing invoices like this.
Worst part is that the only option via email is to "Pay". I have to log into PayPal then go through multiple clicks to reject the money request.
This has been brought up on HN a few times over the years, but never got much engagement. Here's one from a month ago with a screenshot https://news.ycombinator.com/item?id=32153924
This problem is similar to problems I've had as well. Scammers/Spammers exploit services and tools in such ways that it's difficult to prevent without manual review. Just like in Field of Dreams, if you build it, they will come. The best advice is Buyer (or reader) Beware.
> Also, the email headers in the phishing message (PDF) show that it passed all email validation checks as being sent by PayPal, and that it was sent through an Internet address assigned to PayPal.
More awareness of the various possibilities of this needs to occur.
I recall when this was happening to me in 2017 many people on forums like this wouldn't believe me, choosing to blame the victim instead of the person that made a choice in trying to create a victim. I'm all for some level of agency amongst people to not be a victim, but in the order of diagnosis of the problem this email header issue should be put more highly up on the list.
Just got one of these recently. I was legit worried someone had somehow managed to charge me without my consent. The invoice doesn’t help at all at clarifying the fact. PayPal really needs to clean up the design of that email.
This happened to one of my relatives recently. The tip-off was that he doesn't have a paypal account! ;-)
I called the toll free number just to see what would happen. My call quickly got picked up by an actual person, answering in a way that is not legitimate, plus the "call center" background noise you hear that's very suspicious.
Otherwise, it is indeed quite a legitimate looking scam
You can even create a PayPal account using @paypal.com as the email address and they don't even make you verify it. So someone can hypothetically pretend to be PayPal and send out invoices. I've seen this issue on a lot of websites actually. I actually reported this issue to PayPal and no one cared.
Glad I cancelled my account years ago. PayPal was such a massive security and privacy nightmare. The customer support even went to the greatest length possible to deter me from requesting my data erased and account closed.
I got one of these for textbooks. And it was temporarily alarming and the most convincing scam to come my way. Mainly because it comes from PayPal’s actual email. This needs to be fixed.
The emails are not spoofed. They are actually generated by PayPal to notify an account holder of an invoice. The vast majority of the emails that these systems generate are legitimate emails with legitimate invoices.
The vector here is:
1. Create a PayPal account.
2. Create an invoice through PayPal's invoice tool and send to nabakin@example.com.
3. PayPal sends an email to notify the recipient of the outstanding invoice.
When PayPal detects fraudulent invoices are generated, they cancel those invoices so consumers no longer see them and can no longer pay on them; however, it's too late to stop the emails.
DKIM signed emails from PayPal are treated favorably by spam filters.
The sample I reviewed had been sent to an account belonging to (or compromised by) the scammer, modified slightly, and BCC'd to the victim. Specifically, a Reply-To header was added - PayPal does not assert non-existence of a reply-to header in their DKIM signature, and the entire point of BCC is that it doesn't have a header.
Thus, these emails can be relayed to any target, and the scammer can choose any reply-to address they like, and the DKIM signature will still be valid.
If anyone has samples and can send me them with full headers, I would be very interested to examine more. I have a public email address in my HN profile.
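The header-coverage gap described in the comment above, as an added example that is not part of the thread and not PayPal's code: a DKIM signature only binds the header fields listed in its `h=` tag, and RFC 6376 lets a signer list a name more often than it occurs to assert that no further instance may be added (oversigning). The script below parses a constructed message (placeholder domains, selector, phone number and signature values; none are real) and reports, for each header of interest, whether it is covered, oversigned, present but unsigned, or absent and freely addable, and flags a Reply-To whose domain differs from From. It analyses coverage only; it does not verify the `b=` signature itself.

```python
"""Report which headers a DKIM-Signature actually covers (coverage only, no crypto)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample message: every domain, address, selector and tag value is a placeholder.
# Reply-To is present but absent from h=, so a relayed copy could carry any Reply-To
# without invalidating the signature.
SAMPLE_MESSAGE = """\
From: service@paypal-example.test
To: attacker-inbox@attacker.test
Reply-To: billing-desk@attacker.test
Subject: Invoice from Example Seller
Date: Mon, 01 Aug 2022 10:00:00 +0000
Message-ID: <constructed-id@paypal-example.test>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-example.test;
 s=sel1; h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER

You have an outstanding invoice. Call +1-555-0100 (constructed number).
"""


def parse_message(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message; policy.default unfolds header continuation lines."""
    return email.message_from_string(raw, policy=policy.default)


def dkim_tags(msg: EmailMessage) -> dict:
    """Return the tag=value pairs of the first DKIM-Signature header (empty if none)."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {}
    flat = " ".join(str(sig).split())  # squeeze folding whitespace
    tags = {}
    for part in flat.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def signed_header_counts(msg: EmailMessage) -> dict:
    """How many instances of each header name the h= list covers (names may repeat)."""
    counts = {}
    for name in dkim_tags(msg).get("h", "").split(":"):
        name = name.strip().lower()
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def header_exposure(msg: EmailMessage, names=("from", "to", "subject", "reply-to", "cc")) -> dict:
    """Classify each header name by comparing present instances to signed instances.

    covered     every present instance is signed and no extra one is asserted absent
    oversigned  h= lists the name more often than it occurs, so adding one breaks the signature
    unsigned    at least one present instance lies outside the signature
    addable     absent and not oversigned, so a relayer may add it without breaking the signature
    """
    signed = signed_header_counts(msg)
    exposure = {}
    for name in names:
        present = len(msg.get_all(name) or [])
        covered = signed.get(name, 0)
        if present > covered:
            exposure[name] = "unsigned"
        elif covered > present:
            exposure[name] = "oversigned"
        else:
            exposure[name] = "covered" if present else "addable"
    return exposure


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def reply_to_redirected(msg: EmailMessage) -> bool:
    """True when a Reply-To is present and points at a different domain than From."""
    reply_to = msg.get("Reply-To")
    if reply_to is None:
        return False
    return domain_of(str(reply_to)) != domain_of(str(msg.get("From", "")))


def triage(raw: str) -> dict:
    """Summarise the signals a mail gateway or analyst would look at for a relayed copy."""
    msg = parse_message(raw)
    exposure = header_exposure(msg)
    return {
        "dkim_domain": dkim_tags(msg).get("d", ""),
        "reply_to_unsigned": exposure["reply-to"] in ("unsigned", "addable"),
        "reply_to_redirected": reply_to_redirected(msg),
        "exposure": exposure,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

For the constructed sample, `triage` reports `reply_to_unsigned` and `reply_to_redirected` as true while From, To and Subject are covered. The mitigation on the signer's side is to oversign: listing `reply-to` in `h=` once more than it occurs makes any later addition invalidate the signature, which `header_exposure` reports as `oversigned`. A receiving filter can use the same classification to treat a valid DKIM signature with an unsigned, cross-domain Reply-To as a weaker trust signal than the DKIM pass alone suggests.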