Great catch! I would be interested in how scammers keep coming up with these new methods?
How would they even validate their new attack vector? I would like to think that there’s scam A/B testing or something similar…
I suspect that the strategy I've described in my the post (forwarding a signed email with some modified headers) isn't actually new, and that it's just the first time I've looked closely enough to become interested in how it works.
The whole "put a misleading string in the PayPal name field" thing may be new.
> How would they even validate their new attack vector? I would like to think that there’s scam A/B testing or something similar…
I'm curious about that as well. My guess is that there's nothing as sophisticated as A/B tests with measured results going on, but I'd love to learn more.
This kind of techniques is also used to send underground gambling, crypto, sex and so on scams on Apple's platform targeting Chinese speaking community in the past few years.
They will typically change their name to scam text just like the one here and share an album in iCloud Photos to the victim. This will trigger a legit notification email from Apple to you and a push notification on your Apple devices. Both has low chance of being filtered by anyone.
Moral aspect apart, it is a very clever way of exploiting a system.
