PayPal Phishing Campaign Uses Genuine Links for Account Takeovers

A PayPal phishing campaign that uses genuine links to trick unsuspecting users into handing over their account credentials is causing havoc.

Unlike traditional phishing methods, this campaign exploits legitimate PayPal features, making the fraudulent emails appear authentic.

Security experts at Fortinet warn users about this sophisticated threat that combines clever tactics with genuine links to bypass security checks.

What You Need to Know About the PayPal Phishing Campaign

How the Campaign Works

This phishing campaign sends emails that appear to originate from legitimate PayPal addresses. These emails:

  • Contain valid URLs and pass email authentication checks such as SPF, DKIM, and DMARC.
  • Include transaction IDs and warnings typical of PayPal notifications.
  • Display a payment request, urging users to log in to their accounts via a genuine-looking link.

Upon clicking the link, victims land on an actual PayPal login page. However, logging in connects their account to the attacker’s email address, enabling account takeover.

The Technical Mechanism Behind the PayPal Phishing Campaign

The attackers use a Microsoft 365 domain to register a distribution list containing victims’ email addresses.

Here’s how it unfolds:

  • Attackers send a payment request via PayPal, addressed to the distribution list.
  • Microsoft 365’s Sender Rewriting Scheme (SRS) ensures the emails pass security checks.
  • Victims logging in inadvertently link their accounts to the attacker’s email, as seen in the ‘To’ field of the phishing email.
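
For defenders, the steps above leave header traces even though authentication passes. The following triage sketch is an added example, not code from Fortinet or PayPal: it flags brand mail whose To/Cc does not name the mailbox owner and whose Return-Path sits outside the brand's domain. The sample message, all addresses, the flag names and the SRS pattern match are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample (not taken from the Fortinet report); every address is a placeholder.
SAMPLE = """\
Return-Path: <bounces+SRS=q1w2e=AB@tenant.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=tenant.example;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: PayPal <service@paypal.com>
To: Billing Team <billing@tenant.example>
Subject: Payment request

Constructed body.
"""

def domain_of(address):
    return address.rpartition("@")[2].lower()

def triage(raw, mailbox_owner, brand="paypal.com"):
    """Return sorted flags for a brand notification that reached mailbox_owner."""
    msg = message_from_string(raw)
    if domain_of(parseaddr(msg.get("From", ""))[1]) != brand:
        return []  # only messages claiming the brand in From are in scope
    flags = set()
    # Authentication passing is expected in this campaign, so record it but never clear on it.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" in auth:
        flags.add("auth_pass")
    # The owner's own address is missing from To/Cc when a list fanned the mail out.
    listed = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if mailbox_owner.lower() not in {addr.lower() for _, addr in listed}:
        flags.add("recipient_mismatch")
    # Envelope sender outside the brand's domain, optionally with an SRS-style local part.
    local, _, rp_domain = parseaddr(msg.get("Return-Path", ""))[1].lower().rpartition("@")
    if rp_domain and rp_domain != brand and not rp_domain.endswith("." + brand):
        flags.add("srs_rewrite" if re.search(r"srs\d?=", local) else "foreign_return_path")
    return sorted(flags)

def needs_review(flags):
    """Hold for review when the brand mail was not addressed to the mailbox owner."""
    return "recipient_mismatch" in flags

if __name__ == "__main__":
    print(triage(SAMPLE, "victim@victim.example"))
```

The recipient mismatch also fires on legitimate Bcc and mailing-list traffic, so treat it as a review signal rather than a verdict.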

Why This PayPal Phishing Campaign Is Dangerous

Unlike most phishing scams, this campaign doesn’t rely on fake websites or spelling errors. Everything appears legitimate, including:

  • The sender’s address.
  • The URLs in the email.
  • The login page on PayPal’s website.

This level of authenticity makes it challenging even for experienced users to detect the scam.

A Similar Incident

This campaign mirrors past phishing scams that exploited trusted brands like Microsoft and Google. For instance, a 2017 phishing attack on Google Docs used authentic URLs to deceive users into granting app permissions.

These cases highlight the evolving sophistication of phishing schemes.

How to Protect Yourself

To safeguard against threats like the PayPal phishing campaign that is using genuine links, follow these tips:

  • Verify the Source: Double-check the sender’s email address and look out for unusual details.
  • Avoid Clicking Links: Type PayPal’s URL directly into your browser instead of clicking links in unsolicited emails.
  • Enable Two-Factor Authentication: This adds an extra layer of protection to your account.
  • Stay Informed: Regularly review security blogs and updates, such as Fortinet’s threat research.

About PayPal

PayPal is a global leader in online payments, offering secure and convenient transaction solutions for individuals and businesses. With over 435 million active accounts, it is a prime target for cybercriminals.

Rounding Up

The PayPal phishing campaign that uses genuine links to trick users into revealing sensitive credentials shouldn’t be underestimated.

This is a scam that highlights the need for vigilance and cybersecurity awareness. By recognizing red flags and staying informed, you can protect yourself from sophisticated threats like these.


FAQs

What makes this phishing campaign different?

  • It uses legitimate PayPal links and passes security checks, making it harder to detect.

How can I avoid falling victim to this scam?

  • Always verify unexpected emails and log in directly via the official PayPal website.

What should I do if I suspect my account is compromised?

  • Reset your PayPal password immediately and contact their support team for assistance.

Are there any additional resources to learn about phishing threats?

Does enabling two-factor authentication help?

  • Absolutely! It provides an additional layer of security against unauthorized access.
