A recent PayPal phishing scheme uses email notifications from the legitimate PayPal service address to trick users into giving attackers control of their accounts, Fortinet CISO Carl Windsor reported in a blog post Wednesday.
Windsor wrote that he received a suspicious email last month that came from the legitimate PayPal service email address but had a different address than his own in the “to” field. The email was a payment request for more than $2,000 with a link that led back to the legitimate PayPal website.
Many users would likely click the link and log into PayPal in order to reject the suspicious payment request, Windsor noted, but doing so would hand the attacker control of the victim’s PayPal account. Windsor went on to explain how the attacker pulls this off without needing to write and send any phishing emails from their own address, or to link back to their own malicious website.
The strange email address in the “to” field, which sits on an onmicrosoft.com subdomain, is both an attacker-controlled email address and the name of an email distribution list set up by the attacker, which contains the email addresses of the targeted victims.
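The tell in this scheme is the mismatch between the visible “to” address and the mailbox that actually received the message. The following script is an added example, not code from the article or from Fortinet, showing how a mail filter or SOC triage step could surface that indicator. It assumes a watched-sender list of payment services (here only the paypal.com domain) and uses constructed sample messages; the tenant subdomain and local parts in them are placeholders, not real infrastructure.

```python
"""Flag notification mail whose To: header does not name the receiving
mailbox, the distribution-list pattern described above.
Added example; not from the original article or from Fortinet."""
import email
from email import policy
from email.utils import getaddresses

# Domains of services whose genuine notification mail this check covers
# (assumption for the example; extend for your own environment).
WATCHED_SENDER_DOMAINS = {"paypal.com"}
# Suffix of Microsoft 365 tenant default domains, as mentioned on the page.
TENANT_SUFFIX = ".onmicrosoft.com"

# Constructed sample: genuine-looking sender, but the visible recipient is a
# tenant list address the victim does not own. Local parts are placeholders.
SAMPLE_SUSPICIOUS = """\
From: PayPal <service-placeholder@paypal.com>
To: Billing Dept <billing-list@placeholder-tenant.onmicrosoft.com>
Subject: Money request
Message-ID: <sample-1@constructed.example>

Someone sent you a money request. Log in to review it.
"""

# Constructed sample: the same kind of notification addressed to the mailbox.
SAMPLE_LEGIT = """\
From: PayPal <service-placeholder@paypal.com>
To: victim@example.com
Subject: Money request
Message-ID: <sample-2@constructed.example>

Someone sent you a money request. Log in to review it.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str, mailbox: str) -> dict:
    """Return the indicators a triage script would want for one message.

    raw      -- the message as RFC 5322 text
    mailbox  -- the address of the mailbox that actually received it
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_addrs = [a for _, a in getaddresses([str(h) for h in msg.get_all("From", [])])]
    visible = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    to_addrs = [a for _, a in getaddresses(visible)]
    mailbox = mailbox.lower()

    sender_watched = any(_domain(a) in WATCHED_SENDER_DOMAINS for a in from_addrs)
    mailbox_named = any(a.lower() == mailbox for a in to_addrs)
    tenant_list = any(_domain(a).endswith(TENANT_SUFFIX) for a in to_addrs)

    return {
        "from": from_addrs,
        "to": to_addrs,
        "sender_watched": sender_watched,
        "mailbox_named": mailbox_named,
        "tenant_list_recipient": tenant_list,
        # Flag when a watched service mailed us but addressed someone else,
        # or addressed a Microsoft 365 tenant list we do not own.
        "flag": sender_watched and (not mailbox_named or tenant_list),
    }


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("legit", SAMPLE_LEGIT)):
        result = analyse(sample, "victim@example.com")
        print(label, "flag =", result["flag"], "to =", result["to"])
```

The check is deliberately narrow: it only fires for senders on the watched list, so ordinary mailing-list traffic is not flagged, and it treats an onmicrosoft.com recipient as a stronger signal than a plain address mismatch because that is the domain the reported campaign used. It is a header-level heuristic, not an authentication result; SPF and DKIM pass on this mail because it genuinely comes from PayPal.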