PayPal used to send malicious ‘Double Spear’ invoices


Security experts are warning users not to fall for a new threat campaign using PayPal to send phishing invoices.

Because PayPal domains are generally “allowed” by organizations’ email filters, cybercriminals register accounts and write malicious invoices on the platform itself, explained Avanan researcher Jeremy Fuchs.

In these invoices, they impersonate the Norton brand but add their own contact details to the payment request.

This is done in order to get a double payout from the attack. Puzzled users can call the number, only to be passed on to a malicious call center agent who will then attempt to gather their details, including the phone number, and persuade them to pay.

It’s what Avanan calls a “double throw” – forcing payment and stealing user information that can be used in future attacks.

Hackers have been observed abusing other legitimate platforms in the same way, and the tactic “couldn’t be easier” for them, Fuchs said.

“Hackers use a combination of social engineering and legitimate domains to extract money and credentials from end users. We’ve seen this with QuickBooks more recently, and now with PayPal. It can be done on any site trusted and regularly used by end users,” he said.

“PayPal and QuickBooks are particularly clever because they are often used for business invoices. The scam works because static allowlists allow content from these sites directly from the inbox. What makes this attack scary is that the phishing invoices are created and sent through PayPal, which makes it more legitimate for the security service and for the end user.”

Fuchs recommends that users always do an internet search before calling a number in an unsolicited email/bill, to see if it is legitimate. Users should also be encouraged to treat such emails with skepticism.

Advanced security tools are important because they will use multi-layered techniques to verify whether an email is legitimate or not, he said.
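The gap between a static allowlist and a layered check can be shown in a few lines. The following is an added example, not code from Avanan or PayPal: it contrasts a filter that trusts the sending domain alone with one that still inspects the invoice text for a brand that does not match the sender and for a callback number. The allowlist entry, brand list, regexes, verdict names and sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only.
ALLOWLISTED_DOMAINS = {"paypal.com"}   # static allowlist entry
WATCHED_BRANDS = {"norton"}            # brand names to look for in invoice text
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
CALL_RE = re.compile(r"\b(call|contact|dial)\b", re.I)

# Constructed sample message, not a captured email (555-01xx is a fictional number).
SAMPLE = """\
From: service@paypal.com
To: user@example.org
Subject: Invoice from Norton Billing

Norton Security renewal: $499.99 due.
If you did not authorize this charge, call +1 (888) 555-0142 to cancel.
"""

def sender_domain(msg):
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def body_text(msg):  # assumes unencoded text parts
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts if p.get_content_maintype() == "text")

def static_allowlist_verdict(msg):
    """Filter that trusts the sending domain alone."""
    return "deliver" if sender_domain(msg) in ALLOWLISTED_DOMAINS else "scan"

def layered_verdict(msg):
    """Keep inspecting content even when the sender is allowlisted."""
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    domain = sender_domain(msg)
    brands = sorted(b for b in WATCHED_BRANDS if b in text and b not in domain)
    callback = bool(PHONE_RE.search(text) and CALL_RE.search(text))
    reasons = ["brand-mismatch:" + b for b in brands] + (["callback-number"] if callback else [])
    verdict = "quarantine" if brands and callback else "review" if reasons else "deliver"
    return verdict, reasons

def analyze(raw):
    msg = message_from_string(raw)
    return static_allowlist_verdict(msg), layered_verdict(msg)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample invoice the allowlist-only filter delivers the message, while the layered check quarantines it for both reasons.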

