Written by Clement Lee, Principal Consulting Security Architect, APAC, Check Point Software Technologies
PayPal is one of the most common payment methods for us as consumers, and also for businesses in e-commerce. It is known to be a safe method of payment, with data encryption. With more than 426 million active consumer and merchant accounts and an estimated 40,000 payment transactions per minute [1] globally, it is a site that companies often list as trusted and that end-users in Southeast Asia use regularly.
However, since June 2022, researchers from Check Point Software’s subsidiary, Avanan, have detected hackers using PayPal to send malicious invoices and request payments. The hackers simply send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton.
The hackers use classic social engineering tactics: they send an invoice notice and get the user to take action, and the user ends up calling the listed telephone number and paying the invoice. This attack is what hackers on the dark web call a double spear; not only do the hackers have your email, they now have your phone number as well, which can be used for future attacks. And, of course, they have your money.
In this video https://avanan.wistia.com/medias/btxmkg6nwn, you can see how hackers create accounts in PayPal, how they edit the business name, place fake telephone numbers and show the fake Norton invoice. Hackers can also send the invoice to multiple users at once.
Using legitimate and popular websites, and a combination of social engineering and legitimate domains, hackers are getting into inboxes to steal credentials and money from unsuspecting end-users.
This happened with QuickBooks recently and now with PayPal. Because these sites are trusted and used regularly by end-users, and QuickBooks and PayPal in particular are often used for business invoices, static Allow lists “allow” content from these sites directly into the inbox.
End-users are even more vulnerable now because what both security services and end-users previously considered a legitimate source is now a potential threat where phishing invoices are created.
So are there ways to prevent yourself from getting phished?
There is no foolproof way, but there are some simple ways to protect yourself, your team, and your business:
Before calling an unfamiliar service, search for the number online and check your accounts to verify if there are any charges
Implement advanced security that checks for more than one indicator to determine whether an email is clean or not
Encourage all staff to check with the IT department when they are in doubt about the legitimacy of an email.
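The static Allow list problem described above and the "more than one indicator" check from the list can be compared side by side. The following is an added example, not code from Check Point or Avanan; the allow list, brand list, regular expressions, threshold and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ALLOW_LIST = {"paypal.com"}                   # assumed static allow list
BRANDS = {"norton", "quickbooks", "paypal"}   # assumed brand watch list
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
PRESSURE_RE = re.compile(r"\b(invoice|renew(al|ed)?|charged?|cancel|refund)\b", re.I)

def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def static_allow_verdict(msg):
    """Weak check: trust the message on sender domain alone."""
    return "deliver" if sender_domain(msg) in ALLOW_LIST else "scan"

def indicators(msg):
    """Collect independent signals from the body, ignoring domain trust."""
    body, dom, found = msg.get_payload(), sender_domain(msg), []
    named = {b for b in BRANDS if re.search(rf"\b{b}\b", body, re.I)}
    foreign = sorted(b for b in named if b not in dom)
    if foreign:                    # body speaks for a brand the sender is not
        found.append("brand_mismatch:" + ",".join(foreign))
    if PHONE_RE.search(body):      # asks the reader to phone a number
        found.append("callback_number")
    if PRESSURE_RE.search(body):   # billing or cancellation pressure
        found.append("payment_pressure")
    return found

def multi_indicator_verdict(msg, threshold=2):
    """Quarantine on several signals, even for an allow-listed sender."""
    if len(indicators(msg)) >= threshold:
        return "quarantine"
    return static_allow_verdict(msg)

# Constructed sample messages (fictional 555-01xx number).
PHISH = message_from_string(
    "From: service@paypal.com\nSubject: Invoice from Norton Support\n\n"
    "Your Norton subscription was renewed for $499.99. "
    "To cancel, call +1 (555) 010-0199.\n")
CLEAN = message_from_string(
    "From: service@paypal.com\nSubject: Receipt\n\n"
    "You sent $20.00 to a friend. Thank you for using PayPal.\n")

if __name__ == "__main__":
    for name, m in (("phish", PHISH), ("clean", CLEAN)):
        print(name, static_allow_verdict(m), multi_indicator_verdict(m), indicators(m))
```

Both messages pass the static allow list because both come from PayPal's domain; only the combination of body indicators separates them.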