Proofpoint closes acquisition of Tessian. Read More ->

Request a demo
Platform
Complete Cloud Email Security
Get a Platform Overview
Featured Content
What’s New
What’s New
Tessian Platform Overview Brochure
Product Resources
Tessian Platform Overview Brochure
Microsoft + Tessian: Comprehensive Email Security
Solution Briefs
Microsoft + Tessian: Comprehensive Email Security
Solutions
Tessian solutions by use case and threat types
Customers
Tessian case studies by use case and industry
Read more
Featured Content
Advanced Email Protection for Florida’s Largest Law Firm
Customer Stories
Advanced Email Protection for Florida’s Largest Law Firm
Next-Gen DLP For One of Africa’s Largest FinServ Groups
Customer Stories
Next-Gen DLP For One of Africa’s Largest FinServ Groups
Resources
Tessian content by use case and industry
Resource Center
Featured Content
Forrester has named Tessian a Strong Performer in The Forrester Wave™: Enterprise Email Security, Q2 2023
Research & Reports
Forrester has named Tessian a Strong Performer in The Forrester Wave™: Enterprise Email Security, Q2 2023
Company
About Tessian's mission and career opportunities
Read more
Request a demo
Request a demo
Request a demo
Request a demo
Request a demo
Request a demo
Advanced Email Threats

Tessian Threat Intel Advisory: PayPal Email Invoice Fraud Detected

Charles Brook • Monday, June 20th 2022
Tessian Threat Intel Advisory: PayPal Email Invoice Fraud Detected

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

Summary

Tessian Threat Intel is issuing a threat advisory on cyber threat actors requesting payment from unsuspecting victims using fraudulent invoices issued via PayPal. We have alerted PayPal.

 

Overview

Tessian Threat Intel analysts have observed scammers, on numerous occasions, sending emails with fake invoice payment requests. Historically many of these sorts of attempts would be detected by traditional spam filters and end up in the junk folder or in quarantine. This is due to the email senders being repeat offenders with the same template and text – easily detected as spam or malicious by rule based email security solutions. 

 

Since early March 2022, Tessian identified ways in which threat actors have been adapting their techniques to reach victim’s inboxes by abusing the legitimate capability of sending invoices to 3rd parties using PayPal’s email-delivered invoicing services. 

 

To be clear, this is not a vulnerability within PayPal. Nor is it an example of an account takeover (ATO).  Rather, threat actors are creating invoices in PayPal and then issuing them to victims through PayPal’s service.  

 

Technically, an email  from PayPal would pass some of the most fundamental checks in email security like SPF, DMARC and DKIM. This would ensure with a high degree of probability that similar emails would avoid detection by rule based email security solutions, as well as giving an air of legitimacy to the email. 

 

An email sent from a financial services provider like PayPal, would increase the probability of  the victim seeing and interacting with the email, including acquiescing to its demands for payment. 

Cyber Criminals Leverage Temporary Block on PayPal Account in Phishing Attack
Advanced Email Threats, Threat Stories
Cyber Criminals Leverage Temporary Block on PayPal Account in Phishing Attack
Charles Brook • Friday, February 4th 2022
Read article

Examples of fraudulent PayPal invoices

 

The screenshot below is a legitimate email from PayPal containing a fraudulent invoice. In this example, the attacker has created a paypal account with the profile name “bit-coins payments,” which is displayed as the sender display name. 

 

The threat actor has then created an invoice using the invoicing service available in PayPal (see Fig 2), and has then sent it with a message added by the attacker for the recipient. Grammatical style errors can also be observed, similar to what we have seen in common   phishing emails.

Fig 1: Example of fraudulent PayPal invoice

The below screenshot shows the PayPal invoicing service.

Fig 2: PayPal invoice issuing feature

In the example below, we can see the actual link addresses which would redirect the recipient to the PayPal generated invoice if clicked.

Fig 3: Malicious email requesting Bitcoin payment with links to fraudulent PayPal invoice

Technical breakdown of the message headers

As you can see below, both SPF and SKIM are a pass, and the sender IP ties back to PayPal directly. This sort of email has a high probability of passing rule based email security solutions and being delivered into a victim’s inbox.

 

Authentication-Results: spf=pass (sender IP is 173.0.84.227)

 smtp.mailfrom=paypal.com; dkim=pass (signature was verified)

 header.d=paypal.com;dmarc=pass action=none

 header.from=paypal.com;compauth=pass reason=100

Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates

 173.0.84.227 as permitted sender) receiver=protection.outlook.com;

 client-ip=173.0.84.227; helo=mx2.slc.paypal.com;

Why Cybercrime is Thriving, And What You Can Do About It
Advanced Email Threats
Why Cybercrime is Thriving, And What You Can Do About It
Andrew Webb • Tuesday, April 19th 2022
Read article

Threat Mitigation Steps

 

Once PayPal was informed, Tessian found that the invoice was taken offline and no longer accessible. Thank you PayPal for your quick engagement.

 

In order to not fall victim to similar types of email-delivered invoice fraud we recommend:

 

  • Be careful of unsolicited emails, especially those containing requests for payment or including links to invoices.
  • Always verifying the authenticity of an invoice with the actual purchase order. 
  • If necessary, contact PayPal or any vendor requesting payment via independent method i.e. telephone to verify the authenticity of the request.
  • Have a failsafe system in place in your accounting department that requires two members of staff to verify the authenticity of invoices matched against purchase orders.
  • Adopt intelligent cloud email security solutions like Tessian that use behavioral intelligence to detect and prevent advanced email attacks, including increasingly sophisticated email-delivered invoice and wire fraud.
Tessian Threat Intel Roundup for May
Threat Stories
Tessian Threat Intel Roundup for May
Tessian • Monday, May 30th 2022
Read article

To see how the Tessian Intelligent Cloud Email Security platform  prevents ransomware attacks, and protects against DLP, watch a product overview video or book a demo.

For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn

Charles Brook Threat Intelligence Specialist

Related Posts