Email from PayPal? Don’t Get Attached!

Introduction

Phishing scams are fraudulent email messages that appear to come from legitimate enterprises such as your university, your Internet service provider, or your bank. These messages usually direct you to a spoofed website, have a malicious attachment, or otherwise get you to divulge private information. The perpetrators then use this information to commit identity theft.

Why is PayPal fraud so special?

According to “OpenPhish”, a zero-day phishing site feed, PayPal is one of the top 10 targeted brands https://openphish.com/phishing_activity.html. PayPal is very popular and contains sensitive user information, which makes it very attractive for phishing attacks and credential theft by hackers and scammers.

[OpenPhish.com Top 10 targeted brands, 22.8.2016]

Storyline

This PayPal site educates customers on how to recognize scams and deal with suspicious activity.

[Official PayPal’s suspicious activity tips site]

PayPal shares some helpful tips on how to spot a fake email:

[Some helpful tips on how to spot a fake email]

A real email from PayPal never includes attachments. If you receive an email allegedly from PayPal that includes an attachment, an attack is underway and the file is definitely malicious.

Recently, a Check Point customer received a significant number of “PayPal” emails that contained an attachment. Here is an example:

[Original email sent to a Check Point customer]

The attached file (SHA1 b74e320aaeee9de20d74251d6ad0fbf9c9c7f2df) is an html form which is opened locally.

[Html form b74e320aaeee9de20d74251d6ad0fbf9c9c7f2df]

This delivery method prevents the file from being blocked by browser plugins and IDS systems. Running Threat Emulation on this sample reveals quite easily that this is a phishing attempt to steal credentials.

Technical Analysis

The form contains JavaScript disguised as Html. The JavaScript verifies that the victim enters valid credit card details. If not, it redirects the user to the original PayPal site: PayPal.com.

If the victim swallows the bait, the JavaScript runs as soon as the victim presses the “Submit Form” button. It redirects the victim to PayPal.com while sending his credit card’s details to the actual phishing page hxxp://www.idchains.net/bdf8fbe8eaeebfb0dded018675de84a5.php

[The traffic is directed to the attacker’s site.]

The attacker uses the original PayPal icon and pictures taken from the PayPal Logo Center:

The html is actually a one line JavaScript code, obfuscated with the standard js obfuscators:

[Html’s JavaScript’s obfuscated code]

When we de-obfuscate this code, we get the following JavaScript code:

[JavaScript’s de-obfuscated code]

Source sender Geo distribution

Despite the obvious similarity between all samples, the attacker sent the emails from several different IP addresses and countries:

Indicators

These emails are indicators of compromise:

Conclusions

• Never open an attachment unless you are absolutely sure it’s legitimate.

• Always check the name of the sender and attachment.

• Before you enter your credentials, make sure this is an HTTPS site. Most phishing attempts use http protocol.

• Never enter or share your credentials unless you are certain the form and site are legitimate.

• Take extra care when you receive email that contains “buzz words” such as prize and urgent, or typos such as “flnd” instead of “find.”

• Remember this post’s moto: “PayPal Will Never Send You an Attachment”!

Check Point Protections

• Check Point IPS blade provides protection against this threat with these IPS protections:
  • PayPal Mail Phishing Containing Attachment
  • Phishing URL Attack Attempt