X-Labs
November 1, 2022

Hackers Exploit PayPal Invoicing Bug to Launch Advanced Phishing Attacks

Aaron Mulgrew

Early on Sunday morning, I received the following email from PayPal:

[Image: PayPal invoice phishing email example]

With my initial scepticism high, I decided to investigate to see if someone had managed to spoof the domain of PayPal.com.

However, checking the DMARC and DKIM revealed that it was a genuine email from PayPal. With some further bewilderment as to why phishing emails are being sent from a genuine domain, I stumbled upon the PayPal invoicing API.

PayPal invoicing is a feature developed to ease the payment process for purchases made outside of PayPal. It allows businesses to send an email to their customer, invoicing them for the services or products that the business has provided. The problem is that scammers have worked out a way to generate a “genuine” invoice for a product that has not been purchased. This, in turn, tricks PayPal into acting on the scammers’ behalf, sending phishing emails to unsuspecting users.
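The DKIM/DMARC check described above, as an added example that is not part of the original article: it reads the verdicts from the Authentication-Results header stamped by your own mail server and ignores any copy supplied by the sender. The sample message and the authserv-id `mx.example.net` are constructed; a pass confirms only the sending domain, which is why an invoice generated on PayPal's own platform passes.

```python
import email
import re
from email import policy

# Constructed sample (not the email from the article). The first header is
# stamped by the receiving MTA (assumed authserv-id "mx.example.net"); the
# second stands for a header that arrived already inside the message.
RAW = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=paypal.com header.s=selector1;
 spf=pass smtp.mailfrom=paypal.com;
 dmarc=pass (p=REJECT) header.from=paypal.com
Authentication-Results: mx.untrusted.invalid; dmarc=fail header.from=paypal.com
From: service@paypal.com
Subject: Invoice (constructed sample)

Body text (constructed).
"""

def auth_results(raw, trusted_authserv_id):
    """Map method -> [(result, properties)] from the trusted MTA's headers only."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", str(value))  # drop RFC 8601 comments
        authserv, _, rest = value.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv_id:
            continue  # not written by our server, so not evidence of anything
        for clause in rest.split(";"):
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results.setdefault(method.lower(), []).append((result.lower(), props))
    return results

def verified_from_domain(raw, trusted_authserv_id):
    """Return the From domain only if the trusted MTA recorded dmarc=pass."""
    for result, props in auth_results(raw, trusted_authserv_id).get("dmarc", []):
        if result == "pass":
            return props.get("header.from", "").lower() or None
    return None

if __name__ == "__main__":
    domain = verified_from_domain(RAW, "mx.example.net")
    # A verified domain says who sent the mail, not whether the invoice is real.
    print("DMARC-verified From domain:", domain)
```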

We have approached PayPal to add more stringent checks on who and how companies can send invoices on the platform. As of yet, we have not heard any response.

Aaron Mulgrew

Aaron works with central government departments in the UK and abroad to secure their systems, as well as working alongside critical national infrastructure providers to make sure they aren’t an easy route to compromise. With a specialism in cryptocurrency...
