In November, we wrote about an attack that spoofed Amazon. The attack worked by using legitimate Amazon links, forcing the end-user to make a phone call instead to cancel any order.

Now, we've seen a similar email campaign, this time leveraging PayPal. Like the Amazon email, the only way to “cancel” the order is to call a phone number. 

Starting in April 2022, Avanan researchers have seen an uptick in attacks spoofing popular brands like PayPal, utilizing an order confirmation letter to induce end-users to call a support number, where banking information will try to be stolen, along with harvesting the phone number for future attacks. In this attack brief, Avanan will analyze how hackers are deploying this one-two punch of an attack. 

Attack

In this attack, hackers are sending what looks like a PayPal order confirmation. It tells the user that they bought over $500 worth of DogeCoin. To cancel the order, they can call a customer support number. 

  • Vector: Email

  • Type: Credential Harvesting

  • Techniques: Impersonation, Phone Number Harvesting

  • Target: Any end-user

 

Email

In this attack, threat actors are sending end-users what looks like a PayPal confirmation notice. The only recourse to cancel is to call a support number. 

 

Email Example #1

 

This fake PayPal notification aims to induce users to call a fictitious phone number to reverse the charge. 




Techniques

When we wrote about the Amazon attack, we noted that the idea was not only to get financial information, but also the end-users phone number. This scam uses what we call “phone number harvesting.” Instead of harvesting credentials for online logins, this attack easily obtains phone numbers through the caller ID feature. Once they obtain the phone number, they can carry out a series of attacks, whether it’s through text messages, phone calls or WhatsApp messages. Just one successful attack can lead to dozens of other ones. 

The number listed on the email is a Hawaii-based number that’s been linked to scams in the past. When calling, they will ask for your credit card number and CVV to “cancel” the charge.  It's worth noting that the scammers are not based out of places like Hawaii; they've simply registered a phone number to a US-based area code and are forwarding calls to an international relay.

This attack also works because there are no links at all in the email body. When there is a link, the email security solution can check it to see if it’s malicious or not. Without any links, it becomes much harder.

There are countless ways to do this, and we have written about many in the past. There’s the ZeroFont attack; the OneFont attack; highlighting text in white; the No Display attack; and much more. 

In this attack, the hackers are reversing the text. This has the security system seeing what looks like gibberish. With the Natural Language Processing unable to make sense of it, it seems instead like a normal email.

For the end-user, it looks like a typical email, with no issues, making it more liable to be clicked on.

With the combination of social engineering in the form of what looks like a fraudulent payment, and no malicious links or otherwise malicious text, this is a tricky attack that has proven hard to stop. 

Best Practices: Guidance and Recommendations

To guard against these attacks, security professionals can do the following:

  • Encourage end-users to look at the sender address of the email

  • Encourage end-users to check their PayPal account. They’ll notice the order in question is not in their account

  • Do not put major companies on Allow Lists, as those companies tend to be among the most impersonated. PayPal is an oft-impersonated brand. 

  • Encourage users not to call unfamiliar numbers

Subscribe to Our Attack Briefs for More Research