PayPal Impersonator Uses Spoofed Email Hosted on Legitimate Domain to Attempt Credential Theft
In this credential phishing attack, the threat actor impersonates PayPal and sends the target an email claiming there is an issue with their account. To increase the appearance of legitimacy, the attacker creates an Outlook account with the username “service.epaiypal” and sets the sender display name as “Service@intl[.]paypal[.]com”. Many mobile email clients do not show the full email headers, which means if the target views the email on their mobile device, they will only see the misleading sender display name. Additionally, by using an email address hosted on a legitimate domain, the threat actor has a higher probability of their message not being flagged as suspicious.
The branding and layout of the email mimic official communications from PayPal, and the attacker attempts to create a sense of urgency by including “Response Required!” in the subject line and a large “Response Required” headline in the email body. The message informs the target that PayPal is following up on a previous email regarding suspicious activity and that, due to a lack of response from the target, their account has been limited. The attacker includes two links that the recipient can purportedly use to log in and access the PayPal Resolution Center to fix the issue. However, if the target clicks on either link and enters their login credentials, they will be stolen by the attacker.
Older, legacy email security tools struggle to properly flag this email as an attack because it leverages sophisticated spoofing techniques, contains no attachments, and uses social engineering. Modern, AI-powered email security solutions analyze the email address, links, and content to correctly mark this email as an attack.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Sophisticated Spoofing: The attacker uses a deceptive sender name that closely resembles a legitimate PayPal email address. Traditional security tools may not detect this subtle difference, allowing the email to bypass filters.
- Lack of Attachments: The email does not contain any attachments or obvious signs of malware, which are often what legacy security tools scan for.
- Social Engineering Tactics: The attacker uses fear and urgency by claiming there's an issue with the recipient's PayPal account. This psychological manipulation can trick users into taking action before they've fully assessed the situation, and is not something legacy tools can easily detect or prevent.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Email Address Analysis: Abnormal detects subtle anomalies in the sender's email address. In this case, it would recognize that the email address (service.epaiypal@outlook[.]com) is trying to mimic a legitimate PayPal address, which is a common phishing tactic.
- Link Analysis: Abnormal analyzes the links embedded in the email. It can identify if these links lead to known malicious websites or display other suspicious characteristics, such as mismatched URLs and anchor text.
- Content Analysis: Abnormal analyzes the content of the email for signs of phishing, such as urgent language, requests for personal information, or instructions not to reply to the email.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.