In this attack, attackers impersonated PayPal to send what appears to be an invoice for a recent cryptocurrency purchase. The email was sent from a Gmail account and claims that a purchase was made for $863.50 (0.023 Bitcoin). It goes on to state that if the recipient did not authorize the purchase, they should call a "representative" at the phone number provided. The phone number, not a link or an attachment, is the lure.

[Screenshot: Fake PayPal Cryptocurrency Payment Receipt]

Why It Bypassed Traditional Security

Text-based attacks generally cannot be detected by a secure email gateway because they carry none of the indicators a gateway matches on: no links, no attachments, and no known-bad sending domain. The email was sent from a freely available Gmail account, so there is no poor domain reputation for traditional security providers to discover. The message also passes all authentication checks for SPF, DKIM, and DMARC, but those checks only confirm that it genuinely came from Gmail's infrastructure; they say nothing about whether the sender is PayPal.

Detecting the Attack

Detecting this attack requires content analysis rather than indicator matching: recognizing the impersonated brand in the sender name and body, the urgent tone ("if you did not authorize this purchase"), and the embedded phone number that serves as the call to action, all combined with the mismatch between the claimed sender (PayPal) and the free webmail account that actually sent the message. Comparing the email against lookalike content also shows how it relates to other phone-based text attacks, which have become increasingly popular in recent months because of their ability to bypass email gateways.
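The following is an added example, not detection code from the original page or from any vendor, of the content-analysis approach described above. It parses a raw message, notes that SPF/DKIM/DMARC results are a pass and therefore not useful on their own, and scores the combination of signals that characterizes this lure: a brand named in the sender or body while the sending domain is free webmail, a callback phone number with no links or attachments, a payment amount, cryptocurrency terms, and urgency language. Both sample messages are constructed for the example; the sender addresses, phone numbers, brand list, regexes, and the score threshold are assumptions.

```python
"""Heuristic scorer for callback (phone-based) phishing, as an added example."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the lure described above; not the actual email.
CALLBACK_SAMPLE = """\
From: "PayPal Service" <billing.notice.4471@gmail.com>
To: victim@example.com
Subject: Receipt for your cryptocurrency purchase
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.d=gmail.com;
 dmarc=pass header.from=gmail.com
Content-Type: text/plain; charset="utf-8"

Dear customer,

A payment of $863.50 USD (0.023 BTC) was sent from your account to a
cryptocurrency merchant. If you did not authorize this purchase, call our
representative now at +1 (888) 555-0142 to cancel it within 24 hours.
"""

# Constructed benign message: free webmail sender and a phone number, but no lure.
BENIGN_SAMPLE = """\
From: "Dana Lee" <dana.lee.home@gmail.com>
To: victim@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Still on for Friday? Text me at +1 (206) 555-0199 if the time changes.
"""

FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com", "icloud.com"}
BRANDS = ("paypal", "coinbase", "binance", "cash app")  # assumed list; tuple keeps order stable
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")  # NANP numbers
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")
CRYPTO_RE = re.compile(r"\b(?:bitcoin|btc|ethereum|eth|crypto(?:currency)?)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(?:did not authori[sz]e|unauthori[sz]ed|call(?: us)?(?: now)?|within \d+ hours)\b", re.I
)


def _auth_passes(msg):
    """True when the receiving MTA recorded spf/dkim/dmarc=pass (assumed header layout)."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def analyze(raw):
    """Score one raw RFC 5322 message and return the signals that fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    searchable = f"{display} {msg.get('Subject', '')} {body}".lower()

    brands = [b for b in BRANDS if b in searchable]
    phones = PHONE_RE.findall(body)
    has_attachment = any(True for _ in msg.iter_attachments())
    signals = {
        # brand named in display name/subject/body while the sending domain is free webmail
        "brand_on_free_webmail": bool(brands) and domain in FREE_WEBMAIL,
        # the callback number is the payload; there is nothing else to click
        "phone_number_in_body": bool(phones),
        "no_links_or_attachments": "http" not in body.lower() and not has_attachment,
        "payment_amount": bool(MONEY_RE.search(body)),
        "crypto_terms": bool(CRYPTO_RE.search(body)),
        "urgency_language": bool(URGENCY_RE.search(body)),
    }
    score = sum(signals.values())
    return {
        "sender_domain": domain,
        # a pass here only proves the message really came from that domain (e.g. gmail.com)
        "auth_pass": _auth_passes(msg),
        "brands": brands,
        "phones": phones,
        "signals": signals,
        "score": score,
        # require both structural signals plus at least two content signals (assumed threshold)
        "verdict": signals["brand_on_free_webmail"] and signals["phone_number_in_body"] and score >= 4,
    }


if __name__ == "__main__":
    for name, raw in (("callback", CALLBACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = analyze(raw)
        print(f"{name}: verdict={r['verdict']} score={r['score']} auth_pass={r['auth_pass']} "
              f"brands={r['brands']} phones={r['phones']}")
```

The verdict deliberately requires the two structural signals (brand on free webmail, phone number present) before the content signals count, so a colleague mailing a phone number from Gmail does not trip it, while the sample lure fires on every signal even though its authentication results are a clean pass.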

Risk to Organization

If the target calls the number provided, the "representative" will most likely instruct them to download malicious software under the pretext of cancelling the purchase. Once the malware is installed, the attackers can carry out a variety of further actions, including escalating the intrusion into a ransomware attack.

Analysis Overview

Vector: Text-based
Goal: Malware Delivery
Tactic: Free Webmail Account
Theme: Fake Payment Receipt, Cryptocurrency
Impersonated Party: Brand
Impersonated Brands: PayPal