PayPal phishing scam coming from paypal.com domain
6 points by throwaway77385 5 months ago | 16 comments
The email is an obvious phishing attempt, referring to an address change and order I never made. Logging into my PayPal account, everything is unchanged and fine.
What I am surprised by is that anyone managed to send an email from service@paypal.com? How is that possible without their DNS being compromised somehow?
Someone on Reddit[0] has reported the same and I am wondering if anyone here has noticed / whether anyone here works at PayPal and needs to hear about this.
[0] https://old.reddit.com/r/paypal/comments/1ihs0ls/getting_tons_of_phishing_emails_from_verified/
- iwanttocomment 5 months ago
Anyone can send a money request or invoice to anyone else via PayPal, which will come from PayPal's servers and valid PayPal email addresses.
I'm not defending PayPal here, but people can also arbitrarily send a fraudulent invoice to you in email, or via the physical mail, or call you on the phone as well. Fraud of this sort is by no means an issue exclusive to PayPal.
You can't assume that all communications you receive from PayPal are legitimate requests, in the same way you can't assume that all letters or phone calls or text messages you receive are legitimate requests.
- throwaway77385 5 months ago
Oh wow, I would perhaps have expected that email to include some kind of "message from seller: / company: " type subject to at least identify it as such.
For anyone to just be able to send an email in the name of paypal.com with no indication that it was initiated by another paypal user is pretty bonkers.
I haven't seen this before, so either they have very good scam / spam detection or I was just lucky not to have been targeted yet.
- josefresco 5 months ago
> I would perhaps have expected that email to include some kind of "message from seller: / company: " type subject to at least identify it as such.
This is the real/root issue. I've seen a few of these and the email itself contains no identifying information which increases the phishing risk/suspicion substantially. Both PayPal, and some banks still send emails with buttons like "confirm your account" - it's wild.
- throwaway77385 5 months ago
And in fact, it should come from some kind of subdomain like "user-service@random-users-can-send-whatever-they-want-from-this-address.paypal.com" and then the header should be "THIS ISN'T AN OFFICIAL PAYPAL EMAIL" etc. etc.
I wouldn't fall for this scam, because I'm technically minded, but a less technical relative wouldn't stand a chance here.
- iwanttocomment 5 months ago
The messages from PayPal usually do include that sort of "message from seller". The phishers word these to deliberately exploit the issue.
The last time I received a message like this it included this message: "Note from [Fraudulent Seller]: Fraud Alert: Didn't make this order? Call at [Fraudulent 800 number]"
And also the message: "Don't recognize this request? Before paying, make sure you recognize this person. Don't engage with this request if you're unsure about it. PayPal won't contact you through a money request."
But, it did come legitimately from service@paypal.com, and was almost certainly the type of issue OP is describing. I'm not sure PayPal can do anything here but rephrase money requests or invoices as "potential" if they don't come from a contact known to the account. (It'd be cool if they did that.)
- gus_massa 5 months ago
WhatsApp adds a warning like "This person is not in your contact list. [Add] [Block]", so it's easier to detect new telephone numbers that have a higher probability of being spam/phishing/...
- litoE 5 months ago
I receive them too. They indeed come "From: <service@paypal.com>", but the dead giveaway is that the recipient is "To: fred smith <order_status10@jwa.onmicrosoft.com>". I'm NOT "fred smith" or any of the other random names they use. The emails arrive from the onmicrosoft.com servers, not the PayPal servers.
It looks like they create the fake account at onmicrosoft.com, then have paypal send an email to that account and then make onmicrosoft.com forward it to all their intended victims.
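The forwarding pattern described in the comment above, turned into a header check (an added example, not part of the thread). The From/To values are the ones quoted in the comment; the Received host, the Authentication-Results line, the date and `me@example.net` are constructed, and `check` is a hypothetical helper name.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample. From/To are the values quoted in the thread;
# every other header and me@example.net are made up for illustration.
SAMPLE = """\
Received: from relay.example.onmicrosoft.com (relay.example.onmicrosoft.com [192.0.2.10])
\tby mx.example.net with ESMTPS; Mon, 03 Feb 2025 10:00:00 +0000
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com
From: <service@paypal.com>
To: fred smith <order_status10@jwa.onmicrosoft.com>
Subject: Invoice (constructed)

body
"""

def under(host, dom):
    """True if host is dom itself or a subdomain of it."""
    return host == dom or host.endswith("." + dom)

def check(raw, my_addresses):
    """Return findings that suggest a genuine message was relayed to us."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = getaddresses([str(msg.get("From", ""))])
    from_dom = sender[0][1].rpartition("@")[2].lower() if sender else ""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {a.lower() for _, a in getaddresses([str(h) for h in headers]) if a}
    # 1. The visible recipient is someone else: we only got a forwarded copy.
    if not rcpts & {a.lower() for a in my_addresses}:
        findings.append("not-addressed-to-me: " + ", ".join(sorted(rcpts)))
    # 2. Topmost Received = the hop that handed the mail to our own MX.
    #    The host is the name the relay claimed, so treat it as a hint.
    received = msg.get_all("Received", [])
    m = re.match(r"\s*from\s+(\S+)", str(received[0])) if received else None
    if m and from_dom and not under(m.group(1).lower(), from_dom):
        findings.append("last-hop-outside-from-domain: " + m.group(1).lower())
    # 3. A valid signature does not contradict 1 and 2: the original
    #    message was real, it just was not sent to this mailbox.
    auth = str(msg.get("Authentication-Results", "")).lower()
    pat = r"dkim=pass\b.*header\.d=" + re.escape(from_dom) + r"(?![\w.-])"
    if findings and from_dom and re.search(pat, auth):
        findings.append("dkim-pass-for-from-domain: signed by sender, but relayed")
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE, ["me@example.net"]):
        print(finding)
```

Bcc'd and mailing-list mail also trips the first check, so it is a signal to combine with the others rather than a verdict on its own.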
- litoE 4 months ago
My wife and I have now started both receiving similar messages, but this time purportedly from '<notifications@zellepay.com>'. Same M.O.
- throwaway77385 5 months ago
Quite sophisticated. I'm not sure whether someone less technical would know what to do.
- ChrisArchitect 5 months ago
Related article:
Phish-free PayPal Phishing
https://www.fortinet.com/blog/threat-research/phish-free-pay...
- throwaway77385 5 months ago
Fascinating. This is probably the most sophisticated phishing attempt that's arrived in my inbox yet. Thank you for posting this article. The fact that this comes from service@paypal.com is massively concerning.
- Meeko 5 months ago
This email is for a $229.00 purchase of bitcoin from my PayPal account. I do not have a PayPal account. The sender is listed as caitlinrui caitlinrui, Other messaging-service@post.xero.com
- beardyw 5 months ago
Time was you could send an email purporting to come from anyone. At the time it was just a source of fun. Things are a bit better now, but not much.
- pinewurst 5 months ago
I deleted my PayPal account after receiving one of these. The convenience was no longer worth the risk for me.
- TheBozzCL 5 months ago
Are you sure they’re not just spoofing the address? Check the email headers.
- throwaway77385 5 months ago
Yup, as mentioned, it was verifiably paypal.com in the very headers. It's the lack of the spoofing that caught me off-guard. But, further below in the thread it appears that any business on PayPal can just send fake invoices powered by the official service@paypal.com domain, so...yeah, that's wild.