Cybercriminals Now Using Legitimate PayPal Emails in Scam

PayPal scams are nothing new. What is new is that cybercriminals have started using legitimate PayPal services to perpetrate those cyberattacks. In July 2016, cybercriminals sent legitimate PayPal emails to PayPal members in an effort to scam them out of $100 USD as well as infect their computers with malware.

How the Scam Worked

To carry out the scam, cybercriminals either created new PayPal accounts or hacked into existing ones. They then took advantage of a PayPal feature that is designed to let members request money from one another. To use this feature, the person requesting the money fills out a form that includes an area where they can enter a message.

In this case, the cybercriminals wrote that they were requesting a refund because $100 had been fraudulently sent from their PayPal accounts to the victims' accounts. The cybercriminals included a goo.gl URL that supposedly linked to documents showing the fraudulent transaction and an incident report sent to PayPal. In reality, the URL sent the victims to a website that placed a malicious script, which was disguised as a JPEG file, on the victims' computers. Victims who opened this file had their computers infected with two types of malware:

Chthonic banking trojan: Cybercriminals have been using this malware since 2014. When victims visit their online banking websites, Chthonic inserts code and images into the bank pages loaded by the victims' web browsers. This allows the cybercriminals to steal the victims' login credentials, answers to security questions, and other personal data.
AZORult information stealer: AZORult is new malware that is available in underground cyber markets. According to security researchers, it allows cybercriminals to steal victims' passwords to programs such as Microsoft Outlook, Google Chrome, and FileZilla. Cybercriminals can also use it to steal files from victims' computers, such as desktop and bitcoin files.

The Broader Implications

It did not take long for researchers to discover the scam and for PayPal to stop it. Because the cybercriminals used the Google URL Shortener service to turn the malicious link into a goo.gl URL, the click-through rate could be tracked. Fortunately, only 27 people clicked the link.

Even though there were only a few victims, this scam has much broader implications: You can no longer assume that an email is safe just because the email address in the "From" field is legitimate. You need to carefully review all your emails, looking for signs that they might be a scam. For example, you should be suspicious of unexpected emails that ask for money or information. This is especially true if the emails try to create a sense of urgency (i.e., there will be unfortunate consequences if you do not take action quickly). Other clues include shortened or deceptive URLs, misspellings, and grammatical errors.

Cybercrime Is Constantly Evolving — Your Security Measures Should, Too

This PayPal attack is evidence that cybercrime is constantly evolving. Keeping abreast of cybercriminals' newest tricks is important but difficult to do on your own. Your best bet is to rely on your IT service provider. They can keep you informed as well as help you protect your business against new and existing threats.