The emails are being sent directly by PayPal from the address "service@paypal.com," causing people to be concerned their account was hacked. In our case, the scam email was sent to an email address with no PayPal account.

The email includes the new address that was allegedly added to your PayPal account, including a message claiming to be a purchase confirmation for a MacBook M4, and to call the enclosed PayPal number if you did not authorize the purchase.

"If you want to link your credit card to this address, or make it your primary address, log in to your PayPal account and go to your Profile," reads the PayPal email notification.

"If you did not authorize this update, please reach out to PayPal at +1-888-668-2508," reads the scam email.

The goal of these emails is to trick recipients into thinking their account was hacked to purchase a MacBook and scare the email recipient into calling the scammer's "PayPal support" phone number.

When BleepingComputer first received this email, we were confused as the email was sent from "service@paypal.com" to an email address that does not have a PayPal account associated with it.

Furthermore, the mail headers show that the emails are legitimate, passing DKIM email security checks and originating directly from PayPal's mail server, as shown below.

It was unclear at first how these legitimate emails were being sent from PayPal until we noticed this text at the bottom of the email.

Upon further analysis of the mail headers, we can see that the email is actually being sent to the address "noreply_@usaea.institute," which is the email address associated with the scammer's PayPal address.

The headers further show that this email address automatically forwards the email it receives to "bill_complete1@zodu.onmicrosoft.com", an account associated with a Microsoft 365 tenant.

When they add the scam address to PayPal, the payment platform will email a confirmation to the threat actor's email, which will then forward it to the Microsoft 365 account, which then forwards it to everyone on the mailing list, as shown in the flow chart below.

PayPal enables this scam by not limiting the number of characters in the address form fields, allowing the threat actors to inject their scam message.

In a test, BleepingComputer added a new address to one of our accounts and pasted the scammer's fake MacBook purchase confirmation message into the Address 2 field. After saving the address, PayPal sent us the same confirmation email, notifying us of the new address we added, which also included the fake purchase message.

Therefore, if you receive a legitimate email from PayPal stating you updated your address, and it contains a bogus purchase confirmation, simply ignore the email and do not contact the listed phone number as it belongs to the scammer. To be safe, instead, log into your PayPal account and confirm no additional addresses were added, and if not, junk the email.

BleepingComputer contacted PayPal about this scam and is awaiting a response to our email. To fix this, PayPal needs to restrict the number of characters in the address field to a reasonable character count, like 50 characters, if not less.
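A server-side check of the kind the article calls for, added here as an example and not PayPal's own code: it caps each address line at the 50 characters the article suggests and rejects values that read like a message rather than an address. The field names, the lure word list and the sample forms are constructed for this example; the scam line is modelled on the text quoted above.

```python
import re
from dataclasses import dataclass, field

# Cap per address line, following the article's suggested limit (an assumption about
# what a reasonable cap is, not a PayPal value).
MAX_ADDRESS_FIELD_LEN = 50
# Wording typical of a support-scam lure; heuristic list chosen for this example.
LURE_RE = re.compile(r"\b(call|contact|reach out|authori[sz]e|support)\b", re.IGNORECASE)

@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)

def looks_like_phone(value: str) -> bool:
    """True if the value contains a run of 10+ digits with phone-style separators."""
    for m in re.finditer(r"[+()\d][\d\s().-]{8,}", value):
        if sum(c.isdigit() for c in m.group()) >= 10:
            return True
    return False

def validate_address_field(name: str, value: str, max_len: int = MAX_ADDRESS_FIELD_LEN) -> list:
    """Return the problems found in one address field; an empty list means clean."""
    errors = []
    if len(value) > max_len:
        errors.append(f"{name}: {len(value)} characters exceeds the {max_len}-character limit")
    if any(ord(ch) < 32 for ch in value):  # newlines, tabs and other control characters
        errors.append(f"{name}: control characters are not allowed")
    if looks_like_phone(value):
        errors.append(f"{name}: contains a phone number")
    if LURE_RE.search(value):
        errors.append(f"{name}: contains message-like wording")
    return errors

def validate_address(fields: dict) -> ValidationResult:
    """Validate every field of a submitted address form and collect all problems."""
    errors = []
    for name, value in fields.items():
        errors.extend(validate_address_field(name, value))
    return ValidationResult(ok=not errors, errors=errors)

# Constructed samples: a normal address, and one with the scam text pasted into Address 2.
LEGIT_FORM = {"address1": "1234 Main St", "address2": "Apt 5B", "zip": "12345-6789"}
SCAM_FORM = {"address1": "1234 Main St",
             "address2": "If you did not authorize this update, please reach out to PayPal at +1-888-668-2508"}

if __name__ == "__main__":
    for form in (LEGIT_FORM, SCAM_FORM):
        print(validate_address(form))
```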
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 22 Feb 2025 21:05:07 +0000