PayPal Used to Send Malicious “Double Spear” Invoices
Security experts are warning users not to fall for a new threat campaign using PayPal to send out phishing invoices.
PayPal domains are usually “allow-listed” by organizations’ email filters. So cyber-criminals are registering accounts and composing malicious invoices on the platform itself, explained Avanan researcher Jeremy Fuchs.
In the invoice, they spoof the Norton brand but add their own contact details, requesting payment.
This is done in an attempt to get a double pay-out from the attack. Bemused users might call the number, only to be put through to a malicious call center operative who will then attempt to harvest their details, including phone number, and persuade them to pay up.
That’s what Avanan calls a “double spear” – forcing payment and stealing user information which can be used in future attacks.
Hackers have been observed abusing other legitimate platforms in a similar way, and the tactic “couldn’t be easier” for them, said Fuchs.
“Hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end-users. We’ve seen this with QuickBooks most recently, and now with PayPal. This can be done on any site that’s trusted and used regularly by end-users,” he said.
“PayPal and QuickBooks are particularly clever since they are often used for business invoices. The scam works since static allow lists allow content from these sites directly from the inbox. What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it more legitimate to the security service and to the end-user.”
Fuchs recommended users always do an internet search before calling any number in an unsolicited email/invoice, to see if it’s legitimate. Users should also be encouraged to treat such emails with skepticism.
Advanced security tools are important as they will use multi-layered techniques to check if an email is legitimate or not, he said.
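A content-based check of the kind those multi-layered tools apply, written here as an added example (not Avanan's, PayPal's, or any vendor's code): an allow-listed sender domain does not exempt the invoice body from inspection, and an invoice that carries a phone number and a "call us" instruction, or a third-party brand, is scored up. The allow-list, the brand list, the phone pattern and both sample invoices are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list: sender domains a static mail filter passes straight to the inbox.
ALLOW_LISTED_SENDERS = {"paypal.com", "intuit.com"}
# Brands seen spoofed inside invoice text; Norton is the one named in the report.
SPOOFED_BRANDS = {"norton"}
# Simplified North-American phone pattern; tune for your own locale and telemetry.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_RE = re.compile(r"\b(?:call|contact|dial|phone)\b[^.\n]{0,40}?\b(?:us|support|helpline|number)\b", re.I)

@dataclass
class Verdict:
    sender_domain: str
    allow_listed: bool = False
    phones: list = field(default_factory=list)
    brands: list = field(default_factory=list)
    call_to_action: bool = False
    score: int = 0

def domain_of(from_header: str) -> str:
    """Domain of a From: header such as 'PayPal <service@paypal.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def assess(from_header: str, subject: str, body: str) -> Verdict:
    """Score an invoice on its content; the sender's reputation alone clears nothing."""
    text = f"{subject}\n{body}"
    v = Verdict(domain_of(from_header))
    v.allow_listed = v.sender_domain in ALLOW_LISTED_SENDERS
    v.phones = PHONE_RE.findall(text)
    v.brands = sorted(b for b in SPOOFED_BRANDS if b in text.lower())
    v.call_to_action = bool(CALL_RE.search(text))
    # A phone number plus a "call us" instruction is the lure; a third-party brand adds weight.
    v.score = sum((bool(v.phones), v.call_to_action, bool(v.brands)))
    # An allow-listed platform carrying lure content raises suspicion rather than lowering it.
    if v.allow_listed and v.score:
        v.score += 1
    return v

def is_suspicious(v: Verdict) -> bool:
    return v.score >= 2  # threshold chosen for this example; calibrate on your own mail

# Constructed sample mirroring the campaign: genuine PayPal sender, spoofed Norton brand, attacker's number.
MALICIOUS = ("PayPal <service@paypal.com>", "Invoice from Norton Billing",
             "You were charged $399.99 for your Norton 360 renewal.\n"
             "If you did not authorize this, call us at 1-800-555-0123 within 24 hours to cancel.")
# Constructed benign invoice from the same platform: no phone number, no call-to-action.
BENIGN = ("PayPal <service@paypal.com>", "Invoice from Acme Design Studio",
          "Invoice #1042 for website mockups, total $450.00. Pay by 30 June.")
```

Run `assess(*MALICIOUS)` and `assess(*BENIGN)` to compare the two verdicts; only the first crosses the threshold, even though both arrive from the same allow-listed domain.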