Malicious actors have started to exploit a gap in the defenses of many home users, organizations, and email and security services: they send phishing emails through legitimate services.
Threat actors have found a way to send phishing emails using the tools and services that legitimate companies such as PayPal or QuickBooks provide to their customers.
Most phishing emails come from unrelated domains; experienced users may spot these right away, and so do many antivirus solutions. Using a domain that is on an allow list, on the other hand, adds trust to the email.
Because of that, phishing emails that come directly from PayPal have a greater chance of slipping through defenses. Email providers and antivirus solutions may not want to block all emails coming from PayPal, as it is a legitimate service.
Security researchers at Avanan, a CheckPoint company, discovered a new phishing attack in June 2022 that used free PayPal accounts to “send malicious invoices and requests”. Similar to the QuickBooks invoice phishing campaign, the campaign used the legitimacy of PayPal to push past most defenses to land in the inbox of the users it attacked.
PayPal users may send invoices and money requests using the service. The attackers registered free PayPal accounts and used them to create fake invoices and money requests. They changed the invoice data to look legitimate, e.g., by using the names of respected companies, such as Norton.
Victims who find the phishing emails in their inboxes may believe it is legitimate as it comes from an official PayPal domain and not an unrelated site.
Attacked users may be inclined to call the provided phone number and/or pay the invoice. Any attempt to contact the company named in the fake invoice using the details it provides leads straight to the attacker. While some of the attacked users may open the legitimate website of the company that allegedly sent the invoice, most may use the contact information provided in the invoice instead.
Avanan published three suggestions to combat this phishing trend:
- Look up any number online before calling it to make sure it is legitimate.
- Implement additional security protections to defend against these kinds of phishing emails.
- Users who work in organizations should be trained to contact IT when in doubt.
The new phishing attack uses the tools that legitimate services and businesses provide to lend the attack legitimacy and bypass certain defenses.
One of the best options against this type of attack is to use common sense. Take an invoice for Norton Antivirus as an example: if you have no business relationship with Norton, then it is either a fake (very likely) or sent accidentally.
When in doubt, either contact IT support directly if that is an option, or open the website of the company in question to contact their support directly.
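The advice above (an invoice is only plausible if you actually do business with the named company, and a phone number in the invoice is not to be trusted) can be turned into a mail-gateway triage rule. The following is an added example, not code from the article, from Avanan, or from PayPal. It assumes the organization keeps a list of its real vendors (`KNOWN_VENDORS`, constructed here), that the receiving mail server writes an `Authentication-Results` header with a DKIM verdict, and that invoice subjects follow an "Invoice from <merchant>" pattern; the three sample messages are constructed for illustration.

```python
"""Triage invoice / money-request emails that arrive through a legitimate
platform such as PayPal. Added example; not the article's or PayPal's code.
"""
import re
from email import message_from_string

# Assumed: vendors the organization really does business with (constructed).
KNOWN_VENDORS = {"acme widgets"}
# Brands commonly impersonated in fake invoices; the article names Norton.
IMPERSONATED_BRANDS = {"norton", "mcafee", "geek squad"}
# Platforms whose mail is trusted by allow lists (assumed domains).
PLATFORM_DOMAINS = ("paypal.com", "intuit.com")

PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URGENCY_RE = re.compile(r"\b(?:within 24 hours|immediately|call (?:us|now)|cancel)\b", re.I)
MERCHANT_RE = re.compile(r"^(?:invoice|money request) from (.+)$", re.I)


def sender_domain(msg) -> str:
    """Domain part of the From header, lowercased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def from_platform(msg) -> bool:
    """True when the mail genuinely came through a trusted platform: the sender
    domain matches and the receiving server recorded a DKIM pass."""
    dom = sender_domain(msg)
    auth = msg.get("Authentication-Results", "").lower()
    on_platform = any(dom == d or dom.endswith("." + d) for d in PLATFORM_DOMAINS)
    return on_platform and "dkim=pass" in auth


def merchant_name(msg) -> str:
    """Merchant named in the subject, lowercased ('' if the pattern is absent)."""
    m = MERCHANT_RE.match(msg.get("Subject", "").strip())
    return m.group(1).strip().lower() if m else ""


def triage_invoice(raw: str) -> dict:
    """Return a verdict ('deliver', 'review', 'quarantine', 'standard-filter')
    with the reasons that produced it."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart: this example only inspects plain text
        body = ""
    merchant = merchant_name(msg)

    if not from_platform(msg):
        # Not a platform-originated mail: leave it to the normal spoofing filters.
        return {"verdict": "standard-filter", "merchant": merchant,
                "reasons": ["not sent through a trusted platform"]}

    brand_hit = any(b in merchant for b in IMPERSONATED_BRANDS)
    unknown = bool(merchant) and merchant not in KNOWN_VENDORS
    phone = bool(PHONE_RE.search(body))
    urgent = bool(URGENCY_RE.search(body))
    reasons = [text for flag, text in (
        (brand_hit, "merchant name matches a commonly impersonated brand"),
        (unknown, "merchant not in the organization's vendor list"),
        (phone, "phone number in invoice text"),
        (urgent, "urgency language"),
    ) if flag]

    if brand_hit or (unknown and (phone or urgent)):
        verdict = "quarantine"
    elif unknown:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "merchant": merchant, "reasons": reasons}


# Constructed sample messages (555-01xx numbers are reserved for fiction).
FAKE_INVOICE = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Invoice from Norton Antivirus Billing
Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com
Content-Type: text/plain

Your subscription has been renewed for $299.99. If you did not make this
purchase, call us immediately at 1-800-555-0199 to cancel.
"""

LEGIT_INVOICE = """\
From: "PayPal" <service@paypal.com>
To: accounts@example.org
Subject: Invoice from Acme Widgets
Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com
Content-Type: text/plain

Acme Widgets sent you an invoice for $120.00 for order 4471. Pay by 30 June.
"""

SPOOFED_INVOICE = """\
From: "PayPal" <service@paypa1-billing.example>
To: victim@example.org
Subject: Invoice from Norton Antivirus Billing
Authentication-Results: mx.example.org; dkim=none
Content-Type: text/plain

Call 1-800-555-0199 now.
"""

if __name__ == "__main__":
    for name, raw in (("fake", FAKE_INVOICE), ("legit", LEGIT_INVOICE), ("spoofed", SPOOFED_INVOICE)):
        print(name, triage_invoice(raw))
```

The point of the `from_platform` check is that allow-listing the sender domain is exactly what the attackers rely on; the rule therefore treats a verified PayPal origin as the trigger for closer inspection rather than as a reason to deliver, and the organization's own vendor list becomes the deciding signal.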
New phishing attacks have come to light recently. Microsoft described an attack that targeted Office users and was able to circumvent two-factor authentication protections. A similar attack was revealed by security researchers at Zscaler.
Now You: did you ever get phishing emails from legitimate domains? (via Born)