In this attack, attackers use a method known as spoofing to impersonate PayPal, leading recipients to a phishing page.
Quick Summary of Attack Target
Platform: Office 365
Mailboxes: More than 10,000
Bypassed Email Security: Ironport
Payload: Malicious Link
What was the attack?
Setup: Because PayPal accounts are linked to credit cards and bank accounts, PayPal itself is a commonly impersonated brand from attackers hoping to steal that information from unsuspecting victims.
Email attack: This email appears to be coming from PayPal (firstname.lastname@example.org, which is a real PayPal domain), telling recipients that their account has been flagged and limited. However, authentication fails for this message and the actual sending domain is ‘dion.ne.jp’, a domain that has no correspondence to PayPal. The attacker is attempting to gain the trust of the recipient by making it appear as though PayPal has sent the email. This method – spoofing a real domain – can deceive the recipient into thinking the email is legitimate and coming from PayPal.
Payload: It may look as though the link that this email contains will take the recipient to paypal.com, but the attacker uses a concealed link in an attempt to fool the recipient. When clicked, the link in the email actually leads the recipient to a phishing page at ‘arferdimpex.biz’. This landing page looks nearly identical to the real paypal.com and asks the recipient to input their email or phone number and password.
Result: If the recipient does click on the concealed link and inputs their credentials into this fake PayPal page, the attacker will have access to their PayPal account and all of the sensitive, personal information inside. The attacker will also be able to access the victim’s personal funds.
Why was this attack effective?
Convincing email and landing page: The attacker’s meticulous work in creating this fake PayPal website makes this attack very effective. The landing page may look nearly identical to the actual website, but the domain, ‘arferdimpex.biz’, is, of course, not a PayPal domain. Without scrutinizing the real email address or the domain, the recipient may not notice that these are not actually from PayPal.
Urgency: Because PayPal is commonly used for payment across the internet, recipients who receive this may try to quickly fix their supposedly flagged and limited account, and therefore overlook signals that this is an email attack.