Everyone who uses PayPal service for their online payments has at least once received an e-mail pretending to be from the official PayPal support, stating that an unauthorized payment has been made out of the account. Most of these e-mails are fake and quite easy to recognize.
The Scheme
This time though hackers have put all of their engineering skills to full extent and receiving such e-mails may be taken seriously from users. They look quite genuine, and somebody who is not using much their PayPal account can really fall for them. What the messages usually state is that an unauthorized third-party has been using the account for various payments. Users can also be lead to believe that the payment records have been assigned to their account by mistake.
The subject of the messages states: “Receipt for your payment to Apple Store Australia”. The text in the body consists of an invoice for a payment made in favor of an Apple store in Australia at the amount of AUD 158 / EUR 108 / USD 136. At the end of the invoice, there is a link for users to dispute this payment and to stop the transaction.
This is a classic phishing scheme – leading the user to believe that something went wrong and giving him the option to fix the situation.
How the Information Is Extracted
In this particular case, apart from the fairly original-looking financial document and PayPal graphic images, the message also says that the link the user needs to lead in order to dispute the payment is encrypted and secure. Apart from the fact that it’s not.
Leading the link the user lands on a false page. It requires information on their PayPal account, like username and password, again stating that thus they dispute the transaction. If the user provides that information he is being lead to a second page, asking for even further details, just to confirm the user’s identity as it says. All of the information provided is being sent to the hackers of course. Unless the user has activated a 2-step verification method including mobile phone number for their PayPal, all the crooks will need are the simple username (e-mail) and password.
But don’t be fooled – the hackers can bypass the 2-step verification method as well. That’s why there is a second page, asking for more information as explained above. The information is used for further verification when entering PayPal and can be enough for them to enter. If they state that they have forgotten the password and wish to change it by giving an answer to the account’s secret question for example.
Protection
The only hint for the user to recognize such messages is that there is no username used in it while PayPal always send messages addressing their customers by name.
Another way to protect yourself is to enter your account apart from the message by manually typing the PayPal web-site link in a different browser tab and check the account balance of course.
