In an effort to steal payment information from unsuspecting users, a group of hackers has been using merchant email accounts to impersonate PayPal for over a month.

About the scam

A recent report from cybersecurity company Avanan revealed that the attackers are using a “Static Expressway” technique to target inboxes. In this approach, hackers create a merchant account and send phishing emails from a commonly recognized domain; because the messages seem to come from a legitimate source, they bypass spam filters. As SC Media shares:

“The hackers send the email from PayPal’s domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton. The hackers then leverage legitimate and popular websites to get into inboxes and steal credentials and money.”

In this particular campaign, victims are sent an invoice that appears to be from PayPal, and are encouraged to call to settle their payment – but in reality, the hackers will steal their credit card information.

When discussing the recent attacks, Avanan representative Jeremy Fuchs stated:

“This [kind of attack] can be done on any site that’s trusted and used regularly by end-users… [and using PayPal and QuickBooks is] particularly clever since they are often used for business invoices… The scam works since static Allow Lists ‘allow’ content from these sites directly from the inbox. It’s a way of condensing the internet for security scanners. You can’t block the whole internet; so you try to figure out what you know is good…

What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it more legitimate to the security service and to the end-user.”
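As an added illustration (not code from Avanan, SC Media or PayPal), the sketch below shows a content check that still runs on mail from allow-listed domains and flags the two traits described above: a brand in the body that does not match the sender, and a request to call a phone number. The allow list, the brand-to-domain map, the function name and the sample messages are constructed assumptions.

```python
import re

# Assumption: a static allow list of trusted sending domains, as in the report.
STATIC_ALLOW_LIST = {"paypal.com", "quickbooks.com"}

# Assumption: brands to watch for and the domains each one legitimately mails from.
BRAND_DOMAINS = {
    "norton": {"norton.com"},
    "paypal": {"paypal.com"},
    "quickbooks": {"quickbooks.com", "intuit.com"},
}

CALL_RE = re.compile(r"\b(call|dial|phone)\b", re.IGNORECASE)
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def review_allowlisted_mail(sender_domain, body):
    """Return the reasons an allow-listed message should still be held for review."""
    reasons = []
    domain = sender_domain.lower()
    if domain not in STATIC_ALLOW_LIST:
        return reasons  # not allow-listed: the normal filtering path applies

    text = body.lower()
    # A brand named in the body that does not own the sending domain.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", text) and domain not in domains:
            reasons.append(f"brand_mismatch:{brand}")

    # An invoice that asks the reader to settle by phone instead of in the portal.
    if CALL_RE.search(text) and PHONE_RE.search(body):
        reasons.append("callback_number")
    return reasons


# Constructed sample messages (the phone number is a fictional 555 number).
SUSPECT_BODY = ("Invoice from Norton Security: your annual renewal of $399.99 "
                "was charged. To dispute, call +1 (800) 555-0100 within 24 hours.")
BENIGN_BODY = ("You sent a payment of $20.00 to Example Store. "
               "View the details in your PayPal account.")

if __name__ == "__main__":
    print(review_allowlisted_mail("paypal.com", SUSPECT_BODY))
    print(review_allowlisted_mail("paypal.com", BENIGN_BODY))
```

A message that returns any reason is a candidate for quarantine or a warning banner rather than direct delivery on the strength of the sender domain alone.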

No response from PayPal

Currently, PayPal has not shared whether or not it is taking any actions to shut down these kinds of schemes. Until it does, experts encourage companies to closely monitor their invoices – and if anything looks out of the ordinary, to discuss it with their IT department.