This PayPal scam exploits new address feature to send out phishing scam emails

New phishing technique discovered abusing PayPal
The attack uses a feature recently added to the payments platform
The goal is to get victims to install remote desktop access software

A sophisticated phishing scam has been spotted abusing PayPal and other services, with the goal of tricking people into granting cybercriminals access to their devices.

Researchers from BleepingComputer who, themselves, received one such phishing email, and decided to investigate further.

The victims would get an email directly from “service@paypal.com” claiming a new address had been added to their account, and that a purchase of a new MacBook M4 laptop was completed. The victims were then invited to call a phone number enclosed with the email, if they wish to cancel the order.

Abusing legitimate services

Obviously, all of this is fake. There is no new address, no MacBook, and the phone number - while active - does not belong to PayPal, but rather to the scammers. The goal is to scare people into rash decisions, calling the phone number to quickly cancel the order. The person on the other side would claim the computer was compromised, and that they needed to install an antivirus to clean it up.

This antivirus is actually a ConnectWise ScreenConnect client, which would grant the attackers total control over the computer. After that, they can steal the data, make actual wire transfers, and more.

One thing that actually isn’t fake is PayPal’s email address. As BleepingComputer discovered, PayPal recently introduced a new feature that allows users to add “gift addresses” to their own profiles. So, in reality, the attackers actually added a new address to their own account.

After adding a new address, PayPal can send a customized notification email. This customization allowed the attackers to add the “You purchased a new MacBook phishing message.”

The notification message was then automatically forwarded to another account which, the publication speculates, is a mailing list that forwarded it to the victims.

PayPal users getting this email can safely ignore it. If you’re still suspicious, navigate directly to paypal.com and check to see if there is a new address added (there isn’t).

Via BleepingComputer

These are the most common PayPal scams around right now - so stay alert
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.