Threat Actors Attack PayPal Users in New Account Profile Set up Scam

A sophisticated phishing campaign targeting PayPal’s massive user base has emerged, utilizing deceptive “Set up your account profile” emails to compromise user accounts through an ingenious secondary user addition scheme.

The attack leverages advanced email spoofing techniques and psychological manipulation tactics to bypass traditional security awareness measures, representing a significant evolution in financial fraud methodologies.

The scam operates through carefully crafted emails that appear to originate from legitimate PayPal addresses such as [email protected] and [email protected].

Fake email (Source – Malwarebytes)

However, threat actors employ address spoofing techniques that exploit inherent weaknesses in email authentication protocols.

The attackers configure their email clients to display fraudulent sender addresses, taking advantage of the fact that most email systems lack stringent verification mechanisms for “From” field authenticity.

Recipients receive messages claiming detection of a new payment profile with charges of $910.45 USD at Kraken.com, a legitimate cryptocurrency trading platform.

The emails feature authentic PayPal branding and layout elements, likely extracted from genuine PayPal communications.

Fake email body (Source – Malwarebytes)

Malwarebytes analysts noted several critical red flags within these messages, including unusual recipient addresses utilizing compromised domains with “.test-google-a.com” extensions, subject lines misaligned with email content, and absence of personalized greetings that legitimate PayPal communications always include.
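The red flags above (a From line that claims the PayPal brand without being authenticated, a recipient on a .test-google-a.com domain, no personalized greeting, a subject that does not match the body) can be turned into a mechanical triage check. The following Python is an added example, not code from Malwarebytes or PayPal; the two messages it parses are constructed samples, and the sender addresses, recipient addresses and Authentication-Results values in them are illustrative assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the indicators above: a From that claims PayPal,
# SPF/DMARC failures, an odd recipient domain, no greeting, charge in the body.
SUSPECT_EML = """\
From: PayPal <service@paypal.com>
To: customer@mail.test-google-a.com
Subject: Set up your account profile
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.sender.example;
 dkim=none; dmarc=fail header.from=paypal.com

We detected a new payment profile. A charge of $910.45 USD at Kraken.com
was authorized. Click the link below to dispute this charge.
"""
# Constructed legitimate-looking counterpart for comparison (values assumed).
CLEAN_EML = """\
From: PayPal <service@paypal.com>
To: jane@example.org
Subject: Your receipt for $12.00 USD
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com

Hello Jane Doe,
You sent a payment of $12.00 USD to Example Store.
"""

def parse_auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}

def flag_message(raw):
    """Return red-flag labels for one raw message; an empty list means none tripped."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    # The visible From is text the sender typed; only a DMARC pass ties it to the domain.
    if from_domain.endswith("paypal.com") and parse_auth_results(msg).get("dmarc") != "pass":
        flags.append("paypal-from-without-dmarc-pass")
    to_domain = parseaddr(msg.get("To", ""))[1].rsplit("@", 1)[-1].lower()
    if to_domain.endswith("test-google-a.com"):
        flags.append("recipient-on-test-google-a.com")
    body = msg.get_body(preferencelist=("plain",)).get_content().strip()
    if not re.match(r"(hello|hi|dear)\b", body.splitlines()[0], re.I):
        flags.append("no-personalized-greeting")
    if "profile" in msg.get("Subject", "").lower() and re.search(r"\$\d", body):
        flags.append("subject-body-mismatch")
    return flags
```

Running `flag_message` over a mail store is a coarse filter, not a verdict: the DMARC check is the only one that cannot be satisfied by cosmetic changes to the message, so messages that trip it deserve priority in review.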

Sophisticated Account Takeover Mechanism

The campaign’s most insidious element involves redirecting victims to authentic PayPal infrastructure rather than traditional phishing sites.

When users click the embedded links, they unwittingly initiate PayPal’s legitimate secondary user addition process instead of the expected profile setup or payment dispute resolution.

This technique represents a paradigm shift from conventional phishing approaches, as it exploits PayPal’s own functionality to achieve malicious objectives.

The secondary user addition process grants extensive account privileges, including payment authorization capabilities.

Once successfully added as a secondary user, threat actors gain sufficient access to drain victims’ PayPal balances and conduct unauthorized transactions.

This approach bypasses many traditional anti-phishing measures since the destination URLs resolve to legitimate PayPal domains, making detection significantly more challenging for both automated security systems and end users.

The campaign has reportedly operated for over a month, targeting PayPal’s 434 million active users through databases of email addresses associated with PayPal accounts or previous PayPal interactions.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.