Avanan researchers have found a new way that hackers are taking to get into the inbox: creating fake invoices in PayPal and using the legitimacy of the site to get into the inbox. 

Starting in June 2022, Avanan researchers have seen hackers use PayPal to send malicious invoices and request payments. The hackers send the email from PayPal's domain, using a free PayPal account that they have signed up for, with the email body spoofing brands like Norton. Avanan analyzed how hackers are leveraging legitimate and popular websites to get into inboxes and steal credentials and money. 

According to Avanan, hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end users, which can be done on any site trusted and used regularly by end-users. "PayPal and QuickBooks are particularly clever since they are often used for business invoices. The scam works since static Allow Lists "allow" content from these sites directly from the inbox. It's a way of condensing the internet for security scanners. You can't block the whole internet; so you try to figure out what you know is good. Trusted websites like PayPal often make the cut, even if it is an oft impersonated brand. What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it more legitimate to the security service and to the end-user," Avanan says.

Avanan notified PayPal of this attack on July 19th.

The attack is a reminder of the genius and persistence of threat actors. They continue to build new tactics on existing ones to profit from security loopholes, says Mark Arnold, Vice President, Advisory Services at LARES Consulting. "The ingenuity of attackers reinforces the need for continuous security awareness programs that can arm end users with the knowledge to thwart existing and emerging threats like this one. The list of techniques to conduct credential harvesting will undoubtedly grow. Brand impersonation in combination with Double Spear is the latest entry. Security awareness stewards need to be creative enough and tap into relevant intelligence sources to keep training current in the face of these and similar attacks," Arnold says.

Patrick Harr, CEO at SlashNext, suggests social engineering scams need to be included in phishing training programs. "Training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work-life. However, we hear from users that making policy adjustments restricting employees' use of mobile, social, or other personal apps is not well received," Harr explains. "In fact, asking employees to install managed security on their personal devices is also a non-starter. Look for security solutions that protect BYOD users from phishing with complete privacy and the added benefit of protecting the organization."