Teejay.blog
November 5th, 2024

Phucking Phishers

cyberstuff

I work in Cybersecurity and see crap like this all the time. So I thought I should share this fairly well-crafted spam/phishing email, how to spot that it's a fake, and what to do if/when you get one.

As you see below, it looks like a legitimate PayPal request for money from some "vendor". It looks like it's coming from a legit sender (they even have the cute little blue checkmark). All the logos look legit, etc.

[Image: First half of "PayPal" spam]

However, there are a few red flags (from top-to-bottom):

  • They sent it TO a "donotreply" email address; usually things will be sent FROM a "donotreply" address (because those company mailboxes are usually unmonitored). The TO *should* be my email address.
  • The greeting, "hello, donotreply@...", follows the same mistake as above.
  • If you've used PayPal much at all (I use it at least once per month) the headline would sound odd to you. PayPal doesn't use the verbiage "A small reminder from...". They either send a receipt or "Reminder: ...". This is a small thing, but many small things add up to a large thing.
  • The "Note from CayMay Press" section should be a note from the vendor. Instead this looks like directions from PayPal on what to do with this message.
    • Also, PayPal won't ever automatically proceed with the transaction unless you contact them; they will have either already proceeded with the transaction, or it will be something you previously authorized.
  • The telephone number to reach PayPal is a Hawaii area code (808); I guess the phishers thought it was close enough to a toll-free number (800, 833, 844, 855, etc.) that people won't notice?

[Image: Second half of "PayPal" spam]

The thing I found most sneaky though is the link to pay the bill. First, why would I need a link to pay if it's going to process automatically as stated above? Spoiler: it's because they want you to feel a sense of urgency so you won't notice the inconsistencies. But, if you mouse over the "Pay Now" button, you'll see that it will actually take you to the PayPal website.

[Image: URL of "Pay Now" button in spam]

What they've done is use the "returnUri" parameter to force the page to redirect you somewhere else AFTER you've authenticated on the PayPal site. In this case, it looks like they're taking you directly to the pay request for the amount above. This makes it look like the request was actually sent to you rather than a general request for money that they've redirected you to. Essentially, this is a legitimate money request created through the PayPal site; you would have clicked "Pay Now" and paid it yourself. You would then have little-to-no recourse in getting your money back because it appears you authorized the transaction.

So, what can you do to avoid scams like this?
  1. NEVER click the link in the email. Ever. Never ever. Did I mention NEVER?
    • Also, NEVER open an attachment in an email. Ever. Never ever.
  2. Open a new browser window and visit the website. If this is a legitimate request, you will also have the request there.
  3. If you're *still* not sure, contact support through the website, not through the contact details offered in the email.
  4. Delete the email (and/or report as spam if your email platform allows it). Don't engage with the email directly at all.
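As an added illustration (my own example, not from the original post), here is a small Python check that does what the mouse-over above does by hand: confirm that the link's host is the site you expect, then surface any post-login redirect parameter such as returnUri and where it actually points. The sample URLs, the trusted-host list and the parameter names are constructed for the example, not taken from the real email.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameter names commonly used to send the browser elsewhere after sign-in.
# The list is an assumption for this example; "returnUri" is the one seen in the email.
REDIRECT_PARAMS = {"returnuri", "returnurl", "return_url", "redirect", "redirect_uri", "next"}


def fully_unquote(value, limit=5):
    """Undo percent-encoding until the value stops changing (catches double encoding)."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_link(url, trusted_hosts):
    """Return what a cautious reader wants to know before clicking: the host, and any redirect."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host_trusted = host in trusted_hosts
    redirects = []
    # parse_qs assumes the redirect target is percent-encoded; an unencoded target
    # containing "&" would be split into separate parameters here.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for raw in values:
            target = fully_unquote(raw)
            target_host = (urlsplit(target).hostname or "").lower()
            redirects.append({
                "param": name,
                "target": target,
                "target_host": target_host or host,  # a relative target stays on the sign-in host
                "off_site": bool(target_host) and target_host not in trusted_hosts,
            })
    return {
        "host": host,
        "host_trusted": host_trusted,
        "redirects": redirects,
        # A link on the genuine site that still carries a post-login redirect deserves a
        # second look: whoever built the link chose the page you land on after signing in.
        "needs_review": (not host_trusted) or bool(redirects),
    }


if __name__ == "__main__":
    trusted = {"paypal.com", "www.paypal.com"}  # constructed for the example
    # Constructed sample mirroring the email's trick: real sign-in host, redirect to a pay request.
    sample = "https://www.paypal.com/signin?returnUri=https%3A%2F%2Fwww.paypal.com%2Fpay%2FREQUEST-ID-PLACEHOLDER"
    for key, value in analyze_link(sample, trusted).items():
        print(f"{key}: {value}")
```

Even when the host checks out, a link that carries a redirect parameter is one to open by typing the site address yourself (step 2 above) rather than by clicking.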

Be vigilant! Listen to your intuition. If something doesn't seem right, it probably isn't. When in doubt, reach out to the help link on the website, not in the email.