Exploiting PayPal's Address Change Function: A New Phishing Scheme

Mon 24th Feb, 2025

A new phishing scheme has emerged that takes advantage of PayPal's address change feature to bypass server-side spam filters. This tactic is designed to mislead victims into taking hasty actions by highlighting expensive purchases associated with the purported address change.

Reports from cybersecurity sources indicate that users have been receiving emails claiming to be from PayPal, notifying them that a new address has been added to their accounts. These emails often include a brief message confirming the addition of the new address.

The content of the emails suggests that a costly item, such as a MacBook M4 Max, is being shipped to the new address. If recipients did not authorize this change, the emails instruct them to contact a specified phone number. However, this number is linked to the fraudsters, who attempt to convince the callers that their PayPal account has been compromised. They further mislead victims into downloading specific software that supposedly allows them to regain access to their accounts and cancel the alleged transaction.

Upon contacting the fraudulent number, victims are directed to a website that hosts a ConnectWise ScreenConnect client, which grants the attackers remote access to the victim's computer. Such access typically leads to financial theft, malware installation, or the extraction of sensitive data, as noted by cybersecurity analysts.

The phishing emails appear authentic: they come from an address closely resembling PayPal's official one and pass checks such as DKIM and spam filters, because the notification itself is generated by PayPal for a 'gift address' the scammers created within their own PayPal account. By embedding the scam text into the 'Address 2' field, the fraudsters make the emails closely mimic legitimate communication from PayPal.

To disseminate these emails to a broader audience, the fraudsters have employed another tactic. The email headers indicate that these messages were automatically forwarded from a Microsoft 365 tenant email address. This address likely hosts a mailing list containing the email addresses of potential phishing targets. By using this mailing list, the scammers can send out seemingly authentic phishing emails that circumvent various protective measures.

Experts recommend implementing stricter controls, such as limiting the length of address fields in forms, to prevent the insertion of deceptive text.
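The two defensive checks the article points at, a server-side limit on what an address field may contain and a mail-side triage of the address block in a notification, can be implemented with the same heuristics. The following is an added example (not PayPal's code and not from the original article); the field names, the 60-character limit, the keyword list and the sample notification are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed limit: real postal lines are well under this, and the scam text
# described in the article only works because the field accepts far more.
MAX_ADDRESS_LINE = 60

# Heuristics, not a vendor rule set: a street address line should never
# carry a phone number, a URL, or instructions telling the reader to act.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
INSTRUCTION_RE = re.compile(
    r"(?i)\b(call|contact|dial|phone|unauthori[sz]ed|cancel|refund|purchase|order)\b"
)


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def looks_like_phone(text: str) -> bool:
    # Require at least 10 digits inside the candidate so that address
    # ranges such as "3400-3410" are not mistaken for a phone number.
    return any(sum(ch.isdigit() for ch in m.group()) >= 10
               for m in PHONE_RE.finditer(text))


def check_address_line(value: str, max_len: int = MAX_ADDRESS_LINE) -> Verdict:
    """Server-side validation of one address line (Address 1 / Address 2)."""
    reasons = []
    text = value.strip()
    if len(text) > max_len:
        reasons.append(f"length {len(text)} exceeds {max_len}")
    if "\n" in value or "\r" in value:
        reasons.append("contains line breaks")
    if looks_like_phone(text):
        reasons.append("contains phone number")
    if URL_RE.search(text):
        reasons.append("contains URL")
    if INSTRUCTION_RE.search(text):
        reasons.append("contains instruction or urgency wording")
    return Verdict(accepted=not reasons, reasons=reasons)


# Mail-side triage: the same checks applied to the address block of an
# incoming "new address added" notification, so a gateway or analyst tool
# can flag a message whose address fields read like instructions.
ADDRESS_FIELD_RE = re.compile(r"^(Address \d):\s*(.*)$", re.MULTILINE)


def triage_notification(body: str) -> dict:
    """Return {field name: reasons} for every address field that fails the checks."""
    flagged = {}
    for name, value in ADDRESS_FIELD_RE.findall(body):
        verdict = check_address_line(value)
        if not verdict.accepted:
            flagged[name] = verdict.reasons
    return flagged


# Constructed sample notification (not a real PayPal message); the phone
# number is a reserved fictional 555 number.
SAMPLE_NOTIFICATION = """\
You added a new address.
Address 1: 100 Example Lane
Address 2: MacBook M4 Max order shipping here. Not you? Call +1 555 010 0199
City: Springfield
"""

if __name__ == "__main__":
    for name, reasons in triage_notification(SAMPLE_NOTIFICATION).items():
        print(f"{name}: {', '.join(reasons)}")
```

On the form side, `check_address_line` rejects the submission outright; on the mail side, `triage_notification` should only raise a flag for review, since an honest address occasionally contains a word such as "order" and the goal is to surface suspicious notifications rather than to silently drop them.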

Phishing remains one of the most significant online threats. In response, Google has recently introduced new AI-driven features in its Chrome browser to enhance user security while navigating the web.
