Application security, Threat Management, Incident Response, Network Security, TDR, Threat Management

Paypal users targeted in new angler phishing scam, Proofpoint report

Paypal users are being lured into clicking on a malicious link embedded in a tweet that appears to come from the financial transaction service, according to a report from Proofpoint.

Messages are arriving from two different fraudulent social media customer service accounts in a phishing attack technique dubbed angler phishing, based on the predation characteristic of the anglerfish, which uses a fleshy protruberance on its head to lure in prey.

"In an angler phishing attack, a fake customer-support account promises to help customers, but instead attempts to steal credentials," Proofpoint explained.

The strategy has been used since at least early 2016 targeting several industries, but the majority have focused on customer support accounts for financial services brands, Proofpoint reported.

In this latest campaign, researchers at Proofpoint detected an angler phish attack targeting PayPal users from two fake PayPal Twitter accounts. The tweet encourages recipients to click over to the actual PayPal Twitter account, @PayPal, for assistance in an urgent matter. However, the fraudsters are monitoring the replies on the official PayPal Twitter page in order to sweep up replies to exploit for their attacks.

In addition, when victims receive a reply from the phony PayPal Twitter accounts, they're fooled again as the reply has the PayPal logo emboldened as an account image, and the handle seems official, except it amends the word “Ask” at the beginning of the handle.

Targets are lured into entering their PayPal credentials into the seemingly legitimate, but fake page. The bad actors are thus provided with the personal information they need to gain access to accounts and transfer out funds held there.

​“This type of attack is similar to phishing emails that are often purportedly sent by email carriers such as [online marketing firm] Yodle to customers who are using their email service," Shirley Inscoe, a senior analyst at Aite Group, told SCMagazine in an email on Wednesday. "A consumer receives an email which looks legitimate and appears to be from Yodle, stating they have violated the terms of their email account, and it will be shut down in a number of days. If the consumer feels there is an error, they can click on the link in the email to appeal suspension of their email privileges. Of course, clicking on the link helps the fraudsters gain access to their email credentials and other information they can use to impersonate the consumer."

These types of phishing attacks are gaining in frequency as fraudsters attempt to gain access to consumers' email credentials, Inscoe told SC. "Many consumers use the same online credentials for all online activity, so the credentials themselves are valuable," she said. "This type of scam will continue to grow in popularity so fraudsters can use their email accounts to contact other individuals in the consumer's email network and to communicate with companies they deal with regularly.” 

Proofpoint reported that PayPal is aware of this scam and is working with Twitter to resolve it.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.