Phishing attacks often start with an email or text message that links to a malicious web site designed to steal sensitive information. However, some instead direct recipients to call a phone number. Despite claiming to belong to a legitimate organization, these fake phone numbers are controlled by the criminal. Through persuasive social engineering tactics, callers can be tricked into sending money, disclosing sensitive information, or giving access to online accounts and devices.
This blog post looks at a recent attack that uses PayPal’s own invoicing service to conduct such a phone-based phishing scam.
Phishing attacks lurking within legitimate correspondence from familiar brands can be hard to spot. For example, Netcraft investigated the following email, sent with a from address of service@paypal.com:
Calling the phone number (redacted in the above screenshot) confirms the impersonation. The criminal answering the call starts by introducing themselves as a PayPal employee from the billing or cancellation department. They ask the victim to confirm the invoice number, a common tactic designed to create the impression that this is a legitimate interaction, and then progress the scam from there. This could involve:
- trying to gain remote access to the victim’s device, by asking the victim to install a remote desktop application like AnyDesk or TeamViewer
- installing malware (malicious software) on the victim’s device
- tricking the victim into transferring money into a bank account controlled by the criminal
All the while, the criminal collects personal information about the victim that could be used for future attacks or sold to other criminals on the dark web.
In this case, the phone number was suspended within hours of Netcraft alerting the phone company to
[…]