Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

PayPal cryptocurrency purchase scam

September 20th 2022 in safety and privacy on the Internet

Hi everybody,

I know that I have not written anything for a very, very long time. Life gets busy, other people take up the mantle and write about your most common themes, and things change and move on. It felt like I was writing the same stuff as too many other people.

Anyway, I came across a scam email today which is interesting enough to highlight. Why? Because it is a genuine PayPal email, sent from PayPal's own mail servers, it was flagged as “from a trusted sender” by Outlook.com, and it is still a scam. Read on and learn…

Here is the text of the message received:

Subject: Estimate from Crypto Currency +1 (888) 328-4524 (0003)
From: service@paypal.com

Message body:
Hello, [deleted]@gmail. com <– This email address does NOT match the recipient email address.
Here's your estimate

Crypto Currency +1 (888) 328-4524 sent you an estimate for $403.00 USD.

[View Your Estimate button linked to legit PayPal URL]

Seller note to customer

Congratulations! On your Purchase of a Crypto Currency using PayPal amount given in the invoice for Any Disputes or to Stop the Payment call us immediately at +1 (888) 328-4524 [Bolding is my emphasis].

This is a worry. First, because outlook.com flags the email as from a “trusted sender”. Second, because it is actually a legitimate email from PayPal (sent via mx1.phx.paypal.com (66.211.170.87)), so the sender checks a mail provider relies on (SPF, DKIM, DMARC) all pass. The scammer has simply used PayPal's own estimate feature: PayPal generates and sends the message, and the only parts the scammer controls are the “seller” name, the amount and the seller note, which is where the phone number lives.

The only indicators that something is wrong, apart from the fact that no estimate had been requested and the person involved doesn't buy crypto anyway, are the addressee in the “Hello” line (it is not the mailbox the message was delivered to) and the complaints about the phone number reported on:
https://800notes.com/Phone.aspx/1-888-328-4524
https://whocallsme.com/Phone-Number.aspx/8883284524
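Because sender authentication cannot catch this one, the useful checks are on the content: does the salutation name the mailbox the message actually arrived in, is there a phone number in the subject or seller note, and does the note pressure the reader to call it. The script below is an added example, not code from the original post: it runs those checks over a constructed message modelled on the estimate quoted above. The recipient address, the Received line and the Authentication-Results header are assumptions about what such a message looks like, not captured headers.

```python
"""Content checks for a PayPal estimate that passes SPF, DKIM and DMARC.

Added example, not code from the original post. The sample message is
constructed to mirror the estimate described in the post; its header values
(Authentication-Results, Received, the recipient address) are assumptions,
not captured data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a genuine-looking estimate whose salutation names a
# different mailbox than the one that received it. Headers are assumed.
SAMPLE_EML = """\
Authentication-Results: spf=pass (sender IP is 66.211.170.87) smtp.mailfrom=paypal.com;
 dkim=pass header.d=paypal.com; dmarc=pass action=none header.from=paypal.com
Received: from mx1.phx.paypal.com (66.211.170.87) by mx.example.net
From: "service@paypal.com" <service@paypal.com>
To: recipient@example.net
Subject: Estimate from Crypto Currency +1 (888) 328-4524 (0003)
Content-Type: text/plain; charset=utf-8

Hello, someone.else@gmail.com
Here's your estimate

Crypto Currency +1 (888) 328-4524 sent you an estimate for $403.00 USD.

Seller note to customer

Congratulations! On your Purchase of a Crypto Currency using PayPal amount
given in the invoice for Any Disputes or to Stop the Payment call us
immediately at +1 (888) 328-4524
"""

PHONE_RE = re.compile(r"\+?1?\s*\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Wording that pushes the reader to phone the "seller" instead of using
# PayPal's own dispute flow.
PRESSURE_RE = re.compile(r"call us|immediately|stop the payment|dispute", re.I)


def authentication_passes(msg) -> bool:
    """True when Authentication-Results reports spf, dkim and dmarc all passing."""
    results = msg.get("Authentication-Results", "")
    return all(re.search(rf"\b{mech}=pass\b", results, re.I)
               for mech in ("spf", "dkim", "dmarc"))


def salutation_address(body: str):
    """Address named in the first 'Hello, ...' line of the body, lower-cased, or None."""
    for line in body.splitlines():
        if line.strip().lower().startswith("hello"):
            match = EMAIL_RE.search(line)
            return match.group(0).lower() if match else None
    return None


def phone_numbers(text: str):
    """Distinct North American numbers in the text, reduced to their ten digits."""
    numbers = set()
    for raw in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", raw)
        numbers.add(digits[-10:])
    return sorted(numbers)


def analyse(raw_message: str) -> dict:
    """Run the content checks independently of whether the sender authenticated."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    greeting = salutation_address(body)
    phones = phone_numbers(msg.get("Subject", "") + "\n" + body)
    findings = []
    if greeting and greeting != recipient:
        findings.append(f"salutation names {greeting} but message was delivered to {recipient}")
    if phones:
        findings.append("phone number embedded in subject/seller note: " + ", ".join(phones))
    if PRESSURE_RE.search(body):
        findings.append("seller note urges the reader to phone the seller to 'stop' a payment")
    return {
        "auth_pass": authentication_passes(msg),
        "phones": phones,
        "findings": findings,
        "verdict": "suspicious" if findings else "no content indicators",
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EML)
    print("authentication passes:", report["auth_pass"])
    for finding in report["findings"]:
        print(" -", finding)
    print("verdict:", report["verdict"])
```

On the sample the authentication check passes, exactly as it did for the real message, while all three content checks fire. A genuine estimate addressed to the right mailbox would clear the salutation check but still trip the phone-number and pressure checks, which is the point: a legitimate seller has no reason to put a phone number and “call us immediately” in a PayPal estimate.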

My advice:

* review all emails carefully, even if your email service provider displays a pretty “trusted sender” banner.
* when you get an invoice from a business that you are currently dealing with, phone them on a number you already hold (not one printed in the invoice or email) to confirm the payment details are correct, in case they have been hacked. A regularly seen trick is for the bad guys to compromise a legitimate business's email and trick its customers into paying invoices into a scammer's account instead of the business's real bank account.
* Never respond to unsolicited or unexpected emails. Don't even click on “View Your Estimate” in legit PayPal emails like the one quoted above, just to see what happens. You'll prove that your email address is active, that you're potentially gullible, and you'll become more than just a random target grabbed from some mailing list somewhere. Show them that you're on to them via a snarky response or message and you'll be seen as a challenge.
* If in doubt, throw it out.

My question: why is there a mismatch between the recipient email address and the email address in the first line of the message body? It's the most obvious clue that something is wrong.

