PayPal malware social engineering

I instantly got very suspicious when I received this from PayPal today:

Hello [my name here],

Colin Neal would like to be paid through PayPal.

Note from Colin Neal: Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.

Details

Request Date: November 29, 2016
Requested Amount: $200.00 USD
Your Email Address: [my PayPal email address]

Click the button below to send Colin Neal your payment and see the details of this money request.

[ Pay now! ]

Of course I did not click on the “Pay Now!” button, but looking at the email header, the mail was actually sent via PayPal’s mail servers!

I logged into PayPal from scratch on another machine by typing in the PayPal domain name and verified that there was indeed a money request for $200 in my PayPal account. However, it came from a random looking Gmail address, “pvbkrngkjqo@gmail.com” and not the address I was told to contact. Even more suspicious than the first email!

So I fired off an email from another mail account (not my PayPal mail account) to “kcsystems1@gmail.com” and explained that I had not received any funds and that this must be a scam. But as suggested in the initial message, they then sent me a link to an “invoice”:

Good afternoon. This is a copy of invoice.
https://paypal.com/user/files/paypalInvoice_000092419298377.doc

Looking forward your reply. Thanks.

Looking at the actual target of the link, it pointed at a completely different location:

http://myotaku.com.my/system/helper/json/paypalInvoice_000092419298377.doc

When I downloaded it using a secure tool and submitted it to VirusTotal.com, six of the tools consulted detected it as malware:

AVware LooksLike.Macro.Malware.k (v) 20161130
Avast VBA:Downloader-DSH [Trj] 20161130
Fortinet WM/Agent.CBW!tr 20161130
Qihoo-360 virus.office.gen.85 20161130
Symantec W97M.Downloader 20161130
VIPRE LooksLike.Macro.Malware.k (v) 20161130

This scam uses a clever bit of social engineering. The original email comes from a real PayPal server, a trusted source and it doesn’t include any malicious links or attachments.

By getting you to initiate contact with the malware scammer, the subsequent reply with its malicious link will arrive from an email address that you have previously contacted, which will subject that email to less severe filtering. This makes it more likely the malicious link goes through.

Always be alert to how scammers set up mail exchanges where malware will only arrive after several steps specifically designed to defeat filtering. For example, they may contact you first to ask for a quote and then email you what is supposed to be an order, but is really malware.

17 thoughts on “PayPal malware social engineering

  1. Received one of these today and was also suspicious as the email address used is not actually associated to Paypal!

  2. I received this as well from Caleb Ferguson. I logged into my PayPal and canceled the pending transaction but I didn’t contact them. PayPal does that themselves and I too noticed the discrepancies in the email addresses. Just to be safe I also changed my
    Password.

  3. Thank you for this! I have the same message in my email but nothing in my paypal account….can I just leave it alone?

  4. I also received the same email. The strange thing is, I do not have a paypal account. I did at one time with the email they emailed to. I can not even log in to see if the funds are there. I deleted the email. Anything else I should do?

  5. I also received the same email. The strange thing is, I do not have a paypal account. I did at one time with the email they emailed to. I can not even log in to see if the funds are there. I deleted the email. Anything else I should do?

  6. I got this exact same message from an Alexander Parson this morning and assumed it was BS. Glad to see I was right. Thank you for posting this!

  7. I received the same thing this morning from someone named John Parson. When I saw that the e-mail address keyed into the body of the e-mail address was keyed as such: kcsystems1@gmail,com (notice it has a a comma instead of a period after gmail!) and that the information keyed into the actual Pay Pal transaction as follows:
    Request received from
    John Parson
    seqoidqvnw@gmail.com

    Transaction ID
    U-9A585543MD7160816

    was completely different, I logged into PayPal securely and saw that it was an actual transaction requesting payment. I cancelled it through my PayPal account and am warning my family about this scam! Thanks for listing this here!

  8. Got this ~3 hours ago via PayPal today as well. Your post was the first Google result for “kcsystems1”.

    Antonio Warren
    uuvsdmkhgal@gmail.com

    “Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.”

    Related: https://www.paypal-community.com/t5/About-Protections/Is-this-a-scam-or-what/m-p/1136651

  9. I just received this message as well. Thank you for posting this so I could verify it was a scam before clicking on anything 🙂

  10. I recived same massage today. I think PayPal should do something with such kind of froud.

  11. I got one today, too. I put in the email address and found your blog post !
    I called PayPal and they gave me the correct review email address to send the original email to to check. Passing along to all my family and friends:

    Request received from
    Aidan Gilson
    ondwqanskr@gmail.com
    Transaction ID
    U-2P296856S03152937
    Note to Aidan Gilson
    Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.
    Details
    Money request amount$200.00
    Total$200.00

  12. Same here but the dumb ass sent it to an email I don’t have a paypal linked too, so I knew it was a scam,

  13. Just wanted to stop in and thank you for posting this, and all the detective work you did on it. I was also targeted by this scam, and now feel very safe cancelling the request and going on about my life.

Leave a Reply

Your email address will not be published. Required fields are marked *