I instantly got very suspicious when I received this from PayPal today:
Hello [my name here],
Colin Neal would like to be paid through PayPal.
Note from Colin Neal: Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.
Request Date: November 29, 2016
Requested Amount: $200.00 USD
Your Email Address: [my PayPal email address]
Click the button below to send Colin Neal your payment and see the details of this money request.
[ Pay now! ]
Of course I did not click on the “Pay Now!” button, but looking at the email header, the mail was actually sent via PayPal’s mail servers!
I logged into PayPal from scratch on another machine by typing in the PayPal domain name and verified that there was indeed a money request for $200 in my PayPal account. However, it came from a random looking Gmail address, “firstname.lastname@example.org” and not the address I was told to contact. Even more suspicious than the first email!
So I fired off an email from another mail account (not my PayPal mail account) to “email@example.com” and explained that I had not received any funds and that this must be a scam. But as suggested in the initial message, they then sent me a link to an “invoice”:
Good afternoon. This is a copy of invoice.
Looking forward your reply. Thanks.
Looking at the actual target of the link, it pointed at a completely different location:
When I downloaded it using a secure tool and submitted it to VirusTotal.com, six of the tools consulted detected it as malware:
AVware LooksLike.Macro.Malware.k (v) 20161130
Avast VBA:Downloader-DSH [Trj] 20161130
Fortinet WM/Agent.CBW!tr 20161130
Qihoo-360 virus.office.gen.85 20161130
Symantec W97M.Downloader 20161130
VIPRE LooksLike.Macro.Malware.k (v) 20161130
This scam uses a clever bit of social engineering. The original email comes from a real PayPal server, a trusted source and it doesn’t include any malicious links or attachments.
By getting you to initiate contact with the malware scammer, the subsequent reply with its malicious link will arrive from an email address that you have previously contacted, which will subject that email to less severe filtering. This makes it more likely the malicious link goes through.
Always be alert to how scammers set up mail exchanges where malware will only arrive after several steps specifically designed to defeat filtering. For example, they may contact you first to ask for a quote and then email you what is supposed to be an order, but is really malware.