It seems like all your accounts are under attack right now, which isn't surprising as we fast approach the seasonal holidays. Google, Microsoft, Apple, Amazon and now PayPal users are firmly in the hacking spotlight. The critical warning here is that just because an email arrives from PayPal, that doesn't mean it isn't an attack. Indeed, the PayPal billing subscriptions feature is being abused by hackers to steal your account credentials, money, and control of your smartphone or computer. Here's what you need to know.
Cybercriminals are many things, most of which I cannot repeat here for fear of offending people with my profanity, but stupid isn't generally one of them. Which is why you must secure all your accounts now, use a passkey if possible and ensure you have a strong password that isn't used anywhere else if you cannot. But even that might not be enough, as this latest PayPal user attack has demonstrated. These criminal hackers like to aim high when going low, attacking brands with the biggest user base and thus the greatest chance of tricking the most victims due to sheer volume. PayPal is no stranger to such attacks, and I have reported on many over the course of the year, including the Do Not Pay and the 48 Hours attacks. The common denominator is that they involve tricking the victim into clicking a link, making a phone call or some other nefarious action.
The latest attack methodology, as reported by Bleeping Computer, involves another old scammer favorite, if that's the appropriate phrase: legitimate emails from a vendor or service that deliver a malicious message.
Bleeping Computer was able to precisely identify how the hack operates. It exploited the billing feature that allows sellers to create subscription checkout options. Because PayPal automatically emails a subscriber when a seller pauses a subscription, the scammers took advantage of this by directing the emails to a fake subscriber account, which is actually a mailing list, and then forwarding the messages to all other group members.
"It appears the scammers are either exploiting a flaw in PayPal's handling of subscription metadata or using a method, such as an API or legacy platform not available in all regions, that allows invalid text to be stored in the Customer service URL field," Lawrence Abrams, editor-in-chief at Bleeping Computer, said.
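The mechanism described above, as an added defender-side example that is not from the article, Bleeping Computer or PayPal: a triage routine that treats sender authentication and message content as separate questions, flagging contact details in a free-text notification field that point outside the vendor's own domain. The sample message, the trusted-domain list and the rule that any phone number in such a field is suspect are assumptions.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample (not a real PayPal message): the notification passes DKIM
# for the vendor domain, yet its free-text field carries attacker contact details.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example; dkim=pass header.d=paypal.com
From: service@paypal.com
Subject: Your subscription has been paused

Your subscription to Example Seller has been paused.
Customer service URL: Call 1-800-555-0199 now or visit http://paypal-help-desk.example.net/restore
"""

TRUSTED_DOMAINS = {"paypal.com"}  # assumed allow-list for the vendor's own links

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")

def dkim_signer(msg):
    """Return the d= domain of a passing DKIM result, or None."""
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth)
    return m.group(1).lower() if m else None

def domain_is_trusted(host, trusted):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def find_injected_contacts(body, trusted):
    # URLs outside the vendor domain and any phone number are reported,
    # since a genuine notification needs neither in a free-text field.
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not domain_is_trusted(host, trusted):
            findings.append(("url", url))
    findings.extend(("phone", p) for p in PHONE_RE.findall(body))
    return findings

def triage(raw, trusted=TRUSTED_DOMAINS):
    """Authentication tells you who sent it; the findings tell you what it carries."""
    msg = email.message_from_string(raw)
    findings = find_injected_contacts(msg.get_payload(), trusted)
    return {"dkim_domain": dkim_signer(msg),
            "findings": findings,
            "verdict": "suspicious" if findings else "clean"}
```

A message can come back with `dkim_domain` equal to the vendor and still be `suspicious`, which is exactly the case the article warns about.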
I have reached out to PayPal for a statement, but a spokesperson told Abrams that it was "actively mitigating this matter," and encouraged users to be vigilant online and mindful of unexpected messages. "If customers suspect they are a target of a scam," the PayPal spokesperson said, "we recommend they contact Customer Support directly through the PayPal app or our Contact page for assistance."