[ale] I'm sure it's a phishing attack, but can't see why?

Jerald Sheets jerald.sheets at gmail.com
Mon Mar 17 08:30:20 EDT 2025


This is the correct answer.

Lemme open the PayPal Kimono for a minute.

There are three teams that watch this stuff (and exploit this stuff): Red/Blue/Purple teams, plus there are 3 SOCs: one in San Jose, one in Scottsdale, and one in Reno.  The inbound and attempts at passthrough for fraudulent purposes run between 20 and 40 million attempts daily.

When I was working in Infosec up there, the main thing we had to tell customers is this: if YOU didn’t go to PayPal.com yourself, log into your account yourself, and then execute an action yourself, then consider it fraudulent.

Some things you can do to help:  Send a copy to abuse at paypal.com.  This actually gets slurped up into a Redis cluster, gets massaged by URL processing gear, and added to the threat intelligence.  The more you send, the less likely anyone else will be to fall to it because it gets “worked” by red team.  They actually infiltrate on the dark web to buy fraudulent PayPal account lists, and then invalidate them all.  Once the offensive posture was taken by Scottsdale, fraud of this type declined by well over 60%.  If you’re still getting these sorts of things, there may be a new component to the URL, or there may be something that helps them hop the current filters.  Simply report them and don’t do anything at PayPal you personally didn’t login to do.  Just ignore emails entirely, or let one of these emails be the impetus for you to connect to your account independently, and see if your inbox has anything for you.


Jerald Sheets
questy at gmail.com



> On Mar 13, 2025, at 2:16 PM, Phil Turmel via Ale <ale at ale.org> wrote:
> 
> Multi-step attack leveraging throw-away PayPal accounts.
> 
> Step 1: Pretend to be a merchant to get PayPal to send you an invoice for something you presumably ordered.
> 
> Step 1a: You ignore the bogus invoice.
> 
> Step 2: Pretend to be a merchant and file a non-payment complaint for the ignored invoice claiming to have delivered some bogus product.
> 
> ( I get one or two bogus invoices a week.  I use PayPal for certain transactions to *receive* money, but very little sending of money. PayPal's machine learning algorithms seem to be killing off the 2nd step in my cases. )
> 
> On 3/13/25 13:28, dj-Pfulio via Ale wrote:
>> Always check the message header to see where the email originated.
>> On March 13, 2025 12:08:50 PM EDT, Neal Rhodes via Ale <ale at ale.org> wrote:
>>> I got yet another email about an alleged PayPal dispute.  Which I deleted.
>>> 
>>> But normally I do just hover over the hyperlinks to confirm they are bogus.
>>> 
>>> And the last couple of these, I just can't see where it goes off the rails.  It just looks ok to me.
>>> 
>>> https://www.paypal.com/us/resolutioncenter/PP-R-YSJ-566648816?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000299&utm_unptid=93f1518f-001e-11f0-b526-c57aab365dc0&ppid=RT000299&cnac=US&rsta=en_US%28en-US%29&unptid=93f1518f-001e-11f0-b526-c57aab365dc0&calc=f695230a25ca0&unp_tpcid=Disputes-PPC001688&page=main%3Aemail%3ART000299&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.314.0&tenant_name=PAYPAL&xt=145585%2C150948%2C104038&link_ref=resolutioncenter_pp-r-ysj-566648816
>>> 
>>> What am I missing?
>>> 
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo



Jerald Sheets
questy at gmail.com
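As an added example (not code from this thread, from the ALE list, or from PayPal), the following Python applies the two checks the thread mentions, reading the headers to see where a message actually originated and looking at where its links actually point, to two constructed sample messages. Every address, host name and IP address in the samples is a placeholder; the `origin_report`, `link_hosts` and `_same_org` names are mine.

```python
"""Added example, not from the ALE thread or from PayPal: header-origin and
link-target checks over constructed sample messages. All hosts, addresses
and IPs below are placeholders (RFC 2606 / RFC 5737 ranges where possible)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Gathers the href of every <a> tag in an HTML body (the real target,
    not the visible link text a user sees)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def _domain(addr):
    """Domain part of a mailbox: '"PayPal" <a@b.example>' -> 'b.example'."""
    mailbox = parseaddr(str(addr))[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def _same_org(host, domain):
    """True if host is the domain or a subdomain of it. Suffix match only,
    so 'paypal.com.login.example.net' does NOT count as 'paypal.com'."""
    return host == domain or host.endswith("." + domain)


def link_hosts(html):
    """Hostnames the body's links really resolve to."""
    p = _LinkCollector()
    p.feed(html)
    return {urlsplit(h).hostname.lower() for h in p.hrefs if urlsplit(h).hostname}


def origin_report(raw):
    """What the headers and links say about where a message came from."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = _domain(msg["From"] or "")
    rp_dom = _domain(msg["Return-Path"] or "")
    received = msg.get_all("Received") or []
    # Each relay prepends its own Received line, so the LAST one is the
    # first hop: the server that originally injected the message.
    first_hop = str(received[-1]).strip() if received else "(no Received headers)"
    auth = str(msg["Authentication-Results"] or "")
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    dkim = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_dom = dkim.group(1).lower() if dkim else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    hosts = link_hosts(body.get_content()) if body else set()

    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if dkim_dom and not _same_org(dkim_dom, from_dom):
        findings.append(f"DKIM signer is {dkim_dom}, not {from_dom}")
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check} result: {results.get(check, 'absent')}")
    foreign = sorted(h for h in hosts if not _same_org(h, from_dom))
    if foreign:
        findings.append(f"links point outside {from_dom}: {', '.join(foreign)}")
    return {"from_domain": from_dom, "first_hop": first_hop,
            "auth": results, "link_hosts": sorted(hosts), "findings": findings}


# Constructed sample 1: a classic spoof. The display name says PayPal, but the
# envelope sender, the DKIM signer and the link target all belong elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.7]) by mx.example.org with ESMTP; Thu, 13 Mar 2025 12:01:00 -0400
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net; dmarc=fail header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Action required on your dispute
Content-Type: text/html; charset=utf-8

<p>Respond at <a href="https://paypal.com.login.example.net/resolve">www.paypal.com/resolutioncenter</a></p>
"""

# Constructed sample 2: the pattern Phil describes. Headers and links are
# genuine because the platform itself sent the mail; the fraud is in the
# invoice/dispute behind it, which no header or link check can see.
PLATFORM_SENT = """\
Return-Path: <bounces@paypal.com>
Received: from outbound.paypal.com (outbound.paypal.com [203.0.113.9]) by mx.example.org with ESMTP; Thu, 13 Mar 2025 12:08:00 -0400
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Dispute PP-R-XXX-000000000 opened
Content-Type: text/html; charset=utf-8

<p>Review it at <a href="https://www.paypal.com/us/resolutioncenter/PP-R-XXX-000000000">the Resolution Center</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("platform-sent", PLATFORM_SENT)):
        r = origin_report(raw)
        print(name, "->", r["findings"] or ["no header/link anomalies; verify by logging in directly"])
```

The first sample trips every check; the second trips none, which is exactly why the thread's advice is to treat the email only as a prompt to log in to the account on your own and look at what is actually there.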


