[ale] I'm sure it's a phishing attack, but can't see why?

Jim Kinney jim.kinney at gmail.com
Thu Mar 20 21:05:35 EDT 2025 

Nice!!  Glad to hear they do active red/blue team work.

-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


*http://heretothereideas.blogspot.com/
<http://heretothereideas.blogspot.com/>*

On Thu, Mar 20, 2025, 8:25 PM Jerald Sheets via Ale <ale at ale.org> wrote:

> This is the correct answer.
>
> Lemme open the PayPal Kimono for a minute.
>
> There are three teams that watch this stuff (and exploit this stuff)
>  Red/Blue/Purple teams PLUS there are 3 SOCs.  One in San Jose, One in
> Scottsdale, and one in Reno.  The inbound and attempts at passthrough for
> fraudulent purposes runs between 20 and 40 million attempts daily.
>
> When I was workin gin Infosec up there, the main thing we had to tell
> customers is this…. If YOU didn’t go to PayPal.com yourself, logged into
> your account yourself, and then executed an action yourself, then consider
> it fraudulent.
>
> Some things you can do to help:  Send a copy to abuse at paypal.com.  This
> actually gets slurped up into a Redis cluster, gets massaged by URL
> processing gear, and added to the threat intelligence.  The more you send,
> the less likely anyone else will be to fall to it because it gets “worked”
> by red team.  They actually infiltrate on the dark web to buy fraudulent
> PayPal account lists, and then invalidate them all.  Once the offensive
> posture was taken by Scottsdale, fraud of this type declined by well over
> 60%.  If you’re still getting these sorts of things, there may be a new
> component to the URL, or there may be something that helps them hop the
> current filters.  Simply report them and don’t do anything at PayPal you
> personally didn’t login to do.  Just ignore emails entirely, or let one of
> these emails be the impetus for you to connect to your account
> independently, and see if your inbox has anything for you.
>
>
> Jerald Sheets
> questy at gmail.com
>
>
>
> On Mar 13, 2025, at 2:16 PM, Phil Turmel via Ale <ale at ale.org> wrote:
>
> Multi-step attack leveraging throw-away PayPal accounts.
>
> Step 1: Pretend to be a merchant to get PayPal to send you an invoice for
> something you presumably ordered.
>
> Step 1a: You ignore the bogus invoice.
>
> Step 2: Pretend to be a merchant and file a non-payment complaint for the
> ignored invoice claiming to have delivered some bogus product.
>
> ( I get one or two bogus invoices a week.  I use PayPal for certain
> transactions to *receive* money, but very little sending of money. PayPal's
> machine learning algorithms seem to be killing off the 2nd step in my
> cases. )
>
> On 3/13/25 13:28, dj-Pfulio via Ale wrote:
>
> Always check the message header to see where the email originated.
> On March 13, 2025 12:08:50 PM EDT, Neal Rhodes via Ale <ale at ale.org>
> wrote:
>
> I got yet another email about an alleged paypal dispute.    Which I
> deleted.
>
> But normally I do just hover over the hyperlinks to confirm they are bogus.
>
> And the last couple of these, I just can't see where it goes off the
> rails.   It just looks ok to me.
>
>
> https://www.paypal.com/us/resolutioncenter/PP-R-YSJ-566648816?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000299&utm_unptid=93f1518f-001e-11f0-b526-c57aab365dc0&ppid=RT000299&cnac=US&rsta=en_US%28en-US%29&unptid=93f1518f-001e-11f0-b526-c57aab365dc0&calc=f695230a25ca0&unp_tpcid=Disputes-PPC001688&page=main%3Aemail%3ART000299&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.314.0&tenant_name=PAYPAL&xt=145585%2C150948%2C104038&link_ref=resolutioncenter_pp-r-ysj-566648816
> [1]
>
> What am I missing?
>
> Links:
> ------
> [1]
> https://www.paypal.com/us/resolutioncenter/PP-R-YSJ-566648816?v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000299&utm_unptid=93f1518f-001e-11f0-b526-c57aab365dc0&ppid=RT000299&cnac=US&rsta=en_US%28en-US%29&unptid=93f1518f-001e-11f0-b526-c57aab365dc0&calc=f695230a25ca0&unp_tpcid=Disputes-PPC001688&page=main%3Aemail%3ART000299&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.314.0&tenant_name=PAYPAL&xt=145585%2C150948%2C104038&link_ref=resolutioncenter_pp-r-ysj-566648816
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
>
>
> Jerald Sheets
> questy at gmail.com
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.ale.org/pipermail/ale/attachments/20250320/fefa7f7c/attachment.htm>

More information about the Ale mailing list