Hector Martin

marcan_at_social.treehouse.systems@momostr.pink
npub1qk9x...azpx
If it ain't broke, I'll fix it! · he/him
I'm porting Linux to Apple Silicon Macs at Asahi Linux.
GitHub Sponsors: http://github.com/sponsors/marcan
Patreon: http://patreon.com/marcan
Asahi Linux: https://asahilinux.org
Heh, just got an interesting scam email. It's a payment request from paypal.com for something random that has nothing to do with me. It's a legitimate email, the body links all go to the right place, the sender is service@paypal.com. It passed all DKIM checks and antispam checks.

The trick? It's not addressed to me. They got PayPal to send a legitimate payment request to a special address which then forwarded the email to me, through Outlook/Microsoft servers before reaching mine (so they have good reputation too).

When you click the payment link, you get a legitimate PayPal login and payment request with this little tagline:

> We'll link fake@address.com to your PayPal account when you log in.

So not only do they not check that the email that the request was sent to is the actual account owner, they will "helpfully" link it in and consider this action as equivalent to an email address ownership confirmation!

What are the implications of this? Who knows! Maybe it means they could issue password resets via that address then? Scary, though I guess not unsurprising security fail from PayPal.
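The signal the post describes is one a mail filter can check mechanically: a message that authenticates cleanly (DKIM pass on the brand's domain) but whose To/Cc headers never name the mailbox it landed in is almost certainly a relayed or forwarded copy, whatever its links and sender look like. The script below is an added illustration of that check, not code from the post or from any provider; the mailbox addresses, header values and both sample messages are constructed for the example, and the Authentication-Results line stands in for whatever your own MTA records.

```python
import email
from email.utils import getaddresses

# Addresses owned by this mailbox (assumed values for the example).
MY_ADDRESSES = {"me@example.org"}


def visible_recipients(msg):
    """Lower-cased addresses from To and Cc, i.e. who the sender actually
    addressed. Delivered-To is stamped by our own MTA and always names us,
    so it carries no signal for this check and is deliberately ignored."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def dkim_passed(msg):
    """True if any Authentication-Results header recorded dkim=pass."""
    results = msg.get_all("Authentication-Results", [])
    return any("dkim=pass" in value.lower() for value in results)


def analyze(raw, my_addresses=MY_ADDRESSES):
    """Classify a raw RFC 5322 message.

    'suspicious' means the message authenticated but was never addressed to
    this mailbox: exactly the relayed-legitimate-mail pattern in the post.
    """
    msg = email.message_from_string(raw)
    mine = {a.lower() for a in my_addresses}
    addressed_to_me = bool(visible_recipients(msg) & mine)
    authenticated = dkim_passed(msg)
    if authenticated and not addressed_to_me:
        verdict = "suspicious"
    elif addressed_to_me:
        verdict = "ok"
    else:
        verdict = "unauthenticated"
    return {
        "authenticated": authenticated,
        "addressed_to_me": addressed_to_me,
        "verdict": verdict,
    }


# Constructed sample: real-looking brand mail that reached us via a forwarder.
SAMPLE_FORWARDED = """\
Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com
Delivered-To: me@example.org
From: service@paypal.com
To: fake@address.com
Subject: Payment request

Please review the request below.
"""

# Constructed sample: the same kind of mail, genuinely addressed to us.
SAMPLE_DIRECT = """\
Authentication-Results: mx.example.org; dkim=pass header.d=paypal.com
Delivered-To: me@example.org
From: service@paypal.com
To: Me <me@example.org>
Subject: Payment request

Please review the request below.
"""

if __name__ == "__main__":
    for name, raw in (("forwarded", SAMPLE_FORWARDED), ("direct", SAMPLE_DIRECT)):
        print(name, analyze(raw))
```

The check only looks at headers the sender controls (To/Cc) plus the authentication result your own server added, so it cannot be defeated by a clean DKIM signature or a reputable relay; a message that trips it deserves a closer look before any link in it is followed, and it applies to any brand that sends transactional mail, not just the one in the post.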