Carding is for Boomers, all hail PayPal-ing me

Phishing, the good old social engineering scheme, has been around for ages, yet people still fall for it.

There are different kinds of phishing schemes, depending on the attacker's motives.

If an attacker is looking for financial gain, he wants to turn the catch into cash as quickly as possible.

One of the popular phishing schemes is to get credit card details; after all, who wouldn't want an unlimited credit card to buy all the shit you don't actually need?

But it is not as easy as it sounds. Stolen credit cards that are actively used get blocked shortly after a shopping spree; in most cases the transaction is canceled and the goods are never delivered, so no money is made this way. Even if the carder manages to get the goods, how many iPhones does one person need? So he tries to sell them for cash, but that gets risky with law enforcement.


Another option is to sell the stolen credit card info and let someone else figure out how to milk the cash out of those cards, but this isn't "big" money:


What if there was a third option: get cash directly from the credit card? That would be sweet, right?

No worries, PayPal.me is here to help!



Thank you PayPal, now "we" don't need to phish for credit cards: no need to set up elaborate kits to fool people, no need to pay for hosting, no need to worry about the URL being marked as malicious.

All you need to do is send a convincing email with a link to your PayPal.me page to a bunch of people, hoping they will fall for your lure and try to send you money. Boom!



Unfortunately for carders, victims must have a PayPal account to send money.

I personally know boomers and technophobes with PayPal, so most likely this scheme does work.

It must even work well for PayPal, as they don't seem to suspend the accounts that steal money this way.


You might think I am a crazy person. I am, but this is irrelevant in this case. Let's see some in-the-wild (ITW) examples and you decide:



This is a nice twist to the classic DHL phishing scheme.

Instead of uploading a phishing kit, the threat actor sends a PayPal.me link. EZ.

This campaign targets Israeli citizens; the text is in Hebrew and the title says "can't pay with credit card".

The body says "our team couldn't bill your credit card, please pay customs tax in 48 hours via PayPal to the customs worker, Ori". BTW, Ori is a popular name in Israel, for both boys and girls.
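The lure described above has a fixed shape: a carrier brand, a customs or credit-card pressure message, and a PayPal.me link as the payment endpoint. The following is an added example for mail-filtering or SOC triage, not code from the original post: it extracts PayPal.me handles from a message and raises a verdict when the carrier branding and the customs pressure wording appear alongside the link. The sample messages, sender domains and handles (`ExampleCustomsOri`, `ExampleCarrierFee`) are constructed for the example; the Hebrew terms mirror the wording the post quotes.

```python
import re

# Constructed sample messages (not from the original post). The first mimics
# the DHL customs lure quoted above, the third an Israel Post variant; the
# second is a benign receipt used as a negative control.
SAMPLE_EMAILS = [
    {
        "subject": "לא ניתן לחייב בכרטיס אשראי",  # "can't pay with credit card"
        "body": ("Our team couldn't bill your credit card. Please pay the customs tax "
                 "within 48 hours via PayPal to the customs worker: "
                 "https://paypal.me/ExampleCustomsOri . יש לשלם מכס תוך 48 שעות"),
        "from": "noreply@dhl-notify.example",
    },
    {
        "subject": "Your invoice",
        "body": "Thanks for your order, the receipt is attached.",
        "from": "billing@shop.example",
    },
    {
        "subject": "Israel Post: parcel on hold",
        "body": "Customs fee required. Pay here: https://www.paypal.com/paypalme/ExampleCarrierFee",
        "from": "post@israelpost-parcel.example",
    },
]

# Both URL shapes a PayPal.me page can take; handles are alphanumeric.
PAYPALME_RE = re.compile(
    r"https?://(?:www\.)?(?:paypal\.me/|paypal\.com/paypalme/)([A-Za-z0-9]+)",
    re.IGNORECASE,
)

# Carrier brands the post shows being impersonated, plus a few common ones.
CARRIER_TERMS = ("dhl", "israel post", "israelpost", "exelot", "aramex", "ups", "fedex")

# Pressure wording in English and Hebrew (customs, package, credit card, payment).
LURE_TERMS = (
    "customs", "duty", "tax", "parcel", "package", "48 hours", "credit card",
    "מכס", "חבילה", "כרטיס אשראי", "תשלום",
)


def _matches(terms: tuple, lowered: str) -> list:
    """Whole-word matches, so 'ups' does not fire on 'groups' or 'setup'."""
    return [t for t in terms
            if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", lowered)]


def extract_paypalme_handles(text: str) -> list:
    """Return the PayPal.me handles found in text, de-duplicated, in order."""
    handles = []
    for handle in PAYPALME_RE.findall(text):
        if handle not in handles:
            handles.append(handle)
    return handles


def score_email(email: dict) -> dict:
    """Classify one message. The PayPal.me link is the required signal;
    carrier branding plus customs/payment pressure wording escalates it."""
    blob = " ".join([email.get("subject", ""), email.get("body", ""), email.get("from", "")])
    lowered = blob.lower()
    handles = extract_paypalme_handles(blob)
    carriers = _matches(CARRIER_TERMS, lowered)
    lures = _matches(LURE_TERMS, lowered)
    if handles and carriers and lures:
        verdict = "likely carrier/customs PayPal.me scam"
    elif handles and (carriers or lures):
        verdict = "suspicious PayPal.me payment request"
    else:
        verdict = "clean"  # a bare PayPal.me link with no lure is ordinary use
    return {"handles": handles, "carriers": carriers, "lures": lures, "verdict": verdict}


def scan(emails: list) -> list:
    """Score a batch; the handles can then be reported to PayPal in one go."""
    return [score_email(e) for e in emails]


if __name__ == "__main__":
    for result in scan(SAMPLE_EMAILS):
        print(result)
```

The handle list is the useful output: it is the same identifier the author reports to PayPal and searches for on urlscan.io, so collecting it per message lets you correlate campaigns that rotate sender domains and images but keep the same PayPal.me account.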

Well, there is an option to report the link to PayPal. Shit, I even tried to contact their fraud unit:


Over two weeks have passed and this account is still active. I don't know how much money the threat actor made, but this is definitely a low-maintenance operation; the ROI should be great from a business perspective.

How about another one?




This is similar to the DHL one; exelot is a carrier service used by Israel Post, though less popular.

At some point the PayPal.me link had an image of exelot, but later the threat actor changed the image to Israel Post and sent out a new mail impersonating the Israeli Post Office:






Looking at urlscan.io, there are hundreds of scans for paypalme, but most of the recent ones are from this phishing campaign:


While looking at the results, I've found another PayPal user associated with this campaign:

https://urlscan.io/result/fd0b388e-6744-43e8-a90b-52cde995aec7/


Once again, the lure is to pay customs fees to a carrier named aramex.

I would have signed off with my own PayPal.me link to accept "donations", but I fear they will start to check those transactions for fraud sooner or later, hopefully sooner :)

Stay safe.


