PayPal and zero dollar invoice spam

I got a rather odd invoice via PayPal the other day, it looks like this:

PayPal spam email in a $0 invoice

Naturally the first thing I did was to look for spoof email indicators, but none of the usual suspects were showing up:

  1. It was from member@paypal.com.au
  2. The mail headers were legit
  3. The “View and Pay Invoice” button linked directly to https://www.paypal.com/
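Those three checks can be automated, and doing so makes the point of this post sharper: they tell you the message really came through PayPal's mail system, not that its content is legitimate. The following is an added example, not code from the original post or from PayPal. It parses a constructed sample message (the headers, body text and the seller-spam.example placeholder domain are made up for the example; the Authentication-Results header is assumed to be the one your own mail server stamps on inbound mail) and reports the three indicators, which all pass here just as they did on the real message.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the post's description: the From
# address, a passing Authentication-Results header and an invoice button
# that really links to paypal.com. Everything in it is made up for the
# example; seller-spam.example stands in for the seller's advertised site.
RAW_MESSAGE = """\
From: "PayPal" <member@paypal.com.au>
To: victim@example.com
Subject: Invoice from Example Seller
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com.au; dkim=pass header.d=paypal.com.au; dmarc=pass header.from=paypal.com.au
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Example Seller sent you an invoice for $0.00 AUD.</p>
<p>Note from seller: visit http://seller-spam.example/ for cheap computers</p>
<a href="https://www.paypal.com/invoice/">View and Pay Invoice</a>
</body></html>
"""

EXPECTED_FROM_DOMAINS = {"paypal.com", "paypal.com.au"}
EXPECTED_LINK_HOSTS = {"www.paypal.com", "paypal.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def parse_auth_results(header_value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value or ""))


def spoof_indicators(raw):
    """Evaluate the three checks from the post; each flag is True when it looks legitimate."""
    msg = message_from_string(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0]
    auth = parse_auth_results(msg["Authentication-Results"])
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    # The "View and Pay Invoice" button is the link whose text mentions the invoice.
    button = [href for href, text in collector.links if "invoice" in text.lower()]
    button_host = urlparse(button[0]).hostname if button else None
    return {
        "from_domain_ok": from_addr.domain.lower() in EXPECTED_FROM_DOMAINS,
        "auth_ok": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "button_links_to_paypal": button_host in EXPECTED_LINK_HOSTS,
        "auth": auth,
    }


if __name__ == "__main__":
    print(spoof_indicators(RAW_MESSAGE))
```

All three flags come back True for the sample, which is exactly the problem: sender domain, authentication and link target only establish that PayPal's platform sent the mail on the seller's behalf. The seller-supplied note in the body is where the spam lives, and none of these checks look at it.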

All of which struck me as quite odd, so I tweeted it out. I suggested that it was spam because that is exactly what it looks like: whoever owns the email address jabooelec@outlook.com is soliciting visits to skrylcomputers.com, and the logo on that page is consistent with the one in the PayPal email. I subsequently had a very awkward to-and-fro via DM with PayPal:

@AskPayPal: Please send us a DM so we can discuss further

@troyhunt: Here is a DM!

@AskPayPal: Can you confirm what email address you received the email from?

@troyhunt: Yes, it came from member@paypal.com.au

@AskPayPal: Do you have an email address for the person invoicing you $0?

@troyhunt: Yes, the one in the screen grab!

@AskPayPal: There is no email address in the screen grab

@troyhunt: Yes there is, here’s a massively zoomed in pic for you

@AskPayPal: I recommend deleting that tweet, it has your personal info

@troyhunt: It has my email address – I get email by sharing it with people who might want to send me email!

They then said something along the lines of never having seen this before and that they'd review it, and that was the last I heard from PayPal. I did have some follow-ups via Twitter, though:

Looks exactly the same! And another response:

So in short, without any feedback from PayPal or other evidence to the contrary, it looks like they’re serving as the delivery mechanism for spam which, of course, won’t be flagged as spam because it’s a “legitimate” email from them. The message in the “invoice” is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system.

I assume that there's either no cost to the sender for a $0 invoice or it's low enough to justify the upside of the spam. This is one they certainly should get on top of, though, and allow me to make a suggestion: the same account sending out volumes of $0 invoices is probably something that should raise a red flag!


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals