6 comments

[ 2.9 ms ] story [ 19.2 ms ] thread
Looks like people are receiving emails from a valid PayPal cert.
cert? that's an email. It's quite easy to change the mail from to be anything you want. Have a look on the dmarc fields if you want to be sure. Although I'm pretty sure that paypal always address the customer with their actual name...
Exactly. Need to see DMARC, SPF headers. Email headers are what you want to see. "From: <blah>" without those means nothing, and is trivially spoof-able.
I don't see headers in the twitter post?
It looks like a real PayPal feature they're abusing by inserting their phishing message into a generic message field. They're aiming to get you to call that number

No compromised cert needed