Ask HN: Scam from `service@paypal.com` email, How?

7 points by yonz ↗ HN
I asked GPT4 & dig on mx2.phx.paypal.com matches 66.211.170.88.

Sender IP and SPF: The SPF record indicates that the email was sent from IP 66.211.170.88 and that this IP is a designated sender for paypal.com. This is a good sign, as SPF is a method for domain owners to specify which IPs are allowed to send emails on their behalf. Still, this can be faked in phishing emails, so it isn't an absolute proof.

DKIM Signature: DKIM provides an encryption-based method to validate the authenticity and integrity of a message. The DKIM-Signature indicates that the email is signed and suggests it genuinely came from paypal.com with the signature being verified. This is another positive sign.

DMARC: The DMARC record shows a pass for the email. DMARC builds on SPF and DKIM to give receivers a way to improve and monitor the protection of the domain from fraudulent email. This is another good indication that the email is genuine.

Helo Record: The email identifies itself as coming from mx2.phx.paypal.com. Cross-referencing this with the IP 66.211.170.88 can give more information. Ideally, a DNS lookup on this domain should resolve to this IP, or vice versa. Authentication-Results: spf=pass (sender IP is 66.211.170.88)

smtp.mailfrom=paypal.com; dkim=pass (signature was verified)

header.d=paypal.com;dmarc=pass action=none

header.from=paypal.com;compauth=pass reason=100

Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates

66.211.170.88 as permitted sender) receiver=protection.outlook.com;

client-ip=66.211.170.88; helo=mx2.phx.paypal.com; pr=C

Received: from mx2.phx.paypal.com (66.211.170.88) by

AM7EUR06FT065.mail.protection.outlook.com (10.233.255.252) with Microsoft

SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id

15.20.6723.11 via Frontend Transport; Mon, 21 Aug 2023 14:39:41 +0000

X-IncomingTopHeaderMarker:

OriginalChecksum:D3EF06AD4D210DE94DD4CEF7676ADB33FFADDA146826968760B256614DBA0BB3;UpperCasedChecksum:C166224836B8549C000E1248A8D0B21B268DA10BAE404535ECAE6D2AC1E4F7F4;SizeAsReceived:1198;Count:17

DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;

q=dns/txt; i=@paypal.com; t=1692628775;

h=From:From:Subject:Date:To:MIME-Version:Content-Type;

bh=y3PR47e+bNTQkjaVkSmH1awii6kjs/uhFtgV+UQXT64=;

b=Y75EdoYH0VTDJ+1oaj5hM8Ev5CFNJxLSoLPSF6ICH/o4WEEW1kKZUvQDi63VGPd5

LxThPfH3DOqpW/o/mi8AmnbRaSfuYR2vhSIVYMXghc0VQ4CKD9J06JjDN2IO5M7/

lfWDOrXZJEAbJcSr92SnOucKMwoDngZiB2gy7SJG17187W2zmGjqZAFzNton8ssu

3aM6RRfFS+JxDEpuX3XPxYzQQsczTy2Qn/L28Yl+cJ4/HaV7myzte2OGr0qi+cQw

UEyT8Gd345qdkpxBmBUAk9Tu/Wcb6gQUdm+cDymkdcnPsuOKuW6DBgj47c76Arxw

20exiKh305Upy67mHCHvAA==;

Content-Transfer-Encoding: quoted-printable

Content-Type: text/html; charset="UTF-8"

Date: Mon, 21 Aug 2023 07:39:35 -0700

Message-ID: <53.BB.28950.72773E46@ccg01mail04>

X-PP-REQUESTED-TIME: 1692628766599

X-PP-Email-transmission-Id: 8a9be26e-4030-11ee-bba5-40a6b729312c

PP-Correlation-Id: b2d6ca346679c

*Subject: Invoice from Marquis Pleasants (0084)*

X-MaxCode-Template: RT000238

To: <xxxxxxxxxxxxxxxxxxxxxxx>

From: "service@paypal.com" <service@paypal.com>

X-Email-Type-Id: RT000238

X-PP-Priority: 0-none-true

AMQ-Delivery-Message-Id: nullval

X-XPT-XSL-Name: nullval

X-IncomingHeaderCount: 17

....

X-Microsoft-Antispam: BCL:5;

X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Aug 2023 14:39:41.5613

(UTC)

...

X-Microsoft-Antispam-Mailbox-Delivery:

7 comments

[ 5.7 ms ] story [ 32.0 ms ] thread
How do you know it's not a real email from paypal? And this entire post is a mess, don't just paste a bunch of junk
Couldn't fit it in the 4k char limit. It is for sure a scam and I actually called the number and they have an operating person ready to pretend to be from Hilton. All in all it is the best phishing campaign I have witnessed to date. Even email header verification through email app came through cleam.

Phishing contents: Hello, Suspicious transaction of $399.90 detected. If not done by you contact Fraud Investigation team at +1 (833) 902-0431 to cancel. Service hours(9AM-6PM) Email cs-billings@hilton.com

Here's your invoice Marquis Pleasants sent you an invoice for $399.90 USD

Marquis Pleasants 001 8339020431

You don't have any payments with this seller in the last year.

Don't recognize this invoice?

Report this invoice Before paying, make sure you recognize this invoice. If you don't, report it. Learn more about common security threats and how to spot them. For example, PayPal would never use an invoice or a money request to ask you for your account credentials.

Buy now. Pay over time.

Simply select PayPal Credit at checkout and enjoy No Interest if paid in full in 6 months. Subject to credit approval. See terms. US customers only.

Paypal just lets peole send invoice spam. It's a known problem and apparently won't fix it.

https://news.ycombinator.com/item?id=32511086

Two reasons why its not a proper invoice. 1) I checked the mobile app, web page and any mention of this on my account and it never made it there.

2) The format of the email leads me to question it, the top part has the text: " Hello, Suspicious transaction of $399.90 detected. If not done by you contact Fraud Investigation team at +1 (833) 902-0431 to cancel. Service hours(9AM-6PM) Email cs-billings@hilton.com"

Is there a free HTML text field for sending invoice? And how did the break out of the email box and get to the top. This would be easier with a picture.

The article says that Paypal tried to reduce the specific flavor of fraud that was reported to them, so maybe you could ask them about it.