Security researcher Troy Hunt has come across a new type of spam – $0 invoices from PayPal accounts. These emails evade spam filters because they show none of the typical characteristics of a suspicious email.
Sharing a screencap on his website of an email of dubious origin, Hunt explains how the email managed to get through to him as it is in fact a legitimate PayPal email, just one that asks for no money.
When looking into the email, Hunt said he looked for all the indicators that might show whether it was real, but found the email was from firstname.lastname@example.org, the mail headers were correct and the “View and Pay Invoice” button linked directly to https://www.paypal.com.
So he got in touch with PayPal by email to discuss the situation.
After a conversation with PayPal on the topic, Troy said that, “Without any feedback from PayPal or other evidence to the contrary, it looks like they're serving as the delivery mechanism for spam which, of course, won't be flagged as spam because it's a “legitimate” email from them. The message in the 'invoice' is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system.”
As of yet, PayPal have not found a solution to this problem. Graham Cluley chimed in and recommended that anyone who is sent a $0 invoice from PayPal send it to email@example.com.
A PayPal spokesperson got in touch with SC to say that, “This is not an intended use of one of our merchant services and we are taking steps to prevent this from happening.”