A security researcher has uncovered a new form of PayPal spam: zero-dollar invoices that evade the company's filters and lack the typical characteristics of a suspicious email.
In a post published on his website last week, Australian security expert Troy Hunt shared an image of a curious PayPal invoice he had received for the mighty sum of... $0.00.
The invoice comes with a note from a "Monika Jackson" that reads as follows:
"Good day, become our family memeber [sic], buy cheap electronics online with us. Please, do not hesitate to visit our online store & subscribe. [URL removed]. Cheap, quality and brand new electronics. Good prices & 3% discount."
Hunt goes on to explain how the email originated from firstname.lastname@example.org, the mail headers were legitimate, and the "View and Pay Invoice" button linked directly to PayPal's homepage.
With none of the usual spoofed-email indicators present, the researcher tweeted out the image.
After going back and forth with @AskPayPal, PayPal's support team asked the researcher to contact the company via direct message, which led to an equally unproductive conversation:
@AskPayPal: Please send us a DM so we can discuss further
@troyhunt: Here is a DM!
@AskPayPal: Can you confirm what email address you received the email from?
@troyhunt: Yes, it came from email@example.com
@AskPayPal: Do you have an email address for the person invoicing you $0?
@troyhunt: Yes, the one in the screen grab!
@AskPayPal: There is no email address in the screen grab
@troyhunt: Yes there is, here’s a massively zoomed in pic for you
@AskPayPal: I recommend deleting that tweet, it has your personal info
@troyhunt: It has my email address – I get email by sharing it with people who might want to send me email!
As of this writing, PayPal has yet to address the issue. This silence has in part led Hunt to recommend that the web payment company flag as suspicious any and all accounts that send out multiple $0.00 invoices.
"Without any feedback from PayPal or other evidence to the contrary, it looks like they’re serving as the delivery mechanism for spam which, of course, won’t be flagged as spam because it’s a 'legitimate' email from them. The message in the 'invoice' is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system."
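Hunt's suggested mitigation, as an added example written for this page (it is not PayPal's code and not anything Hunt published): a detection rule over invoice records that flags accounts issuing multiple $0.00 invoices to distinct recipients, using a link in the invoice note as a secondary indicator. The record layout, the thresholds and the sample invoices are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Anything that looks like a link in the invoice note; the spam Hunt received
# carried a store URL in the note field.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Invoice:
    sender: str      # account that issued the invoice (assumed field layout)
    recipient: str   # address the invoice was emailed to
    amount: Decimal  # invoice total
    note: str        # free-text message attached to the invoice


def flag_zero_invoice_abuse(invoices, min_zero_invoices=2, require_link=True):
    """Return {sender: stats} for accounts that look like they are using
    $0.00 invoices as a spam channel.

    An account is flagged when it has issued at least `min_zero_invoices`
    zero-amount invoices to that many distinct recipients and (by default)
    at least one of those notes contains a link. Requiring distinct
    recipients avoids flagging a merchant that re-issues a corrected $0.00
    invoice to the same customer. Thresholds are illustrative assumptions.
    """
    zero_by_sender = defaultdict(list)
    for inv in invoices:
        if inv.amount == 0:
            zero_by_sender[inv.sender].append(inv)

    flagged = {}
    for sender, zeros in zero_by_sender.items():
        recipients = {z.recipient for z in zeros}
        if len(zeros) < min_zero_invoices or len(recipients) < min_zero_invoices:
            continue
        with_links = sum(1 for z in zeros if URL_RE.search(z.note))
        if require_link and with_links == 0:
            continue
        flagged[sender] = {
            "zero_invoices": len(zeros),
            "distinct_recipients": len(recipients),
            "notes_with_links": with_links,
        }
    return flagged


# Constructed sample data: hypothetical accounts, not real PayPal records.
SPAM_NOTE = ("Good day, become our family member, buy cheap electronics online "
             "with us. Visit http://cheap-electronics.example/ & subscribe.")
SAMPLE_INVOICES = [
    Invoice("spammer@example.net", "alice@example.org", Decimal("0.00"), SPAM_NOTE),
    Invoice("spammer@example.net", "bob@example.org", Decimal("0.00"), SPAM_NOTE),
    Invoice("spammer@example.net", "carol@example.org", Decimal("0.00"), SPAM_NOTE),
    # A merchant comping one order: a single $0.00 invoice with no link.
    Invoice("legit-shop@example.com", "dave@example.org", Decimal("0.00"),
            "Order comped, nothing due."),
    # Ordinary paid invoices are ignored entirely.
    Invoice("legit-shop@example.com", "erin@example.org", Decimal("12.50"),
            "Invoice for your recent order."),
]

if __name__ == "__main__":
    for sender, stats in flag_zero_invoice_abuse(SAMPLE_INVOICES).items():
        print(sender, stats)
```

A flag from this rule is a reason to review or rate-limit an account, not proof of abuse: a merchant sending many genuine $0.00 invoices with a link to its order page in the note would also trip it, which is why the note-link check is a secondary signal and the thresholds should be tuned against real invoice volumes rather than taken from this example.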
Whether PayPal ultimately decides to do anything about these spam emails remains to be seen. But there's nothing preventing customers from trying to push the online payments company in one direction or another.
If you see a $0.00 invoice or other suspicious email from the company, please send it to firstname.lastname@example.org. You'll be doing all PayPal users a favor.
Update: A PayPal spokesperson has contacted us with the following statement:
"This is not an intended use of one of our merchant services and we are taking steps to prevent this from happening."