PayPal is making it too easy for the zero dollar invoice spammers

A security researcher has uncovered a new form of PayPal spam: zero dollar invoices that evades the company's filters and fails to trigger the typical characteristics of a suspicious email.

In a post published on his website last week, Australian security expert Troy Hunt shared an image of a curious PayPal invoice he had received for the mighty sum of... $0.00.

Paypal zero invoice spam

The invoice comes with a note from a "Monika Jackson" that reads as follows:

"Good day, become our family memeber [sic], buy cheap electronics online with us. Please, do not hesitate to visit our online store & subscribe. [URL removed]. Cheap, quality and brand new electronics. Good prices & 3% discount."

Hunt goes on to explain how the email originated from member@paypal.com.au, the mail headers were legitimate, and the "View and Pay Invoice" button linked directly to PayPal's homepage.

PaypalIn the absence of usual spoof email indicators, the researcher tweeted out the image.

After going back and forth with @AskPayPal, PayPal's support team asked the researcher asked to contact the company via a direct message, which led to an equally less-than-productive conversation:

@AskPayPal: Please send us a DM so we can discuss further

@troyhunt: Here is a DM!

@AskPayPal: Can you confirm what email address you received the email from?

@troyhunt: Yes, it came from member@paypal.com.au

@AskPayPal: Do you have an email address for the person invoicing you $0?

@troyhunt: Yes, the one in the screen grab!

@AskPayPal: There is no email address in the screen grab

@troyhunt: Yes there is, here’s a massively zoomed in pic for you

@AskPayPal: I recommend deleting that tweet, it has your personal info

@troyhunt: It has my email address – I get email by sharing it with people who might want to send me email!

As of this writing, PayPal has yet to address the issue. This silence has in part led Hunt to recommend that the web payment company flag as suspicious any and all accounts that send out multiple $0.00 invoices.

"Without any feedback from PayPal or other evidence to the contrary, it looks like they’re serving as the delivery mechanism for spam which, of course, won’t be flagged as spam because it’s a 'legitimate' email from them. The message in the 'invoice' is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system."

Whether PayPal ultimately decides to do anything with these spam emails remains to be seen. But there's nothing preventing customers from trying to move the online payments company in one direction over another.

If you see a $0.00 invoice or other suspicious email from the company, please send it to spoof@paypal.com. You'll be doing all PayPal users a favor.

Update: A PayPal spokesperson has contacted us with the following statement:

"This is not an intended use of one of our merchant services and we are taking steps to prevent this from happening."

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

5 Responses

  1. Techno

    January 16, 2016 at 6:54 am #

    I find myself breathing a sigh of relief that at least it isn't delivering a nasty payload. It's quite ingenious, and Paypal can simply suspend their account surely. It also must be a lot of trouble for them, unless they have managed to automate it somehow,

  2. Simon

    January 18, 2016 at 10:29 am #

    Ingenious indeed.

    I'd imagine there be no logical reason to submit a $0.00 invoice and this flaw quashed to begin with. Having said that, I'm no accountant either…

    If this bug is rectified and spammers are keen, they could simply pay $0.01 for every spam email they disguise via PayPal (albeit targeting well-known SMB's or bigger businesses), but they'd have to be pretty desperate… I doubt they'll do this willy nilly.

  3. furriephillips

    January 18, 2016 at 11:48 am #

    How about PayPal's ridiculous SPF record, which allows their domain to be spoofed?

    % host -t TXT paypal.com | grep spf
    paypal.com descriptive text "v=spf1 include:pp._spf.paypal.com include:3ph1._spf.paypal.com include:3ph2._spf.paypal.com include:3ph3._spf.paypal.com include:3ph4._spf.paypal.com include:c._spf.ebay.com ~all"

    % host -t TXT paypal.com.au | grep spf
    paypal.com.au descriptive text "v=spf1 mx include:pp._spf.paypal.com include:3rdparty._spf.paypal.com include:3rdparty1._spf.paypal.com include:3rdparty2._spf.paypal.com include:c._spf.ebay.com ~all"

    It's like they don't give a toss about their customer's safety.

    Just replace "~all" with "-all", to enforce SPF. It's a no-brainer.

  4. Tech-challenged

    January 18, 2016 at 4:28 pm #

    Actual emails from PayPal will Always be addressed to you by name. I get plenty of spam supposedly from PayPal and always forward them to PayPal. Have learned to Never click on links in emails. Instead I click from search links and that is an extra protection since I can't always tell what is spam and what isn't. Haven't gotten this particular email…yet…but will do as I always do and then check my PayPal msgs. Thanx for the warning.

  5. Deb

    January 18, 2016 at 10:40 pm #

    I've never had much success with PayPal support either. They always seem to misunderstand what the problem is, or fail to offer any real help. Usually I just receive some standard boilerplate text that doesn't address the root cause of the issue, and doesn't offer any useful advice. The chat transcript that the author published is quite typical of the conversations that I have had as well.

Leave a Reply