Blox Tales: PayPal Credential Phishing Using Glitch And GoDaddy

In today’s Blox Tale, we will look at a PayPal credential phishing attack that exploited legitimate services from GoDaddy and Glitch in its phishing flow. The email claimed that the victims’ PayPal account profile was incomplete / out of date and included a link for them to update their profile and restore account access.

Summary

Org mailboxes: ~500

Email Provider: Google Workspace

Techniques used: Social engineering, brand impersonation, replicating existing workflows, using free online services

Fig: Credential phishing attack spoofing a PayPal message and using GoDaddy and Glitch in its phishing flow

The Email

This email claimed to come from PayPal, had ‘No-Reply Paypal’ as the sender name, and was titled ‘New Message from Pay-pal security team’. There are enough grammatical inconsistencies here to cause suspicion, but only if one stops and thinks about the email. The email bears enough surface-level similarity to a real PayPal email to pass the eye tests of unsuspecting victims.

The email claimed that the victim’s PayPal profile was incomplete and posited that it may be because of expired credit/debit card details or an out-of-date physical address. It then includes a link for them to update their profile and restore account access.

A snapshot of the email is given below:

Fig:  Email spoofing a PayPal message stating an issue with the victim’s account profile

The domain of the email sender was ‘secureserver[.]net’, which is the domain on which emails that are hosted by GoDaddy reside. Cybercriminals frequently go through intermediary services like GoDaddy to mask their identity and obfuscate traditional email security detection measures.

The Phishing Page

Clicking the ‘Restore Account Access’ link in the email leads victims to a phishing page resembling the PayPal login portal. This page asks victims for their email / mobile number and PayPal account password.

Fig: Phishing page created using Glitch asking for PayPal account credentials

The parent domain of the phishing page is ‘glitch[.]me’, which means the page was created using Glitch. Glitch is a low-code software that enables people to create web projects in their browsers and “launch it on a secure URL in under a minute”, according to their website. Attackers often exploit services like these - services meant to make work easier but also end up unintentionally lowering the bar for cybercriminals to launch phishing attacks at scale.

Recap of Techniques Used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.

• Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from a legitimate company (PayPal), and a sense of urgency because it claimed the victim’s PayPal profile had issues, something they would be eager to reverse.
• Brand impersonation: The email has HTML stylings similar to real emails from PayPal. The phishing page is simple but also bears a prima facie similarity to the real PayPal login portal.
• Using security themes: The email used the guise of locked accounts and security concerns to extract account credentials. As employees want to be good corporate citizens, they will tend to take quicker action on communication that claims to be security-related.
• Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (correcting issues with a payment account). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
• Exploiting legitimate infrastructure in phishing flow: The email sender domain was hosted on GoDaddy and the phishing page was created using Glitch Editor. Free online services like these make our lives easier, but unfortunately also make it easier for cybercriminals to launch successful phishing attacks. We have also observed attacks exploiting Google Firebase, Box, Google Sites, Typeform, and Quip in a similar manner.

Guidance and Recommendations

1. Augment native email security with additional controls

The email highlighted in this blog got past Google Workspace email security. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is PayPal sending this email to my work account?, Why is PayPal written in three different ways in the email title and body?).

3. Follow MFA and password management best practices

Although we didn’t observe the entire vishing flow for these attacks, vishing call scripts often include attempts to extract victims’ account credentials in addition to their credit card details.

If you haven’t already, implement these hygiene best practices to minimize the impact of your credentials being leaked:

• Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
• Don’t use the same password on multiple sites/accounts.
• Use a password management software like LastPass or 1password to store your account passwords.
• Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
• Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.

For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below.