
In this episode, host Jim Love covers a $1.5 billion Ethereum heist attributed to the North Korean Lazarus Group, Google's shift from SMS to QR codes for multifactor authentication, a massive botnet targeting Microsoft 365 accounts, and new phishing...
Jim Love
Hey, just a heads up, I'm off on holiday for the next week. I have a long weekend of nothing but playing and writing music. I should have the weekend show pre-recorded, but there will be no Friday or Monday podcast. I'll be back on March 5th with our regular show. $1.5 billion Bybit heist attributed to North Korean Lazarus Group; Google replaces SMS authentication with QR codes to enhance security; massive botnet targets Microsoft365 accounts with stealthy password spraying attacks; and scammers exploit PayPal's new address feature to send phishing emails. This is Cybersecurity Today. I'm your host, Jim Love. In a record-setting cyber heist, approximately $1.5 billion in Ethereum was stolen from the cryptocurrency exchange Bybit. Investigations have linked the attack to North Korea's notorious Lazarus Group. The breach occurred during a routine transfer of Ethereum from Bybit's cold wallet to a warm wallet. Now, for those who don't know, and I might be oversimplifying, cold wallets are offline storage, often kept isolated from the Internet, except for transfers of this type to the warm wallets that are used for regular transactions. Now, somehow the attackers manipulated the user interface, making it appear that the funds were being sent to the correct address. But they altered the underlying smart contract logic, redirecting the assets to an address under their control. Security firm Check Point suggests that the hackers might have compromised devices of multisig signers, those authorized to approve transactions, possibly through malware, phishing or even supply chain attacks. Bybit has assured its users that their assets remain secure and that the company maintains full solvency. To date, nearly $43 million of the stolen funds have been recovered, thanks to the swift action of various cryptocurrency services who froze the illicit assets. 
And Bybit has also launched a recovery bug bounty program, offering up to 10% of the reclaimed amount to individuals who assist in retrieving the stolen funds. Multiple cybersecurity firms and experts have attributed the heist to the Lazarus Group, a hacking collective with strong ties to the North Korean government. This group has a notorious history of executing significant cryptocurrency thefts, often to fund state activities. So this incident underscores the vulnerabilities inherent in digital asset platforms, even those employing cold wallets and multi-signature authorization. It highlights the necessity for continuous advancements in security protocols to safeguard against increasingly sophisticated cyber threats. Not only do these exchanges have to revisit their security infrastructure; the speed at which these stolen assets can be transferred and laundered requires some means of ensuring collaboration and maybe even policing these various exchanges. Google is phasing out SMS text messages for multi-factor authentication in favor of more secure QR codes. The change aims to address the security vulnerabilities associated with SMS-based authentication. Introduced in 2011, SMS-based one-time passcodes have been a staple for Gmail users. However, the method has faced criticism due to security concerns. Attackers have exploited weaknesses in the Signaling System 7 protocol to intercept SMS messages, and SIM swapping attacks have allowed fraudsters to hijack phone numbers, gaining unauthorized access to accounts. In 2016, the National Institute of Standards and Technology, or NIST, recommended discontinuing SMS for multi-factor authentication due to these vulnerabilities. Beyond security issues, SMS authentication has been susceptible to traffic pumping schemes. In these scams, malicious actors generate unnecessary SMS messages to numbers they control, incurring significant costs for service providers. 
Elon Musk reportedly highlighted this issue in 2024, noting that such schemes cost Twitter $60 million annually in SMS fees. So to combat these challenges, Google will implement QR code-based authentication over the next few months. Instead of receiving a six-digit code via SMS, users will scan a QR code with their smartphone's camera app to verify their identity. This method reduces reliance on potentially vulnerable SMS channels and enhances overall account security. While SMS may still be used in certain scenarios for identity confirmation, the primary authentication process will transition to QR codes. A botnet comprising over 130,000 compromised devices is executing a large-scale password spraying attack against Microsoft365 accounts, exploiting non-interactive sign-ins with basic authentication. This allows attackers to bypass multi-factor authentication and evade detection by security teams. Non-interactive sign-ins operate in the background to keep users logged in for things like mobile applications, web applications, and across multiple web pages, and even desktop apps that require continuous access to cloud resources. We don't see them and we don't think about them, but those that pass just a text for a login are inherently insecure, and password spraying involves attempting common passwords across numerous accounts, aiming to gain unauthorized access without triggering account lockouts. Now, by utilizing these non-interactive sign-ins, the process where automated systems authenticate without direct user input, attackers can perform high-volume attempts undetected. The tactic is particularly concerning as it can bypass MFA and conditional access policies even in well-secured environments. The infrastructure supporting this botnet includes command and control servers hosted in the United States with proxies operated through cloud providers linked to China. 
The botnet systematically uses stolen credentials from infostealer logs to target a wide range of M365 accounts, minimizing account lockouts while maximizing the probability of compromise. Security Scorecard, who detected and reported this activity after inspecting the failed logins, says, "As we have seen direct evidence of this behavior in our non-interactive sign-in logs, we encourage anyone operating an M365 tenant to immediately verify whether they're affected and, if so, to rotate credentials belonging to any organization accounts in the logs." Microsoft, who began replacing basic authentication in 2021, say they will have it fully replaced by September 2025. Cybercriminals have found a way to misuse PayPal's new address feature, sending legitimate-looking emails from serviceay to unsuspecting users. In fact, they use this actual address to get by automated checking. These emails falsely confirm the addition of a new shipping address and mention a high-value purchase. An example is usually something like a MacBook M4. That's enough to get people concerned, and recipients are urged to call a provided phone number if they did not authorize the transaction. When you get the person on the line, you'd be tricked into downloading a software program, which leads to your eventual compromise. But how do they do this? The folks at Bleeping Computer dug into it and found that scammers log into their own PayPal accounts and they add a new shipping address in the address fields. They insert the fraudulent message about a high-value purchase and include a phone number controlled by the scammer. PayPal automatically sends a confirmation email to the scammer's registered email address acknowledging the addition of the new address. Now here's where they've been really clever. The scammer's email account is set to automatically forward confirmation emails to a mailing list of potential victims. 
Now, since the original email comes directly from PayPal's servers, it now appears authentic and bypasses spam filters and other protection. Concerned recipients, believing their account has been compromised, call the provided phone number. Then scammers use that to gain remote access to the victim's device under the guise of assisting with account security. Now this is a pretty tough one to spot, but it could be avoided if proper cybersecurity vigilance was in place. Our colleagues need to be trained. You never use the number provided in an email, nor do you follow a link in an email. You always go back directly to the real app or service. And of course, nobody should ever be allowed to be talked into loading software onto their machine unless they are absolutely certain it's legitimate. There's a saying in carpentry which is measure twice, cut once. And that maybe could be applied to cybersecurity. Validate twice before you do anything. And if it feels vaguely uncomfortable, validate again. And that's our show. Remember, I'll be off till mid next week, but I'll talk to you again next Wednesday morning. Fresh and back from the land of rock and roll. I'm your host, Jim Love. Thanks for listening.
Podcast Summary: Cybersecurity Today
Episode: New Phishing Scam Uses Authentic PayPal Address
Host: Jim Love
Release Date: February 26, 2025
Introduction
In the February 26, 2025, episode of Cybersecurity Today, host Jim Love delves into the latest cybersecurity threats impacting businesses and individuals alike. The episode covers a spectrum of critical issues, including a massive cryptocurrency heist, Google's shift in authentication methods, a sophisticated botnet attack on Microsoft365 accounts, and a novel PayPal phishing scam. Below is a detailed summary of each segment, enriched with notable quotes and timestamps for reference.
Overview: Jim Love opens the episode by discussing a significant cybersecurity incident involving the cryptocurrency exchange Bybit. Approximately $1.5 billion in Ethereum was stolen in what is described as a record-setting cyber heist.
Key Points:
Attack Attribution: The breach has been linked to the North Korean Lazarus Group, notorious for orchestrating substantial cryptocurrency thefts to fund state activities.
"Multiple cybersecurity firms and experts have attributed the heist to the Lazarus Group, a hacking collective with strong ties to the North Korean government." [05:30]
Method of Attack: The attackers manipulated the user interface during a routine transfer from Bybit's cold wallet to a warm wallet. While the UI indicated that funds were sent to the correct address, the underlying smart contract logic redirected the assets to the attackers' address.
"They alter the underlying smart contract logic, redirecting the assets to an address under their control." [07:15]
Possible Compromises: Security firm Check Point suggests that the breach may have involved compromising the devices of multisig signers through malware, phishing, or supply chain attacks.
Bybit's Response: Bybit assures users of the security of their remaining assets and announces that $43 million of the stolen funds have been recovered. The company has also initiated a recovery bug bounty program, offering up to 10% of reclaimed amounts to contributors.
"Bybit has assured its users that their assets remain secure and that the company maintains full solvency." [10:45]
Implications for Digital Asset Security: The incident underscores the vulnerabilities in digital asset platforms, emphasizing the need for continuous advancements in security protocols.
"It highlights the necessity for continuous advancements in security protocols to safeguard against increasingly sophisticated cyber threats." [14:20]
Overview: The episode transitions to Google's initiative to enhance security by replacing SMS-based multi-factor authentication (MFA) with QR code-based methods.
Key Points:
Reasons for the Change: SMS authentication, introduced in 2011, has been plagued by security vulnerabilities such as interception of messages and SIM swapping attacks.
"SMS based one time passcodes have been a staple for Gmail users. However, the method has faced criticism due to security concerns." [18:05]
Expert Recommendations: In 2016, the National Institute of Standards and Technology (NIST) recommended discontinuing SMS for MFA due to these vulnerabilities.
Financial Implications: SMS-based authentication has also been exploited for traffic pumping schemes, incurring substantial costs for service providers. Elon Musk highlighted that Twitter faced $60 million annually in SMS fees due to such schemes.
"Elon Musk reportedly highlighted this issue in 2024, noting that such schemes cost Twitter $60 million annually in SMS fees." [22:40]
QR Code Implementation: Google plans to implement QR code-based authentication, where users scan a QR code with their smartphone to verify their identity, reducing dependence on insecure SMS channels.
"Users will scan a QR code with their smartphone's camera app to verify their identity." [25:10]
Future of Authentication: While SMS may still be used for certain identity confirmations, the primary authentication process will transition to QR codes, enhancing overall account security.
"This method reduces reliance on potentially vulnerable SMS channels and enhances overall account security." [27:55]
Overview: Jim Love discusses a large-scale botnet attack targeting Microsoft365 accounts through stealthy password spraying techniques.
Key Points:
Botnet Details: The botnet comprises over 130,000 compromised devices executing password spraying attacks that exploit non-interactive sign-ins with basic authentication.
"A botnet comprising over 130,000 compromised devices is executing a large scale password spraying attack against Microsoft365 accounts." [31:20]
Mechanism of Attack: By leveraging non-interactive sign-ins, attackers bypass multi-factor authentication (MFA) and evade detection. These sign-ins operate in the background, often unnoticed by users and security teams.
"Non interactive sign ins operate in the background to keep users logged in... but those that pass just a text for a login are inherently insecure." [33:45]
Infrastructure: The botnet uses command and control servers hosted in the United States with proxies linked to China, utilizing stolen credentials from infostealer logs to target M365 accounts.
"The infrastructure supporting this botnet includes command and control servers hosted in the United States with proxies operated through cloud providers linked to China." [36:10]
Security Recommendations: Security Scorecard urges operators of M365 tenants to verify if they are affected and rotate credentials for any compromised accounts.
"We encourage anyone operating an M365 tenant to immediately verify whether they're affected and if so, to rotate credentials belonging to any organization accounts in the logs." [39:00]
Microsoft's Response: Microsoft has been transitioning away from basic authentication since 2021 and plans to fully replace it by September 2025.
"Microsoft, who began replacing basic authentication in 2021, say they will have it fully replaced by September 2025." [40:30]
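The spray pattern described in this segment (non-interactive, basic-auth sign-ins that touch many accounts but try each only a few times) can be checked for in a tenant's own sign-in logs. The following Python is an added example, not code from the episode or from Security Scorecard: it assumes a simplified newline-delimited JSON export whose field names mirror the Entra ID sign-in log (user, ip, isInteractive, clientApp, errorCode), and all sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of M365 / Entra ID sign-in records (simplified fields
# modelled on the sign-in log schema; all users, IPs and times are invented).
SAMPLE_LOGS = """
{"time":"2025-02-24T02:00:01Z","user":"alice@example.test","ip":"203.0.113.10","isInteractive":false,"clientApp":"Authenticated SMTP","errorCode":50126}
{"time":"2025-02-24T02:07:13Z","user":"bob@example.test","ip":"203.0.113.10","isInteractive":false,"clientApp":"IMAP4","errorCode":50126}
{"time":"2025-02-24T02:15:42Z","user":"carol@example.test","ip":"203.0.113.10","isInteractive":false,"clientApp":"Authenticated SMTP","errorCode":50126}
{"time":"2025-02-24T02:22:05Z","user":"dave@example.test","ip":"203.0.113.10","isInteractive":false,"clientApp":"IMAP4","errorCode":50126}
{"time":"2025-02-24T02:29:51Z","user":"dave@example.test","ip":"203.0.113.10","isInteractive":false,"clientApp":"IMAP4","errorCode":0}
{"time":"2025-02-24T03:00:00Z","user":"alice@example.test","ip":"192.0.2.5","isInteractive":false,"clientApp":"POP3","errorCode":50126}
{"time":"2025-02-24T03:00:02Z","user":"alice@example.test","ip":"192.0.2.5","isInteractive":false,"clientApp":"POP3","errorCode":50126}
{"time":"2025-02-24T03:00:04Z","user":"alice@example.test","ip":"192.0.2.5","isInteractive":false,"clientApp":"POP3","errorCode":50126}
{"time":"2025-02-24T09:12:00Z","user":"bob@example.test","ip":"198.51.100.7","isInteractive":true,"clientApp":"Browser","errorCode":50126}
{"time":"2025-02-24T09:12:30Z","user":"carol@example.test","ip":"198.51.100.7","isInteractive":true,"clientApp":"Browser","errorCode":50126}
"""

# Client apps that use basic (legacy) authentication and cannot enforce MFA.
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"}
INVALID_CREDENTIALS = 50126  # Entra ID error code: wrong username or password
SUCCESS = 0

def parse_logs(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_spray_sources(records, min_accounts=3, max_attempts_per_account=2):
    """Return {ip: finding} for source IPs showing the spray pattern described
    in the episode: non-interactive, legacy-auth sign-ins that touch many
    distinct accounts but try each one only a few times (to avoid lockouts).
    Any legacy-auth success from such an IP is listed as a likely compromise."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    successes = defaultdict(set)                      # ip -> users that signed in
    for r in records:
        if r["isInteractive"] or r["clientApp"] not in LEGACY_CLIENT_APPS:
            continue  # interactive or modern-auth sign-ins are MFA-capable; skip
        if r["errorCode"] == INVALID_CREDENTIALS:
            failures[r["ip"]][r["user"]] += 1
        elif r["errorCode"] == SUCCESS:
            successes[r["ip"]].add(r["user"])
    findings = {}
    for ip, per_user in failures.items():
        low_and_slow = max(per_user.values()) <= max_attempts_per_account
        if len(per_user) >= min_accounts and low_and_slow:
            findings[ip] = {"accounts_tried": sorted(per_user),
                            "rotate_credentials": sorted(successes.get(ip, set()))}
    return findings

if __name__ == "__main__":
    print(json.dumps(find_spray_sources(parse_logs(SAMPLE_LOGS)), indent=2))
```

On the sample, only 203.0.113.10 is flagged: 192.0.2.5 hammers one account (brute force, not a spray) and 198.51.100.7 uses interactive sign-ins, so neither matches the pattern.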
Overview: The final segment covers a new phishing scam that exploits PayPal's address feature to send authentic-looking phishing emails to unsuspecting users.
Key Points:
Scam Technique: Scammers log into their own PayPal accounts, add a new shipping address with fraudulent messages about high-value purchases, and include a scam-controlled phone number. PayPal sends a legitimate confirmation email, which scammers then forward to potential victims.
"Scammers log into their own PayPal accounts and they add a new shipping address in the address fields... include a phone number controlled by the scammer." [44:15]
Email Forwarding: The confirmation emails, appearing to come directly from PayPal, bypass spam filters and other protections, making them appear authentic to recipients.
"Since the original email comes directly from PayPal's servers, it now appears authentic and bypasses spam filters and other protection." [47:50]
Victim Interaction: Recipients, believing their accounts have been compromised, call the provided phone number. Scammers then gain remote access to the victim's device under the guise of assisting with account security.
Preventative Measures: Jim emphasizes the importance of cybersecurity vigilance, advising against using phone numbers provided in unsolicited emails or following links within them. Users should always access services directly through official apps or websites.
"You never use the number provided in an email, nor do you follow a link in an email. You always go back directly to the real app or service." [53:30]
"Validate twice before you do anything. And if it feels vaguely uncomfortable, validate again." [55:00]
Conclusion
Jim Love wraps up the episode by reiterating the importance of staying vigilant against evolving cybersecurity threats. From monumental cryptocurrency heists to sophisticated phishing scams, the landscape is increasingly perilous. The episode serves as a crucial reminder for businesses and individuals to continuously update and scrutinize their security measures to safeguard against these advanced cyber threats.
"Validate twice before you do anything. And if it feels vaguely uncomfortable, validate again." [56:20]
Jim also announces his temporary absence due to a holiday but assures listeners of his return with more insightful discussions on March 5th.
Key Takeaways:
Cryptocurrency Security: Even platforms employing advanced security measures like cold wallets and multi-signature authorization are vulnerable to highly sophisticated attacks. Continuous advancements and proactive measures are essential.
Authentication Methods: Transitioning from SMS to more secure methods like QR codes can significantly mitigate risks associated with MFA vulnerabilities.
Botnet Defense: Organizations using Microsoft365 should urgently assess their security postures, especially concerning non-interactive sign-ins, and expedite the phasing out of basic authentication.
Phishing Awareness: Innovative phishing scams leveraging authentic communication channels underscore the need for heightened user awareness and strict adherence to cybersecurity best practices.
Stay Informed: For more updates and detailed discussions on cybersecurity threats and defenses, subscribe to Cybersecurity Today and stay ahead in the ever-evolving digital landscape.