Cybercriminals are abusing legitimate invoices and dispute notifications from popular services to send scam emails that bypass security filters, according to researchers at Kaseya’s INKY. The attackers have used this technique to impersonate PayPal, Apple, DocuSign, HelloSign, and others.
“These platforms often allow users to enter a ‘seller name’ or add a custom note when creating an invoice or notification,” the researchers write. “Attackers abuse this functionality by inserting scam instructions and a phone number into those user-controlled fields. They then send the resulting invoice or dispute notice to an email address they control, ensuring the malicious content is embedded in a legitimate, vendor-generated message.”
Since the emails themselves are sent from legitimate sources, they’re more likely to land in users’ inboxes. Humans are also more likely to fall for the scam if they see that the messages were sent from trusted vendors.
“Since the message originates directly from the vendor, such as PayPal, and is cryptographically signed, it easily passes DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) checks,” INKY says.
“After receiving the legitimate email, the attacker simply forwards it on to their intended targets. The result is a message that looks authentic, passes email authentication, and arrives in inboxes with little to no warning.”
This technique is known as a “DKIM replay attack,” and it lets the forwarded emails pass the authentication checks that would otherwise flag a spoofed sender.
“A DKIM replay attack occurs when a bad actor captures a legitimate, DKIM-signed email and then ‘replays’ that same message to additional recipients,” the researchers explain. “Since the original headers and message body remain unchanged, the DKIM signature continues to validate. As a result, the email passes DMARC authentication even though it is being redistributed by an attacker rather than delivered by the original sender. To avoid breaking DKIM, attackers intentionally do not modify the message after it has been signed.”
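To make the two quoted points concrete, the following is an added example (not INKY's or KnowBe4's code) that models both why the replayed message still verifies and what a receiver can check that the signature alone does not. HMAC-SHA256 stands in for DKIM's RSA/Ed25519 signature so it runs without a key pair; the `h=`, `bh=`, `b=`, `t=` and `x=` tags follow RFC 6376 in spirit only, and every domain, address and timestamp is constructed. The defender side rests on two observations: the vendor signed a `To:` header naming the attacker's own mailbox, not the victim's, and the signature's timestamp and optional expiry bound how long a captured message stays useful.

```python
"""Toy DKIM signer/verifier plus replay heuristics (added example, not INKY's or KnowBe4's code).

HMAC-SHA256 stands in for DKIM's real signature so the script runs with no key pair;
canonicalization and tag names follow RFC 6376 in spirit only. All data is constructed.
"""
import hashlib
import hmac
import re

SIGNED_HEADERS = ["from", "to", "subject", "date"]  # the h= list; Received is deliberately not in it
SECRET = b"constructed-demo-signing-key"            # stand-in for the vendor's private key
NOW = 1_700_000_000                                 # constructed "current time" for a deterministic run


def get_header(headers, name):
    """Return the first header value with this name ('' if absent); headers is a list of (name, value)."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return ""


def canon_header(name, value):
    """Relaxed-style canonicalization: lowercase the name, collapse runs of whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}"


def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()


def signing_input(headers, signed_names, sig_without_b):
    """Exactly what the signature covers: the h= headers plus the DKIM-Signature header with an empty b=."""
    lines = [canon_header(h, get_header(headers, h)) for h in signed_names]
    lines.append(canon_header("dkim-signature", sig_without_b))
    return "\n".join(lines).encode()


def sign(headers, body, timestamp, expires):
    """Vendor side: build the DKIM-Signature value over the h= headers and the body hash."""
    tags = (f"v=1; a=hmac-sha256; d=vendor.example; s=sel; t={timestamp}; x={expires}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    b = hmac.new(SECRET, signing_input(headers, SIGNED_HEADERS, tags), hashlib.sha256).hexdigest()
    return tags + b


def parse_tags(sig):
    return dict(part.strip().split("=", 1) for part in sig.split(";") if "=" in part)


def verify(message):
    """Receiver side: True if body hash and signature match. Envelope and Received hops play no part."""
    headers, body = message["headers"], message["body"]
    sig = get_header(headers, "dkim-signature")
    tags = parse_tags(sig)
    if tags.get("bh") != body_hash(body):
        return False
    sig_without_b = sig[: sig.rfind("b=") + 2]
    expected = hmac.new(SECRET, signing_input(headers, tags["h"].split(":"), sig_without_b),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags.get("b", ""))


def replay_indicators(message, envelope_rcpt, now, max_age=86400):
    """Defender heuristics that DKIM itself does not enforce; returns a list of findings (empty = none)."""
    headers = message["headers"]
    tags = parse_tags(get_header(headers, "dkim-signature"))
    findings = []
    addressed = (get_header(headers, "to") + " " + get_header(headers, "cc")).lower()
    signed_rcpts = set(re.findall(r"[\w.+-]+@[\w.-]+", addressed))
    if envelope_rcpt.lower() not in signed_rcpts:
        findings.append("envelope recipient not in signed To/Cc")
    if now - int(tags["t"]) > max_age:
        findings.append("signature older than max_age")
    if "x" in tags and now > int(tags["x"]):
        findings.append("signature expired (x=)")
    return findings


def make_original():
    """The vendor-generated notice, addressed to the mailbox the attacker controls (constructed)."""
    headers = [
        ("From", "Vendor Invoices <service@vendor.example>"),
        ("To", "attacker-mailbox@attacker.example"),
        ("Subject", "Invoice from Constructed Seller Name"),
        ("Date", "Tue, 14 Nov 2023 22:13:20 +0000"),
    ]
    body = "Seller note: <attacker-controlled text placed in the custom-note field>\n"
    sig = sign(headers, body, timestamp=NOW - 60, expires=NOW + 7 * 86400)
    return {"headers": [("DKIM-Signature", sig)] + headers, "body": body}


def replay(message):
    """The forwarded copy: headers and body untouched, one Received hop prepended by the next relay."""
    hop = ("Received", "from mail.attacker.example by mx.target.example; Wed, 15 Nov 2023 09:00:00 +0000")
    return {"headers": [hop] + list(message["headers"]), "body": message["body"]}


if __name__ == "__main__":
    original, copy = make_original(), replay(make_original())
    print("original verifies:", verify(original))        # True
    print("replayed copy verifies:", verify(copy))       # True: nothing the signature covers changed
    print("original to its own To:", replay_indicators(original, "attacker-mailbox@attacker.example", NOW))
    print("replayed to a victim:", replay_indicators(copy, "victim@target.example", NOW))
```

The `verify` result is identical for the original and the forwarded copy because the envelope recipient and the added `Received:` hop are outside the signed material; editing either the body or a signed header breaks it, which is exactly why the attacker leaves the message untouched. `replay_indicators` is where a receiving gateway or mailbox provider can act: a recipient who is not named in the signed `To:`/`Cc:` is the strongest single signal, and a vendor that sets a short `x=` expiry shrinks the window in which a captured notice can be replayed at all.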
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Kaseya has the story.
