Cybersecurity threats are shifting from crude, easily spotted phishing emails to techniques that ride on trusted digital infrastructure. Attackers now exploit legitimate business features of popular platforms, turning trustworthy services into unwitting participants in financial fraud. Because the messages come from reputable, properly authenticated domains rather than spoofed addresses, traditional security filters struggle to flag them, and end users are left exposed to deception.

The campaign's central move is to abuse the built-in invoicing features of services such as Apple and PayPal.

Attackers create throwaway accounts on the platform, generate invoices or dispute notifications, and fill user-controlled fields such as the "seller note" with fraudulent contact details, typically a scam phone number. Because the platform itself generates and signs the resulting notification, automated filters see nothing out of the ordinary. Kaseya analysts who documented the campaign note that it relies mainly on users' trust in notifications from well-known brands rather than on any technical exploit.

This exposes a gap in email security: authentication proves which domain sent a message, not that its contents are safe. By abusing features the vendors offer to any legitimate user, attackers can build a convincing lure without compromising the vendors at all.

The DKIM Replay Evasion Mechanism

The technique, formally known as a DKIM replay attack, turns the way email authentication verifies a sender against the recipient. The attacker first creates the invoice containing the scam number and has the platform send it to a mailbox the attacker controls. Because the message genuinely originates from a vendor such as PayPal, it carries a valid DomainKeys Identified Mail (DKIM) signature from the vendor's domain.

The attacker then re-sends that exact message from their own infrastructure to thousands of prospective victims on lists they already hold.

App Store invoice misuse by DKIM replay attack (Source: Kaseya)

The original signature still verifies because DKIM covers the message body and the signed header fields (From, Subject, and typically To), none of which the attacker changes. What DKIM does not cover is the SMTP envelope, and the envelope recipient is the only thing that differs when the message is re-sent.

As a result, the message passes Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks: the DKIM signature is valid and its signing domain aligns with the From: domain, so the message reaches the victim's inbox without raising any red flags. The recipient sees a legitimate email from an address such as service@paypal[.]com, and the content instructs them to call a bogus support number, where the attacker talks them into handing over financial details.

DKIM replay attacks were used to abuse a PayPal disputed invoice (Source: Kaseya).

To defend against this, security teams should configure their email gateway to compare the visible To: header against the envelope recipient: in a replayed message the signed To: header still names the attacker's original mailbox, not the person who actually received it. Treat a mismatch as a strong signal rather than an automatic block, since Bcc delivery, forwarding and distribution lists produce the same discrepancy. Sending vendors can also shorten the replay window by setting an expiration (the x= tag) on their DKIM signatures, but that control sits with the vendor, not the recipient.
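To make the replay mechanism and the gateway check above concrete, here is an added example in Go, written for this edit and not code from Kaseya, PayPal or Apple. It implements a minimal DKIM signer and verifier (a=ed25519-sha256 as in RFC 8463, "simple" canonicalisation, single-line headers, no DNS key lookup or header folding), builds a constructed invoice message whose vendor domain, addresses, selector and phone number are placeholders, replays the identical signed bytes to a different envelope recipient to show the signature still verifies, shows that editing the seller note does break it, and runs the To-header-versus-envelope comparison that flags only the replayed copy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net/mail"
	"strings"
)

// Message is what a gateway sees: headers and body (what DKIM signs) plus the SMTP
// envelope recipient it was delivered to (which DKIM never covers). Single-line headers only.
type Message struct {
	Headers      map[string]string
	Body         string
	EnvelopeRcpt string // SMTP RCPT TO
}

// sampleInvoice is a constructed vendor notification; domain, addresses and phone
// number are placeholders. The seller note is the attacker-controlled field.
func sampleInvoice() Message {
	return Message{
		Headers: map[string]string{
			"From":    "service@vendor.example",
			"To":      "Attacker <attacker@mailbox.example>",
			"Subject": "You have a new invoice",
			"Date":    "Mon, 01 Jan 2024 00:00:00 +0000",
		},
		Body:         "Invoice #1234 for $499.00\r\nSeller note: questions? call 555-0100\r\n",
		EnvelopeRcpt: "attacker@mailbox.example",
	}
}

// bodyHash is DKIM's bh= tag: SHA-256 of the "simple"-canonicalised body
// (trailing empty lines collapsed to a single CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// headerHash is what actually gets signed: the h= headers in the listed order,
// then the DKIM-Signature field itself with an empty b= value.
func headerHash(m Message, h, sigNoB string) []byte {
	var sb strings.Builder
	for _, name := range strings.Split(h, ":") {
		sb.WriteString(name + ": " + m.Headers[name] + "\r\n")
	}
	sb.WriteString("DKIM-Signature: " + sigNoB)
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// Sign adds a DKIM-Signature (a=ed25519-sha256, RFC 8463) over From, To, Subject,
// Date and the body, in place. Publishing the key in DNS is out of scope here.
func Sign(m Message, domain, selector string, priv ed25519.PrivateKey) Message {
	noB := "v=1; a=ed25519-sha256; c=simple/simple; d=" + domain + "; s=" + selector +
		"; h=From:To:Subject:Date; bh=" + bodyHash(m.Body) + "; b="
	sig := ed25519.Sign(priv, headerHash(m, "From:To:Subject:Date", noB))
	m.Headers["DKIM-Signature"] = noB + base64.StdEncoding.EncodeToString(sig)
	return m
}

// Verify checks the signature with the vendor's public key. It reads only headers
// and body, so a different envelope recipient cannot make it fail.
func Verify(m Message, pub ed25519.PublicKey) bool {
	sigHdr, tags := m.Headers["DKIM-Signature"], map[string]string{}
	for _, t := range strings.Split(sigHdr, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[k] = v
		}
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || sigHdr == "" || tags["bh"] != bodyHash(m.Body) {
		return false
	}
	noB := strings.TrimSuffix(sigHdr, tags["b"]) // b= is the last tag
	return ed25519.Verify(pub, headerHash(m, tags["h"], noB), sig)
}

// RecipientMismatch is the gateway check from the article: the signed To: header
// names a mailbox other than the one the message was actually delivered to.
func RecipientMismatch(m Message) bool {
	addr, err := mail.ParseAddress(m.Headers["To"])
	return err != nil || !strings.EqualFold(addr.Address, m.EnvelopeRcpt)
}

// Demo signs the invoice as the vendor, replays the identical bytes to a victim
// (only the envelope changes) and tampers with one copy; see the returned flags.
func Demo() (origOK, replayOK, tamperOK, origFlag, replayFlag bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed := Sign(sampleInvoice(), "vendor.example", "sel1", priv)
	replayed := signed
	replayed.EnvelopeRcpt = "victim@corp.example"
	tampered := signed
	tampered.Body = strings.Replace(signed.Body, "555-0100", "555-0199", 1)
	return Verify(signed, pub), Verify(replayed, pub), Verify(tampered, pub),
		RecipientMismatch(signed), RecipientMismatch(replayed)
}
```

Demo() returns true, true, false, false, true: the replayed copy verifies exactly like the original because nothing DKIM signs has changed, the tampered copy fails on the body hash, and only the replayed copy trips RecipientMismatch. In a production gateway the envelope recipient comes from the SMTP session (or a Delivered-To/X-Original-To header added by the MTA), and the comparison has to tolerate Bcc and list traffic, so it should feed a score or quarantine rule rather than reject outright.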

Companies also need to teach users to be wary of unsolicited invoices and to verify any claim by going directly to the official website or app, rather than calling a number printed in an email note.