Fake Norton and Paypal invoices
(but very real phishing attempts)
The creativity of Internet fraudsters provides us with ever-changing examples of potentially dangerous attempts to defraud you of your hard-earned cash. With a minimum of observation, while keeping your cool, the large majority of these attempts can be unmasked as wild shots-in-the-dark by not-so-clever, not-so-bright would-be fraudsters, hackers and thieves.
For example, today I received an e-mail with the following text:
From: Chang Angeline <leahousentid6@gmail.com>
Subject: Invoice Update: Order YC-NFRXC-50236
Dear customer,
We are pleased to confirm the receipt of your order (UZDNRUYOF857TA). Your subscription has been automatically renewed for uninterrupted service. Details are provided in the attached PDF.
The Purchase ID is NK1-38515/22.
Your client ID is 537963605.
Warm regards,
Customer Support Group
Already in this message we see several reasons for not trusting any of the contents:
Who is Angeline Chang? Never heard the name before.
From which company? None is mentioned in the e-mail.
Why is "Angeline Chang" sending apparent company mail from a private Gmail address? Easy, this is because any fraudster can get such an address for free in seconds.
What order YC-NFRXC-50236? I placed no order anywhere with this number. And why does the order number suddenly become UZDNRUYOF857TA in the text of the e-mail? Because both order numbers are imaginary, simply typed by randomly hitting a few keyboard keys.
What purchase ID? What client ID? Again, more random imaginary numbers.
What customer support group? Again, no identifiable information. Why? Because leaving out any identifiable information helps the message to pass through the spam filters.
Note that the PDF contains a barely visible watermark at the bottom right of the image, probably unnoticed by the fraudsters in their hurry to get the job done. Let's do some simple image enhancement:
"Converted to HTML with WordToHTML.net" is easily read. https://WordToHTML.net is a free online service to (among other things) convert a variety of documents to the binary format used by e-mail attachments. It is therefore an ideal resource to help low-budget hackers in their not-so-clever fraud attempts. BUT they did not realize that this free service comes at a price, in the form of an unobtrusive but still detectable watermark.
Here is the source of the e-mail, which contains some further information of interest. I will not discuss it here, but you can peruse it if you are technically oriented (it does contain further giveaways). Of course I blanked out some of my personal information in this listing and the above images.
Delivered-To: XXXXXXXX@gmail.com
Received: by 2002:a05:6a11:7a1:b0:530:4f8b:3589 with SMTP id nt33csp351535pxb;
Thu, 22 Feb 2024 06:17:17 -0800 (PST)
X-Received: by 2002:a05:6512:e99:b0:512:bdd3:150d with SMTP id bi25-20020a0565120e9900b00512bdd3150dmr8039049lfb.52.1708611436706;
Thu, 22 Feb 2024 06:17:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1708611436; cv=none;
d=google.com; s=arc-20160816;
b=js260wXByIPeBDTWb5FNU7I9PO7peMjG53lT1Qu5HTSpswB954QVXaGd/QGGgLk9Rp
PGwvJayzBfHk8Q3i7gWYFYZfhqFL6yXLNv4C+Twy3FmMTrb0nMgSiSV8tL3JB4IWiIO6
5bagXLXL36cDePhX183zF80fnES1rj9weyuoyzwAonBXvQY26/lNYjxGCRPFCOXaYxZ/
8fQvN+dUGUYmat4P4dsp9KCTzl7cYCFZUiq1/VRNuN3xOonYJqDz4sIuCdZKubOqceXb
7enHO+pcTWsRxhOxe1hNBSUdhAdrzv1E0lDgRV4Fn0Vw/EYKPFKf7McXNyVR5TA60pIa
DXeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:subject:message-id:date:mime-version:importance:from
:dkim-signature;
bh=T+TYxx19hW+lBzPKhPccU4uR8W0K6GtdjfwFUOk2p3w=;
fh=yXFbyrpXSIf/QsE81cvTU1wdR0Hw6cxZntGnvHy1bgA=;
b=Vqicx0h/QjougoWmeWZeIIhbHsjmUdS+efaW3xC4bkck9EC4h30BKZnpBLJJbls/8T
++RrXOmWXwohEpWrXopxigbmaCdShAuZmCCcmYPrLpPAWUAqwH1tlZaIWU1B5RzpZ/rG
/rCBzHG28nd270G0a9NrKfw2n3V1/QCebAEH/g+y8u954Ptq6lLTknxkJH0KNjBxTpBX
7tovWdTgUT324u036CV1oeZQ8tEAEgdWL+NmchWMDVIcrRcJ3X8H6n2yJsxT6NMjzuSt
jbbwWRHiWIYw1JcX9vXIIf9cqUV1bZUfYKOFs4fNUDQhcySeVddiv02VKRow4swDVsIg
ktGw==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=V3zSjsiF;
spf=pass (google.com: domain of leahousentid6@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=leahousentid6@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <leahousentid6@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id y15-20020a19914f000000b00512cca8fa9asor1323050lfj.8.2024.02.22.06.17.16
for <esava1953@gmail.com>
(Google Transport Security);
Thu, 22 Feb 2024 06:17:16 -0800 (PST)
Received-SPF: pass (google.com: domain of leahousentid6@gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=V3zSjsiF;
spf=pass (google.com: domain of leahousentid6@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=leahousentid6@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1708611436; x=1709216236; dara=google.com;
h=to:subject:message-id:date:mime-version:importance:from:from:to:cc
:subject:date:message-id:reply-to;
bh=T+TYxx19hW+lBzPKhPccU4uR8W0K6GtdjfwFUOk2p3w=;
b=V3zSjsiF8WrXdpbybsi21vtq3X6acOm88dvaZvui+VFYR/8ObPTIB6C7Y7zf2PGCPp
fKVg1hjyL3bD1u0pxS3olPj32tFIrRC8x/9FkE4DYJfDhjFJsZH9AxJ1WnoGEdQ7AyR5
kc69wte5CLHsRdwRPZltnLhwDPi3NDY4lOioxXfNIIEcIa0n5er4XPDjqk+D4d/rbXCF
dIjKL/m0+jx6Ca4KvBZWJEc1V6XHQSFmtJJV2ZD1+gNUPP/wtfCgxf1+6o2uG/Bauvia
/F6X4V+EYt2uUlLj3GDzEUHso7OBvBNGRA5U9jrvmG0i2zZ/xH9/Yc3y3F/aRApsh1/K
/aJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1708611436; x=1709216236;
h=to:subject:message-id:date:mime-version:importance:from
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=T+TYxx19hW+lBzPKhPccU4uR8W0K6GtdjfwFUOk2p3w=;
b=qxlhOOm/SjbyoC5Vmly/RHVQxLyXPW3weqaBluBJNLYKVu0NBXByfiGnHfa2xWP4Q8
3RSupfWeE6QNCMwbv2lmsjRXBrVYMHSuYbEdt3ucQeyiMmahFYLtX79/K1FDeGJ4Bm+Z
YohUQhXT5WqOkkfBDKXsUJ5TT6saamjHOnkVQvd7t/QETlJiD4CH1YcsKH47XY6p+MGB
Qu8JxSneXqF7B43VOPD6qWjO3vOCC15+a8b/ThmoHkbjAHWk8V6K0NCYBobjXZQuuLiV
4PCHhCOVzUF1KijlknnY8k5JfhgTzVxb1R34JDGk/kJGJ3juo9ObvE3mIiyqqAhqAJAo
xpsA==
X-Gm-Message-State: AOJu0Yyj6FaAAQEKBO3aQ41YPgDr9fCMRZOoJCoUJN2k9BJuz93D5M0b
0wVD+ih0DXRwg1GTxNm7eO2u7AZNZ/Grfcyp5Zu+MBlaB95V3UprvsbFjATtgIkfDE3cBBj0Dxp
uW3O4UzDtdODcnA90TUo4kXX4dGSpFAYZU+N2Rg==
X-Google-Smtp-Source: AGHT+IGw2kdHPv42G0Qh6AUs+VPjBqT6tm5gLhOG8Gaok5UBHiwaVkIAzztUBBhFhuotBElKaTVhQiA6b9cGqIi0FrU=
X-Received: by 2002:a05:6512:3445:b0:512:a885:c377 with SMTP id
j5-20020a056512344500b00512a885c377mr8206407lfr.60.1708611435682; Thu, 22 Feb
2024 06:17:15 -0800 (PST)
Received: from 527389738259 named unknown by gmailapi.google.com with
HTTPREST; Thu, 22 Feb 2024 06:17:14 -0800
From: Chang Angeline <leahousentid6@gmail.com>
X-MyCustomHeader: 7e867821-d99e-432d-9f93-f88d7831708f
X-Priority: 1
Importance: high
MIME-Version: 1.0
Date: Thu, 22 Feb 2024 06:17:14 -0800
Message-ID: <CAD36Rtw7hnypH2Stp-K4De8-fxTw=N--WpPDBfPauK7a1BLpGQ@mail.gmail.com>
Subject: Invoice Update: Order YC-NFRXC-50236
To: XXXXXXXX@gmail.com
Content-Type: multipart/mixed; boundary="000000000000af017d0611f919fe"
The rest of the message source contains as an attachment the PDF file seen above, which in turn only contains an image of the invoice (no renderable text, to make it more difficult for automated spam filters to identify this message as such).
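The giveaways in the listing above can also be checked mechanically. The following Python script is an added example, not the author's own code: it reads a constructed, condensed copy of these headers and reports what a defender would flag, and its From check applies equally to any display name that hides a free-mail address.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed, condensed copy of the headers listed above (folded values joined
# onto one line, signature blobs omitted) plus the first sentence of the body.
RAW_MESSAGE = """\
Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601; spf=pass smtp.mailfrom=leahousentid6@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from 527389738259 named unknown by gmailapi.google.com with HTTPREST; Thu, 22 Feb 2024 06:17:14 -0800
From: Chang Angeline <leahousentid6@gmail.com>
Subject: Invoice Update: Order YC-NFRXC-50236

We are pleased to confirm the receipt of your order (UZDNRUYOF857TA).
"""
FREE_MAIL = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com"}
REF_RE = re.compile(r"\b[A-Z][A-Z0-9-]{7,}\b")  # order/reference-style tokens

def from_giveaway(from_header):
    """Explain why a From header is suspect for company mail, or return None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in FREE_MAIL:
        return None
    # A display name sharing nothing with the mailbox is there to hide it.
    hidden = bool(name) and not any(p.lower() in addr.lower() for p in name.split())
    return f"private {domain} address" + (f" hidden behind display name {name!r}" if hidden else "")

def triage(raw):
    """Return the giveaways found in a raw message, as a list of strings."""
    msg = HeaderParser().parsestr(raw)  # headers only; the body stays a plain string
    findings = []
    # 1. SPF/DKIM/DMARC passing for a free-mail domain only proves the sender owns
    #    that free account; it says nothing about the company named in the invoice.
    auth = " ".join(msg.get("Authentication-Results", "").split())
    verdicts = dict(re.findall(r"\b(dkim|spf|dmarc)=(\w+)", auth))
    m = re.search(r"header\.from=([\w.-]+)", auth)
    passed = all(verdicts.get(k) == "pass" for k in ("dkim", "spf", "dmarc"))
    if passed and m and m.group(1) in FREE_MAIL:
        findings.append(f"authenticated only as free-mail domain {m.group(1)}")
    # 2. Company invoice sent from a private address, possibly behind a display name.
    if (reason := from_giveaway(msg.get("From", ""))):
        findings.append(reason)
    # 3. Submitted through the Gmail REST API rather than an ordinary mail client.
    if any("gmailapi.google.com" in r and "HTTPREST" in r for r in msg.get_all("Received", [])):
        findings.append("submitted via gmailapi.google.com with HTTPREST")
    # 4. The order number in the subject never reappears in the body.
    subj_refs = set(REF_RE.findall(msg.get("Subject", "")))
    body_refs = set(REF_RE.findall(msg.get_payload()))
    if subj_refs and not subj_refs & body_refs:
        findings.append(f"subject reference {sorted(subj_refs)} absent from body {sorted(body_refs)}")
    return findings
```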
A simple Google search brings us to the Norton LifeLock support web site, which has an entire section dedicated to scams involving fake Norton invoices. I am taking the liberty of copying a small part of their page below, which among other things contains a remarkably similar fake invoice:
The Norton web page says it all already. No one is charging you hundreds of US $ for a purchase you did not make. No one will be able to draw any money from your bank account unless you actively allow it. Simply ignore this fake invoice, block the sender of these e-mails, report the sender to Gmail (you only need a couple of mouse clicks on the Gmail web site, no complicated and time-consuming typing of any data), and get a good night's sleep.
I reported the message to Gmail, just to prevent some less technically savvy recipient of the same e-mail from becoming unnecessarily worried, and within minutes Google moved it to the spam folder of anybody who received it. Google also deleted the e-mail account of the sender of this spam.
The only risk to your money comes if you contact the sender of this (or a similar) e-mail in order to clear up the "misunderstanding". Likely they will ask you for plenty of personal details in order to "refund the transaction", and should you be so naive as to give them your bank account and/or credit card details (which they do not have but need in order to steal your money), then they may be able to attempt a withdrawal from your account or to use your credit card details for an online fraud, e.g. using them to pay for a mail order or online service. They can succeed only if you voluntarily give them the information they need, not otherwise.
A fake Paypal invoice
The idea behind this example is the same as in the preceding one. They send you by e-mail a fake Paypal invoice that thanks you for spending a large amount of money to buy an unspecified "whatever". The purpose of this scam is to make you contact this non-existent company and give them the details of your bank account, credit card, etc. so that you can "get a refund" (of course, once they have this data, they will take your money instead, or use your data for additional felonies, possibly causing the police to investigate you as an accessory to crime).
The first giveaway is that nothing says what you have purchased. The Quantity field in the invoice says "0.012 BTC", which seems to indicate a purchase of Bitcoin. Paypal does not sell Bitcoin.
The second giveaway is the awkward grammar and lack of punctuation (e.g., one does not say "the purchased has been sent").
The third giveaway is that the fake invoice does not identify you or your Paypal account in any way. The invoice is just a mass-mailing.
The fourth giveaway is that this message does not come from a Paypal e-mail address, but from gaviriajosefa209@gmail.com. Paypal does not send official e-mail from a private Gmail address. For what it's worth, Gaviria is an originally Basque family name, at present frequent in Colombia. The sender did make a simple attempt to conceal his address by writing "Thank You#6331258704" in the name field. In many e-mail clients, hovering with the mouse over this field displays the address.
A further, important giveaway is that Paypal will immediately send you an official e-mail notification (sent to the address you used to register on Paypal) whenever you make a transaction, including a payment. If you received no such official notification, almost certainly no payment has been sent from your Paypal account.
The 1-803 area code of the phone number in the invoice does not mean that there is a North Carolina company at that number (don't ever call it!). In fact, anyone in the world can easily buy a virtual 1-803 phone number (or almost any area code in almost any country), for example from this company.
As long as you simply ignore this invoice, you and your money are safe. If you do happen to have a Paypal account, for your own peace of mind just log in to your account (on the real paypal.com web site), verify that no such transaction has been made on your account, and have a good night's sleep (or whatever else you like to do).
An additional layer of security, specific to Paypal, banks and other payment sites, is to use, for logging in to these services, an e-mail address that you do not use for any other purpose. In this way, if you should receive an invoice purporting to be from Paypal or another payment service, check first of all to which of your e-mail addresses it has been sent. If it has been sent to one of your publicly known, general-purpose e-mail addresses, with high probability it does not come from any of these payment services, and may very well be a phishing/fraud attempt.