Spamming Someone from PayPal

Troy Hunt has identified a new spam vector. PayPal lets anyone send anyone else an invoice for $0, and the spam goes in the invoice's free-text notes field. Because the message is a genuine e-mail generated and sent by PayPal itself, it passes the sender-based checks that many traditional spam filters rely on, and only content inspection is left to catch it.

Presumably it doesn't cost anything to send a $0 invoice via PayPal. Hopefully, the company will close this loophole soon.

Posted on January 15, 2016 at 6:45 AM • 18 Comments

Comments

Mike Scott • January 15, 2016 7:59 AM

Paypal can stop people from sending invoices for $0 with a spam payload in the text field, because there's no legitimate use for a $0 invoice. But it's harder to see how they would stop people from sending invoices for $1 with a spam payload in the text field.

JB • January 15, 2016 8:48 AM

Good point. Since the goal of the spam is not to receive money, the invoice amount is irrelevant to the spammer. They'd just need to add a line to the bot script specifying an invoice amount.

David • January 15, 2016 8:55 AM

There is a legitimate use for a $0 invoice. It can serve to indicate that a bill has been paid and received and that the outstanding balance is now $0.

So you have to be a little more sophisticated than just unconditionally stopping all $0 invoices.

Andrew Conway • January 15, 2016 9:09 AM

Cloudmark is detecting this spam. It's not high volume for spam; we've seen it less than 10,000 times in the few billion messages that pass through our spam filters every day. We're currently filtering it based on the content of the message. In December the same company was sending out spam looking for distributors:
===============================================
Hello, dear sir/madam.

Our online shop Ja Boo Computers => skrylcomputers. com is looking for distributors of our cheap and quality electronics, laptops, smartphones, smart watches and other electronics.

We can bid the best prices as we order all products directly from Hong Kong's factories.

We have direct contracts with local authorities and companies what lets us receive the most desirable price.

Our cooperation with the China Post lets us economize on shipping up to 10% of the total price of each product and deliver any of our item within 3 business weeks.

Any of our products can be ordered online and payed securely with Pay Pal or Skrill.

If you are interested in cooperation with us on a dropshipping basis and in wholesale prices, please mail us.

Any dropshippers are welcome!

Sign Up process will let you become subscribed to our newsletters & receive 3% discount for all products.

You can reach our international office through the contact form.

We are looking forward to hearing from you!

Thank you

sincerely,

Sales Department

skrylcomputers. com

Jordan Road (Yau Ma Tei) 41, office 131

Hong Kong
===============================================

Gariel G • January 15, 2016 9:10 AM

@Mike Scott
There are legit reasons for 0 dollar invoices. A commercial entity allowing another entity to use goods or services for non-commercial use often uses 0 dollar invoices to track and enforce EULAs. Just one example.

There is, however, little reason for one account to send large numbers of 0 dollar invoices in a short period of time, and the text can be inspected for signs of spam.

Well • January 15, 2016 9:30 AM

The real victim is Paypal, because it will soon be more difficult for Paypal's mails to pass all spam filters.

Then, Paypal will start advising people to look for their mail in the spam folders.

As a result, a big chunk of users will start opening their spam folder more often.

The real winners, the spammers, will therefore see an increase of the click rate on their links.

Sasparilla • January 15, 2016 10:07 AM

Sounds like PayPal needs to shift over to using custom UserIDs instead of folks' e-mails as their identifying / contact name. Interestingly, eBay (who owned PayPal until recently) had to do this with their own User IDs previously.

John • January 15, 2016 10:18 AM

Paypal also needs to inform the user that they are being targeted by spammers that have obtained their Paypal account names; otherwise the end user won't ever know that information has been leaked/sold/stolen etc.

Ronda • January 15, 2016 1:46 PM

Paypal also displays the recipient's home email (not the business email they want you to have) in the CGI string when you pay an invoice.

steven • January 15, 2016 2:59 PM

For fun, PayPal should charge say, $0.0001 deposit on sending an invoice (perhaps reimbursed upon receiving payment) just to see how much spammers are willing to pay, per email sent.

Allan Ewing • January 15, 2016 10:08 PM

@Mike Scott: "there's no legitimate use for a $0 invoice". Strongly agree with you. Sending zero invoices generally speaking is forbidden. It either is a proforma or no invoice at all. All those people stating that there are legit reasons for zero invoices should be forced to perform an internal audit of an invoice / credit note listing that contains several hundred zero invoices!

Evan • January 15, 2016 11:01 PM

@David, others:

Don't you need an email address to send a Paypal invoice anyway? If you need to send someone an acknowledgement of payment or something, and you have their email, you can just send a regular email instead of using Paypal, can't you? The point seems to be that people open Paypal emails, which is what makes $0 invoice spamming attractive.

Jeffrey Deutsch • January 17, 2016 9:27 AM

Don't think there's a legitimate reason to send $0 invoices? Tell that to my credit card companies, which routinely send me such after I pay my balance in full. These invoices are really receipts that help everyone keep better records.

It's not like we don't have better targeted safeguards. Like limits on how many can be sent in a short period and scans for certain kinds of things commonly used with spam and phishing, just like Gariel G said.

Btw, Gariel, how exactly do the $0 invoices help the seller track and enforce EULAs (when allowing, say, a non-profit to use its services free)?

szigi • January 18, 2016 8:31 AM

@Allan Ewing: There are countries outside of the US, with different accounting rules and principles. So saying that a 0 invoice is nonsense is false.

ianf • January 18, 2016 12:23 PM

Tsk, tsk, szigi, go back to your double-, if not triple-digit-banana land, and quit instructing Americans what they shouldn't classify as nonsense. When you've exploded an A-bomb or two, and acquired 2nd strike delivery capability, you can apply for the seat at the big table. Until then you better remember that, in life as in business, only Gringo customs count, and no American legally can be expected to adopt other p.o.v. than such summarized in the iconic 1976 Saul Steinberg's "View of the World from 9th Avenue" New Yorker magazine cover: https://upload.wikimedia.org/wikipedia/en/4/4d/Steinberg_New_Yorker_Cover.png

Also, for added effect, tattoo these eternal words of LBJ (here paraphrased) on the insides of your eyelids: "when you've got the world by the balls, its mind and heart will follow."

James B • January 18, 2016 7:22 PM

It seems like this would not be profitable for spammers. The effort to set up a verified Paypal account is pretty big. I would think PayPal would shut them down pretty fast (as soon as they started getting complaints). The number of invoices the spammer could send would be pretty small, I would think, so the ROI would be low.

Several strategies PayPal could employ (some already mentioned in other comments):

1. Limit the number of invoices / period (day, hour, etc.) that an account can send.

2. Put very stringent limits (like sending 1 invoice per hour or even per day) on new accounts for the first x period of time and/or until x transactions have been completed on that account.

3. Put slowly deescalating limits on the number of invoices an account can send. Require that some percentage of them get paid or acknowledged before relaxing the limits. E.g. start at 1 per day. After 5 have been paid / acknowledged, increase to 10 per day. After 50 have been acknowledged, increase to 25 per day. Etc.

4. Require random captcha or other Turing test verification based on number of invoices or rate.

5. Create a rating system (similar to what credit card companies use to detect fraud) to identify 'spam-like' activity. Require an independent confirmation upon tripping such limits.
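
Added example (not code from the post, from any commenter, or from PayPal): a small Python policy check that combines James B's tiered per-account rate limits (strategies 1 through 5 above) with the note-field inspection Gariel G and Jeffrey Deutsch mention. The account fields, the tier thresholds, the rolling 24-hour window and the link regex are hypothetical assumptions; the note text in the usage is a constructed sample modelled on the spam quoted in this thread, not a captured message.

```python
"""Toy invoice-sending policy: tiered rate limits plus note-field inspection.

Added example; hypothetical account model, not a real payment provider's code.
"""
import math
import re
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical tiers after James B's numbers: once an account has had N invoices
# paid or acknowledged, it may send up to M invoices per rolling 24-hour window.
TIERS = [(0, 1), (5, 10), (50, 25)]
WINDOW_SECONDS = 24 * 3600

# Crude link detector for the note field: "http(s)://..." or a bare domain.
# A production filter would use a proper URL parser and domain reputation.
LINK_RE = re.compile(
    r"(?i)(?:https?://\S+|\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|cn|io|biz|info)\b)"
)


@dataclass
class Account:
    """Hypothetical per-account state a payment provider would already hold."""
    paid_count: int = 0                          # invoices paid or acknowledged
    sent: deque = field(default_factory=deque)   # send timestamps, oldest first


def daily_limit(acct: Account) -> int:
    """Highest tier whose paid/acknowledged threshold the account has met."""
    limit = TIERS[0][1]
    for threshold, per_day in TIERS:
        if acct.paid_count >= threshold:
            limit = per_day
    return limit


def note_has_link(note: str) -> bool:
    """True if the free-text note carries a URL or bare domain."""
    return LINK_RE.search(note) is not None


def check_send(acct: Account, amount: float, note: str,
               now: Optional[float] = None) -> str:
    """Decide 'allow', 'captcha' or 'block' for one invoice send, recording it.

    - a $0 invoice whose note carries a link has no billing purpose: block
      (David's zero-balance receipt carries no link, so it still passes);
    - a non-zero invoice with a link gets a challenge, because, as JB notes,
      the amount is irrelevant to a spammer, so the note is inspected anyway;
    - rate: the first half of the daily allowance is free, the second half
      is challenged, and anything beyond the limit is blocked.
    """
    now = time.time() if now is None else now
    # Drop sends that have fallen out of the rolling window.
    while acct.sent and now - acct.sent[0] >= WINDOW_SECONDS:
        acct.sent.popleft()

    if amount == 0 and note_has_link(note):
        return "block"

    limit = daily_limit(acct)
    used = len(acct.sent)
    if used >= limit:
        return "block"

    challenged = used >= math.ceil(limit / 2) or note_has_link(note)
    acct.sent.append(now)
    return "captcha" if challenged else "allow"


if __name__ == "__main__":
    # Constructed sample note modelled on the spam quoted in this thread.
    spam_note = "Good day, shop cheap electronics with us. skrylcomputers.com"
    fresh = Account(paid_count=0)
    print(check_send(fresh, 0.0, spam_note))            # block: $0 plus a link
    print(check_send(fresh, 1.0, "Please pay"))         # allow: first of the day
    print(check_send(fresh, 1.0, "Please pay"))         # block: new account, 1/day
```

check_send is meant to run server-side at the moment an invoice is submitted, where the provider already knows the account's history; the $0-plus-link rule targets exactly the vector in the post while the tiered limit keeps a freshly verified account far below spam volume until it has real paid invoices behind it.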

Tony H. • January 18, 2016 7:32 PM

Surely the spammy invoices are for $0 because if they issued them for, say, $1, and someone paid one, that's pretty clear evidence for a fraud prosecution. Sure, the police don't generally have time or motive to chase $1 frauds, but I'll bet there's a lot more chance of prosecution if you send out a million false $1 invoices than a million $0 ones.

Tabs • January 19, 2016 12:11 AM

I got a few of these. Seems they are trying to get clicks. I'm guessing they have ads on their site or something. Paypal needs to wake up to a single person sending mass invoices for $0.00. Maybe we should spam back.

catholicwork@hotmail.com

Matew Megason sent you an invoice for $0.00 USD.

Note from Matew Megason
Good day, become our family memeber, shop cheap electronics online with us. Please, do not hesitate to visit our online store & subscribe. skrylcomputers.com

Cheap, quality and brand new electronics. Good prices & 3% discount. Cheap electronics.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.