I’ve recently got fed up going round and round in circles with PayPal trying to get them to admit that their own emails are not actually phishing scams!
Yes, you read that right. The problem is that PayPal’s own email campaigns encourage users to click on links to domains that look to the suspicious eye like a phishing scam. PayPal’s own spoof detection service identifies these emails as “likely fraudulent” and if you contact PayPal directly, they’ll repeatedly deny all knowledge of the domains in question being their own.
Let’s have a look into this sorry story…
Firstly, here’s the start of a typical example email, sent to me on March 3rd from “PayPal@mail.paypal.co.uk”:
Unlike normal phishing emails, this email addresses me by my full name and is literate. The problem comes if you assess the target domain of the “Log In Now” button. Here’s the tooltip:
Destination address “epl.paypal-communication.com” looks suspiciously like a typical phishing domain. Any security-aware user ought not to click on such a link. I don’t particularly want to be visiting a site that for all I know might be serving up ransomware via an exploit kit!
I had a look online and found discussion at https://www.paypal-community.com/ which included references to this target domain with users asking after it because they were suspicious. Here’s what one user said:
And a third:
And the response from the PayPal moderator? (Details hidden to save the blushes.)
I decided to dig around a bit. A WHOIS on the domain said it is registered to PayPal (via a company called MarkMonitor who protect brands):
Then I looked at the SSL certificate of the domain:
That is an Extended Validation SSL certificate issued by DigiCert to PayPal.
At this point I was sure it had to be legitimate and so contacted PayPal support and told them the story so far. In my message I included the following:
On the assumption that this is indeed genuine, can I suggest that perhaps you ensure that all emails you send with links in go only to paypal.com or paypal.co.uk?! Otherwise, you’re making it very difficult for users to tell what is legitimate and what is not.
For my trouble I got a standard automated reply with general educational info on phishing emails and the comment, “If we haven’t answered your question, please reply to this email and our team will answer you as soon as possible”.
If they’d bothered to read my email properly they’d have known I had gone beyond that stage. This sort of automated response irrespective of what you’ve said – especially since you have to reply to it to even get a human response – is the ideal way to frustrate your customers!
I also forwarded the email to their spoof detection service (in my case firstname.lastname@example.org). Here’s the reply I got:
Unbelievable! And how indecisive is “likely fraudulent” anyway?! I tested the actual link in the email by running Chrome inside Sandboxie for added safety. It redirected to paypal.com which suggests all is well. Replying to the automated support email, I gave them the newer information and the verdict of their spoof service and asked them to look into it. I got the following response. I’ve just shown the start as you’ll get the idea…
Feeling increasingly exasperated, I emailed back and said that either the domain was legitimately theirs, or DigiCert had issued an EV SSL certificate in their name to a third party, “which would be a major security issue and absolutely catastrophic for their business too!”. I encouraged them to escalate it.
The reply asked for me to forward them the email:
I tried to cut a corner as I’d deleted the email by then:
Please can you simply clarify whether a link to https://epl.paypal-communication.com is a valid destination address to have in an email from PayPal. There is every sign that it is (the domain appears to be registered to PayPal!) …
The response was, shall we say, “frustrating”:
I emailed straight back:
I have not said I received an email saying there is suspicious activity in my account. You too have now said that the email is not from PayPal. In that case, please can you explain why the link it asks me to log in to is at a domain formally registered to PayPal and with a PayPal SSL certificate on it?
Needless to say, every single message was from a different person – no attempt to take ownership of a problem and run with it.
I eventually got a phone call and was passed from person to person three times. Everyone sounded quite interested in and intrigued by the story and the technical details. I’m sure one of them said they were basically told to deny any domain that did not end in paypal.com or paypal.co.uk but he was clearly struggling to deny the domain I was telling him about! I was told I would hear back. I left the phone call feeling happier that this would be escalated to someone in the know. A few days later I prodded them for an update and told them I’d had another similar email. I finally got a new reply in my PayPal message centre. It took things to a whole new level of ridiculousness:
That last sentence shows how much I’ve been wasting my time. How can they possibly say a subdomain of paypal.co.uk is not theirs? I first decided to prove that that domain could receive email:
As we will see in a minute, the result was quite instructive. If you also do a SmartWHOIS to find who is responsible for the IP block that the epl.paypal-communication.com domain is on, you get the following:
“Epsilon Data Management” owns the IP block and, judging by the Mail Exchanger record name, runs the mail server and presumably is the explanation for the “epl.” at the start of the main domain name that set this hunt all off. So, who are Epsilon Data Management? Here’s part of what their website says they do:
This all sounds very like the sort of emails that contain these links!
I’d sent one more email to PayPal which included this rebuttal to their latest claim:
I’ve confirmed that there is a DNS MX Record for domain “mail.paypal.co.uk” which shows it is a legitimate domain that can receive email. Also, since it is a child domain of paypal.co.uk, it MUST by definition belong to the same owners as “paypal.co.uk”! So how can you say it does not belong to PayPal?
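As an added example (not code from the original post, nor anything of PayPal’s), here is a small Python script that applies the rule suggested earlier: pull every link target out of an email body and flag any host that is not paypal.com, paypal.co.uk or a genuine subdomain of them, using a label-boundary test so that mail.paypal.co.uk passes while paypal-communication.com and paypal.co.uk.example.net do not. The sample email body is constructed; certificate_org is a live helper (needs network) that reads the organisation out of the served certificate the way the post did by hand.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The author's proposed rule: email links should land only on these domains.
ALLOWED_DOMAINS = ("paypal.com", "paypal.co.uk")

def host_belongs_to(host, parent):
    """True if host is parent or a real subdomain of it (label boundary):
    mail.paypal.co.uk belongs to paypal.co.uk; paypal-communication.com,
    notpaypal.com and paypal.co.uk.example.net do not."""
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def classify_links(html):
    """Map each link to True (allowed domain) or False (needs review)."""
    parser = LinkExtractor()
    parser.feed(html)
    result = {}
    for href in parser.links:
        host = urlsplit(href).hostname or ""
        result[href] = any(host_belongs_to(host, d) for d in ALLOWED_DOMAINS)
    return result

def certificate_org(host, port=443, timeout=5):
    """Live check (needs network): organizationName from the subject of the
    TLS certificate the host serves, the detail the post read off by hand."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    return subject.get("organizationName")

# Constructed sample body modelled on the email described in the post.
SAMPLE_EMAIL = """<p>Dear A N Other,</p>
<a href="https://epl.paypal-communication.com/track?x=1">Log In Now</a>
<a href="https://www.paypal.co.uk/uk/help">Help</a>
<a href="https://paypal.co.uk.example.net/login">Account</a>"""
```

Run classify_links(SAMPLE_EMAIL) to see the “Log In Now” link flagged for review while the www.paypal.co.uk link passes.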
I got one more message from PayPal before I gave up in disgust:
After some more hunting around the PayPal site, I found one more thing of interest – on PayPal’s “List of Third Parties (other than PayPal Customers) with Whom Personal Information May be Shared” page:
Quote: “To execute outbound communication campaigns including but not limited to email and push notifications.”
The story doesn’t end here. I tried taking it to Twitter and sending Direct Messages to @AskPayPal (PayPal Support). I gave a very brief version of the case and at their request sent a screenshot of one of the emails – with the tooltip link visible. I also sent a screenshot of the SSL certificate. I got a much more positive response:
I provided some more info, including about Epsilon. I got another reply:
And the next response, which unfortunately was from someone else:
I managed not to die of frustration when told to forward it to the spoof service again. But then, there was a final bit of acceptance:
And that’s where it ends. …
And this is a company I’m entrusting with access to my money? The left hand doesn’t seem to know what the right hand is doing – in fact, it just denies all knowledge of its existence despite all evidence to the contrary. That coupled with the generally poor support experience leaves me … shall we say … “not overly-enamoured” of PayPal now.
The Twitter chat had closed with the following.
I couldn’t bring myself to click on it…
Update – June 2017
The last couple of emails I’ve received from PayPal have still contained the same domain in the Login links but at least their Spoof service is no longer reporting them as being likely fraudulent. Their current educational information about spotting phishing attacks encourages you to see if they address you by name. I’ve received plenty of phishing emails that know my full name and one piece of spam knew my full postal address too! Their educational info also lists various things their emails won’t ask you to do or type in. They do also encourage you to log in directly via their site but it would be far better if they included no login button in their mass emails at all!