Friday, November 26, 2021

How did this PayPal spoof email pass SPF, DKIM and DMARC

This mail that got through has me stumped. It appeared to me as being from PayPal <unclaimedproperty@paypal.com> in my Inbox. I happened to look at the original and it says SPF, DKIM and DMARC all passed.

If I'm reading this right, 74.112.67.243 connected to mail2550.paypal-notification.com and sent the mail. They used a Return-Path: <blahblah@bounce.paypal.mkt2944.com>.

bounce.paypal.mkt2944.com (currently) has an SPF record of v=spf1 a ip4:208.85.50.137 ip4:74.112.67.243 -all. So OK, they set up a spam mailer and worked it so SPF passes (the mail server paypal-notification.com is gone, seemingly owned by MarkMonitor now, so somebody else noticed this).

But then the DKIM signature has

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type: X-CSA-Complaints:List-Unsubscribe;

Is this not saying "I'm signing all these headers with the key whose public portion is in a TXT record at spop1024._domainkey.paypal.com" (which exists)?

This passes, to my surprise:

Authentication-Results: mx.google.com;
       dkim=pass

I've looked over and over to see if it's a close-cousin typo thing, or unicode address, etc. But it really seems to be signed by that paypal.com key...?

After that, it's still unclear to me why DMARC then passes -- I thought the From: address had to be "aligned" with the Return-Path:?

Delivered-To: <me@gmail.com>
Received: by 2002:a4a:804a:0:0:0:0:0 with SMTP id y10csp7519296oof;
        Mon, 22 Nov 2021 12:45:16 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyxHoL8oksdcw38NnmHlTdPo1UfJoTCZ/wFDToSgMfRPG6WgHlKDtKbSjMXNh5t44nHazym
X-Received: by 2002:a25:4543:: with SMTP id s64mr27510605yba.304.1637613916462;
        Mon, 22 Nov 2021 12:45:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1637613916; cv=none;
        d=google.com; s=arc-20160816;
        b=OvsnJASmnJT63M3MSQlcKCnmxHpmorUbQJk3lIVXRyjM6CXvrRuJ2J1TDvDEOlt3lu
         EzKQHgL++dswppXvJFLxkPxHq8cwPy4JBpvYmk1y1kqcuAE+tB2UJjjm+g2Fv1akRO9N
         iie60J6CAhOYz+6w/1bnJ7K0AIVdy9OKVTt1KECqGLzrB7/HFtPZ5i/BFObcP9tC53Ok
         ULyOlVLCM+iLNvmS9xFfz1YAzR+TDj5/OKUxdT0N96Ut+sVScBF2heLQvceZPv5nw9j0
         VCQjSS/e38koGlh+14We/6o74OHuGkF+pwgaRwfiW3hZtOx0echGxgMUMKB+E+bpV0JB
         PvhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:mime-version:subject:message-id:to:reply-to:from
         :date:dkim-signature;
        bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=;
        b=AndF29ToqFkXaC88xiijwW2WKaK/3o+FURvx6HVtLghatUDEyVEr4VymEzez9Ijtrf
         Jogh9LH/sqLdrLTBN3oVgNoQlGUrf131M5aK5wrf18hCk54LrIHW1v1BA8Gsl4cO7PZ2
         I+kgLQJY+85mIA1L/NZXKvViNlehHXTjwQCHtnfcdWCuIbrb7OTpDu3SW1kFQ+Wjy6Xt
         Jnm/LXZyT6bexBCXJsISEywM8EwuyD7uz0Rm7O+Pw+AU1pYVt2qArFk2hRHiXeTrB57I
         Yp6n2JM79y420UIVv9o/oPJloQcFdnp45sDxv85tr6DhZpvHlH3v3o3doiy2kC6vaBQU
         aXkQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paypal.com header.s=spop1024 header.b=NSAupQiY;
       spf=pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) smtp.mailfrom=v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>
Received: from mail2550.paypal-notification.com ([74.112.67.243])
        by mx.google.com with ESMTPS id n184si7359975ybn.210.2021.11.22.12.45.16
        for <me@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 22 Nov 2021 12:45:16 -0800 (PST)
Received-SPF: pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) client-ip=74.112.67.243;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paypal.com header.s=spop1024 header.b=NSAupQiY;
       spf=pass (google.com: domain of v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com designates 74.112.67.243 as permitted sender) smtp.mailfrom=v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com; h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type: X-CSA-Complaints:List-Unsubscribe; i=unclaimedproperty@paypal.com; bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=; b=NSAupQiYb884cGVqugiXkhz/FlcoddCqXJLcD+gwE2xFNP+27ZRQFCGOL61uEai1EdgqXLS0FKSV
   1ttmHVRu1H/So/7kxAm93NuGJGDe0K5/t9LK3QQF1bTQv7OHjBOi3FhmFvhSs1roN2q4r+8FxhmR
   HBqxI9Sbw63gjSDL7C8=
Received: by mail2550.paypal-notification.com id hjg0lo2r7aoj for <me@gmail.com>; Mon, 22 Nov 2021 20:37:22 +0000 (envelope-from <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>)
Date: Mon, 22 Nov 2021 20:37:22 +0000 (GMT)
From: PayPal <unclaimedproperty@paypal.com>
Reply-To: unclaimedproperty@paypal.com
To: me@gmail.com
Message-ID: <432115452.269147071637613442797.JavaMail.app@rbg41.atlis1>
Subject: Notice of Unclaimed PayPal Funds
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_1300052_1672151020.1637613438245"
x-mid: 70903810
X-CSA-Complaints: csa-complaints@eco.de
x-rpcampaign: sp70903810
x-job: 70903810
x-orgId: 35487
List-Unsubscribe: <http://links.paypal.mkt2944.com/luoo/v1/...>, <mailto:v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com?subject=Unsubscribe>

Am I missing something obvious?!
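The alignment question has a mechanical answer in RFC 7489: DMARC passes when either the SPF-authenticated domain (the Return-Path domain) or the d= domain of a passing DKIM signature aligns with the From: domain, and under the default relaxed mode "aligns" means the two share an organizational domain. The Return-Path therefore does not have to align as long as a valid DKIM signature does. The following Python script is an added example, not part of the original post; it applies that rule to a trimmed copy of the headers quoted above (the b= signature value is omitted). It assumes the spf=pass and dkim=pass verdicts already reported by the receiver, and it approximates the organizational domain as the last two labels rather than consulting the Public Suffix List.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three headers from the quoted message that decide DMARC
# alignment. The DKIM b= value is replaced by a placeholder; nothing here is verified
# cryptographically, only the alignment logic is exercised.
SAMPLE_HEADERS = """\
Return-Path: <v-edjoiac_ibeieokafk_iekbmfgb_iekbmfgb_a@bounce.paypal.mkt2944.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=spop1024; d=paypal.com;
  h=Date:From:Reply-To:To:Message-ID:Subject; i=unclaimedproperty@paypal.com;
  bh=CXo6gpd99q61PdtNQYL0HweNp45DQK9gDadq1QHszOQ=; b=SIGNATURE-OMITTED
From: PayPal <unclaimedproperty@paypal.com>
"""


def unfold(headers: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def get_header(headers: str, name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in unfold(headers):
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def parse_dkim_tags(sig: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (tags are ';'-separated)."""
    tags: Dict[str, str] = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def address_domain(value: Optional[str]) -> str:
    """Domain of the address in a From:/Return-Path: value, with or without <> brackets."""
    if value is None:
        raise ValueError("required header missing")
    match = re.search(r"<([^>]+)>", value)
    addr = match.group(1) if match else value.strip()
    return addr.rsplit("@", 1)[-1].lower()


def organizational_domain(domain: str) -> str:
    """Registrable domain, approximated as the last two labels (assumption: no PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(headers: str, spf_result: str = "pass", dkim_result: str = "pass",
                   adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """DMARC verdict: pass if the SPF domain OR a passing DKIM d= domain aligns with From:."""
    from_domain = address_domain(get_header(headers, "From"))
    spf_domain = address_domain(get_header(headers, "Return-Path"))
    dkim_domain = parse_dkim_tags(get_header(headers, "DKIM-Signature") or "").get("d", "")
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = dkim_result == "pass" and bool(dkim_domain) and aligned(from_domain, dkim_domain, adkim)
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "spf_aligned": spf_aligned,
        "dkim_domain": dkim_domain,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for key, value in evaluate_dmarc(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run on the sample, the SPF identifier (organizational domain mkt2944.com) does not align with paypal.com, but the DKIM d=paypal.com does, so the verdict is "pass" exactly as Google reported. Flipping dkim_result to "fail" turns the verdict into "fail", which is the point for a defender: once a third-party sender holds a valid signing key for the organizational domain, SPF alignment of the bounce address is irrelevant to DMARC, so selector inventory and key retirement matter as much as the SPF record.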

update

It really does seem to pass DKIM.

$ opendkim-testmsg < Notice\ of\ Unclaimed\ PayPal\ Funds.eml
$ echo $?
0

update 2

Almost definitely a compromise of/via Acoustic, which was apparently once called "silverpop".

We're 10-year Acoustic Campaign veterans - original beta testers and daily users of the marketing automation tool for the last decade, since it was called Silverpop and then IBM Watson Campaign Automation.

The DKIM key -- spop1024._domainkey.paypal.com, from googling, refers to "silverpop 1024" (here's Wikimedia getting rid of it https://phabricator.wikimedia.org/T214525). This is a legitimate key, but old. The classic "it's an older code, Sir, but it checks out" attack with a forgotten host, maybe?

74.112.67.243 is owned by "acoustic.co". It sent the message and signed it. Not sure where the mail2550.paypal-notification.com bit comes from; it's now owned by MarkMonitor.

Also, the List-Unsubscribe: <http://links.paypal.mkt2944.com/luoo/v1/...> link seems legitimate. http://links.paypal.mkt2944.com still has some landing page branded with silverpop. This suggests to me the service actually "constructed" this mail, rather than, say, a plain open-relay situation.

As noted below, this does not include any obvious phishing login links. The idea must be that you log into your account legitimately, and can't find your "unclaimed funds" and call the phone number at the bottom of the email with your "client id".

This PayPal account is actually closed, but was registered in California when I lived there (this fact, and that it made it into my inbox, was what got me looking at it closely). "Send this message to old accounts in California" seems like the type of thing this Acoustic marketing mail stuff does, so maybe that is related.

Dastardly ... I wonder how many hits they got from this ...



from Hacker News https://ift.tt/3nUIDmj
