PayPal is making it too easy for the zero dollar invoice spammers

David bisson
David Bisson

A security researcher has uncovered a new form of PayPal spam: zero dollar invoices that evades the company’s filters and fails to trigger the typical characteristics of a suspicious email.

In a post published on his website last week, Australian security expert Troy Hunt shared an image of a curious PayPal invoice he had received for the mighty sum of… $0.00.

Paypal zero invoice spam

The invoice comes with a note from a “Monika Jackson” that reads as follows:

Sign up to our free newsletter.
Security news, advice, and tips.

“Good day, become our family memeber [sic], buy cheap electronics online with us. Please, do not hesitate to visit our online store & subscribe. [URL removed]. Cheap, quality and brand new electronics. Good prices & 3% discount.”

Hunt goes on to explain how the email originated from [email protected], the mail headers were legitimate, and the “View and Pay Invoice” button linked directly to PayPal’s homepage.

PaypalIn the absence of usual spoof email indicators, the researcher tweeted out the image.

After going back and forth with @AskPayPal, PayPal’s support team asked the researcher asked to contact the company via a direct message, which led to an equally less-than-productive conversation:

@AskPayPal: Please send us a DM so we can discuss further

@troyhunt: Here is a DM!

@AskPayPal: Can you confirm what email address you received the email from?

@troyhunt: Yes, it came from [email protected]

@AskPayPal: Do you have an email address for the person invoicing you $0?

@troyhunt: Yes, the one in the screen grab!

@AskPayPal: There is no email address in the screen grab

@troyhunt: Yes there is, here’s a massively zoomed in pic for you

@AskPayPal: I recommend deleting that tweet, it has your personal info

@troyhunt: It has my email address – I get email by sharing it with people who might want to send me email!

As of this writing, PayPal has yet to address the issue. This silence has in part led Hunt to recommend that the web payment company flag as suspicious any and all accounts that send out multiple $0.00 invoices.

“Without any feedback from PayPal or other evidence to the contrary, it looks like they’re serving as the delivery mechanism for spam which, of course, won’t be flagged as spam because it’s a ‘legitimate’ email from them. The message in the ‘invoice’ is quite clearly just that – spam – and this is almost certainly an abuse of the PayPal invoicing system.”

Whether PayPal ultimately decides to do anything with these spam emails remains to be seen. But there’s nothing preventing customers from trying to move the online payments company in one direction over another.

If you see a $0.00 invoice or other suspicious email from the company, please send it to [email protected]. You’ll be doing all PayPal users a favor.

Update: A PayPal spokesperson has contacted us with the following statement:

“This is not an intended use of one of our merchant services and we are taking steps to prevent this from happening.”

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

5 comments on “PayPal is making it too easy for the zero dollar invoice spammers”

  1. Techno

    I find myself breathing a sigh of relief that at least it isn't delivering a nasty payload. It's quite ingenious, and Paypal can simply suspend their account surely. It also must be a lot of trouble for them, unless they have managed to automate it somehow,

  2. Simon

    Ingenious indeed.

    I'd imagine there be no logical reason to submit a $0.00 invoice and this flaw quashed to begin with. Having said that, I'm no accountant either…

    If this bug is rectified and spammers are keen, they could simply pay $0.01 for every spam email they disguise via PayPal (albeit targeting well-known SMB's or bigger businesses), but they'd have to be pretty desperate… I doubt they'll do this willy nilly.

  3. furriephillips

    How about PayPal's ridiculous SPF record, which allows their domain to be spoofed?

    % host -t TXT | grep spf descriptive text "v=spf1 ~all"

    % host -t TXT | grep spf descriptive text "v=spf1 mx ~all"

    It's like they don't give a toss about their customer's safety.

    Just replace "~all" with "-all", to enforce SPF. It's a no-brainer.

  4. Tech-challenged

    Actual emails from PayPal will Always be addressed to you by name. I get plenty of spam supposedly from PayPal and always forward them to PayPal. Have learned to Never click on links in emails. Instead I click from search links and that is an extra protection since I can't always tell what is spam and what isn't. Haven't gotten this particular email…yet…but will do as I always do and then check my PayPal msgs. Thanx for the warning.

  5. Deb

    I've never had much success with PayPal support either. They always seem to misunderstand what the problem is, or fail to offer any real help. Usually I just receive some standard boilerplate text that doesn't address the root cause of the issue, and doesn't offer any useful advice. The chat transcript that the author published is quite typical of the conversations that I have had as well.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.