Real PayPal Emails Used to Take Funds and Give Malware

August 5, 2016

PayPal is again being used by crafty cyber criminals to trick unsuspecting customers out of their money and to install malware. In this case, an email arrives in the victim's inbox stating that $100 has mistakenly been sent via PayPal and transferred to his bank account. Of course, a link is included, and if it is clicked, a variant of the Zeus malware is set loose. It is being called the Chthonic banking Trojan.

The sneaky part is the use of a legitimate PayPal account and a message sent directly by PayPal. The notification, "You've got a money request," is unlikely to be flagged as spam because it is not a forged email: it really does come from PayPal's own systems, so sender checks pass. Anyone can create a PayPal account for free, and that is exactly what the scammers are doing in this case.


In addition to asking for money, the link redirects to a site that installs the Chthonic Trojan along with a second module called AZORult. What that second module does is not yet known.

Whenever a message like this is received, especially if it is asking for money, take a bit of extra time to really examine it. The few extra minutes you spend looking closely are unlikely to cause any harm, even if the email turns out to be genuine. Regardless of whether or not the link is legitimate, go to your account separately and view any messages there rather than clicking links in the email. Use the URL that you know is the correct one, or a previously bookmarked link.

Jim Stickley of Stickley on Security found that PayPal appears to have put a partial fix in place. Stickley said, "In testing, we have found that PayPal does modify any URL included in a message for a PayPal money request. This is done by removing certain characters from the URL to prevent it from functioning properly." However, he found that the message attached to a PayPal invoice request still passes a potentially malicious URL through, and the link in the resulting email message is indeed clickable. He noted that "inside the PayPal account, links are not clickable but can be copied and pasted," so the URL can still reach the victim by that route.
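The reason ordinary spam filtering misses this campaign is that every sender-side check passes: the mail really is from PayPal, and only the free-text note supplied by the requesting account is hostile. A content check that keys on that gap is shown below as an added example; it is not code from the article or from Stickley on Security, and the two messages, the allow-list of PayPal domains, and the label names are all constructed for illustration. It assumes SPF/DKIM validation of the From: domain has already happened upstream, and it flags any PayPal notification whose body links to a host outside PayPal's own domains, which is exactly the shape of the money-request and invoice messages described above.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample 1: a real PayPal money-request notification whose
# sender-supplied note carries an outside link (the pattern in this article).
REQUEST_WITH_EXTERNAL_LINK = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.org
Subject: You've got a money request
Content-Type: text/plain; charset=utf-8

Hello, a PayPal member has sent you a money request for $100.00 USD.

Note from sender:
We mistakenly sent $100 to your account. Please review the transfer here:
http://refund-paypal.example/review?id=123

Log in to PayPal to respond: https://www.paypal.com/myaccount/activity
"""

# Constructed sample 2: the same kind of notification with no outside link.
CLEAN_REQUEST = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.org
Subject: You've got a money request
Content-Type: text/plain; charset=utf-8

A PayPal member has sent you a money request for $25.00 USD.
Log in to PayPal to respond: https://www.paypal.com/myaccount/activity
"""

# Domains treated as PayPal's own. This is an assumption for the example;
# a deployment would take it from the organisation's allow-list.
PAYPAL_DOMAINS = {"paypal.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def is_paypal_domain(host):
    """True if host is a PayPal domain or a subdomain of one.

    The suffix check is anchored on a leading dot, so look-alikes such as
    'paypal.com.evil.example' or 'notpaypal.com' do not match.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PAYPAL_DOMAINS)


def sender_domain(msg):
    """Domain part of the From: address (assumed already SPF/DKIM validated)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def external_links(raw):
    """All http(s) URLs in the text body whose host is not a PayPal domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return [u for u in URL_RE.findall(body)
            if not is_paypal_domain(urlparse(u).hostname)]


def classify(raw):
    """Label a message for the mail pipeline.

    'not-from-paypal'  : ordinary phishing, left to the usual filters
    'paypal-notification-with-external-link' : the abuse pattern in the article
    'clean'            : genuine notification with PayPal-only links
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_paypal_domain(sender_domain(msg)):
        return "not-from-paypal"
    if external_links(raw):
        return "paypal-notification-with-external-link"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("request", REQUEST_WITH_EXTERNAL_LINK),
                         ("clean", CLEAN_REQUEST)):
        print(name, classify(sample), external_links(sample))
```

The check deliberately does nothing to the link itself: rather than stripping characters from the URL, as the partial fix described above does, it quarantines or tags the whole notification so the recipient is pushed toward the habit the article recommends, logging in to PayPal directly and reading the request there.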

Therefore, any email sent from PayPal, whether it is a money request or an invoice, should be thoroughly scrutinized before any action is taken. The best response is to log in to your PayPal account, view the request there, and respond accordingly. You can cancel the invoice and send a note stating that you would like more information. You can also contact the sender using contact details you find somewhere other than the message or invoice sent to you: cyber criminals often put their own contact details in their messages, so look up the company or person elsewhere. Never hit the reply button in the email to contact the sender in these cases.

© Copyright 2016 Stickley on Security