
Bogus Alerts Target PayPal Users

by Nikola Strahija on February 17th, 2003

PayPal users are under attack by an increasingly sophisticated series of e-mail worms. Since the beginning of the year, at least four e-mail messages disguised as security upgrade announcements from the financial service have hit users' inboxes.

While some of the virus-bearing messages are riddled with typos and are relatively easy to spot as frauds, most use perfect grammar. All the recent attacks include links to legitimate PayPal URLs instead of to phony sites.

Past PayPal user attacks have featured links to sites like paypai.com and paypalsys.com -- virtual mirror images used to harvest PayPal users' personal data.

Instead, the new e-mails require the recipient to launch an attached executable or Visual Basic script (.vbs) file.

The most recent mailing, sent Feb. 10, was full of spelling errors. With the subject line "PayPal Account Manager," it read: "PayPal has just finish our lastest breakthrough in customer server. The PayPal Account Manager. With this program, you can now have LIVE 24/7 support with aPayPal Tech Support Operator. We hope this increases your PayPal experience."

Attached to the message was a compressed file called AccountManager.zip, which contained an executable file that installed a program to surreptitiously intercept and log keystrokes on the user's computer (in order to steal passwords and other confidential information).

Symantec Security Response spent the last two days analyzing the file, but has yet to decrypt information about where the logged data is sent.

The typos easily expose the February message as a fraud, but a Jan. 30 message with the subject line "PayPal Security Update" was grammatically correct.

It purported to alert users that they must install an Internet Explorer patch -- and that if they didn't, they'd be locked out of their PayPal accounts. The attached script, FraudBreaker.vbs, installed various backdoor Trojan horses, including Avkiller.Trojan and Backdoor.OptixPro.

According to Symantec, these Trojans provide unauthorized access to an infected computer by changing security settings and attempting to disable antivirus and firewall programs. PayPal user Cathie Leavitt, who launched the script, also said it caused "very long hangs and crashes" on her computer.

Updated versions of Norton AntiVirus will detect these attacks, but only after they are decompressed or when they run. Leavitt said Yahoo's built-in antivirus program did not detect the file as malicious.

Although it's uncertain how the attackers are collecting e-mail addresses, it's likely they are being pulled from PayPal's directory of sellers who use the service to process payments.

Lawrence Baldwin, president of Internet security firm myNetWatchman, said the latest wave of attacks is impressive in terms of its sophistication.

"Every link is a valid, bona fide PayPal link," he said, which is designed to make the user feel confident the message is legit. Only sophisticated header analysis would give away the fact that the message doesn't come from PayPal.

John Synesiou, chairman of anti-spam software company HelpMeSoft, tracked the message to Web host RackShack.net, but because of forged headers he couldn't confirm the true origin of the message without viewing RackShack's server logs.
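The header analysis Baldwin and Synesiou describe can be automated for triage. The following is an added example, not code from the article or from any company named in it. It parses a constructed message modelled on the mails described above (a From: header claiming paypal.com, a body link that genuinely points to paypal.com, and a .zip attachment) and a constructed benign counterpart. The check rests on how Received: headers work: every relay prepends its own line, so the earliest hop (the last Received: header) records where the message entered the mail system; the sender can choose the HELO name in that line but not the receiving relay's own annotation, which is what the check compares against the From: domain. All host names and IP addresses are placeholders, and the risky-suffix list only covers the attachment types the article mentions.

```python
"""Triage of a suspicious "PayPal" notice: Received chain vs. From:, plus attachments.

Added example, not code from the article or any company it names. Host names and
IP addresses are placeholders (RFC 5737 documentation ranges).
"""
import email
import email.utils
import re
from email import policy

# Constructed sample with forged headers, modelled on the article's description.
SAMPLE_MESSAGE = b"""\
Received: from mail.recipient.example (mail.recipient.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id ABC123; Mon, 10 Feb 2003 09:02:11 -0500
Received: from relay.hosting-provider.example (relay.hosting-provider.example [198.51.100.7])
\tby mail.recipient.example with SMTP id DEF456; Mon, 10 Feb 2003 09:02:05 -0500
Received: from paypal.com (unknown [203.0.113.44])
\tby relay.hosting-provider.example with SMTP; Mon, 10 Feb 2003 09:01:58 -0500
From: "PayPal Tech Support" <support@paypal.com>
To: seller@recipient.example
Subject: PayPal Account Manager
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please install the attached PayPal Account Manager.
See https://www.paypal.com/ for details.

--XYZ
Content-Type: application/zip; name="AccountManager.zip"
Content-Disposition: attachment; filename="AccountManager.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed benign counterpart: the origin relay's annotation names a paypal.com host.
LEGIT_MESSAGE = b"""\
Received: from mail.recipient.example (mail.recipient.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id GHI789; Mon, 10 Feb 2003 10:00:00 -0500
Received: from smtp1.paypal.com (smtp1.paypal.com [203.0.113.9])
\tby mail.recipient.example with ESMTP id JKL012; Mon, 10 Feb 2003 09:59:55 -0500
From: "PayPal" <service@paypal.com>
To: seller@recipient.example
Subject: Payment received

You have received a payment. Log in by typing the site address yourself.
"""

# "from <helo-name> (<relay annotation>)": the annotation is written by the receiving relay.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
# Attachment types the article's attacks used: executables and .vbs scripts, sometimes zipped.
RISKY_SUFFIXES = (".exe", ".vbs", ".zip")


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(msg):
    """Hops oldest first as (helo_name, relay_annotation). Last header = first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_FROM.match(" ".join(str(value).split()))  # unfold the header
        if m:
            hops.append((m.group(1), m.group(2) or ""))
    return hops


def sender_domain(msg):
    return email.utils.parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def origin_mismatch(msg):
    """True when the earliest relay did not see the origin as a host in the From: domain."""
    hops = received_hops(msg)
    if not hops:
        return True  # no trace at all is itself suspicious
    annotation = hops[0][1].split()
    seen_host = annotation[0].lower() if annotation else ""
    domain = sender_domain(msg)
    return not (seen_host == domain or seen_host.endswith("." + domain))


def risky_attachments(msg):
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_SUFFIXES)]


def triage(raw):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = parse(raw)
    findings = []
    hops = received_hops(msg)
    if origin_mismatch(msg):
        helo, annotation = hops[0] if hops else ("<none>", "<no Received headers>")
        findings.append(f"origin relay saw '{annotation}' behind HELO '{helo}', "
                        f"not a {sender_domain(msg)} host")
    for name in risky_attachments(msg):
        findings.append(f"attachment {name} is of a type used by the attacks described")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, triage(raw) or ["no findings"])
```

Run stand-alone, the script flags the constructed sample twice (origin relay annotation "unknown [203.0.113.44]" behind a HELO name of paypal.com, and the .zip attachment) and reports nothing for the benign message. The HELO comparison is deliberately not used on its own, since that name is whatever the sending machine announced; only the receiving relay's annotation is evidence.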

A RackShack customer service agent, when contacted, said that any messages violating RackShack's acceptable use policy should be forwarded, with headers, to [email protected]

PayPal spokesman Kevin Pursglove bemoaned the latest wave of attacks, and offered advice to those affected: "In these phantom e-mails, the attempt is to induce the user to follow these instructions. Don't do it! Don't use the software and don't follow the links in the e-mail. (Only) go to PayPal by entering the site's URL directly in the browser."

As for future defenses, Pursglove said PayPal, which is owned by eBay, is considering posting such security information on eBay's announcement board. Suspicious PayPal messages can also be forwarded to [email protected]

- article available at http://www.wired.com -

