Thursday, July 28, 2016

Banking Trojan found in PayPal's money request emails


Spamming through email is a common technique cyber criminals use to spread malicious content and infect end users. Even though many organizations and home users have put adequate controls in place against it, cyber criminals never give up; they keep looking for ways to bypass those controls and land in your inbox.

Proofpoint analysts found a malware distribution campaign, small in scale, that co-opts PayPal's own services. As it appears, PayPal money request emails have been spreading the Chthonic banking Trojan.

They found and observed emails from PayPal with the subject “You’ve got a money request”. The interesting thing is that the sender was not spoofed: the emails carrying the malicious link were sent through PayPal's own money request service, using registered PayPal accounts rather than forged sender addresses.

Figure 1: Email delivering malicious content (source: Proofpoint)


The personalized message claims that the victim's PayPal account has been used to defraud another PayPal user and asks for money to be sent back; in reality, that "other PayPal user" is the criminal.

How do end users get infected?

If the user takes the email as legitimate and clicks the malicious link, he or she is immediately redirected to katyaflash[.]com/pp.php, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js. If that file is opened, the end user is infected with Chthonic, a variant of the Zeus banking Trojan.
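The infection chain above leaves two things a defender can look for in web proxy logs: requests to the campaign's domain, and a downloaded filename that hides a script extension behind an image extension (`.jpeg.js`). The following is an added example, not code from the post or from Proofpoint; the log format and log lines are constructed, the domain is the one named in the post, and the decoy/script extension lists are my own assumption about what such a check should cover.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not taken from the Proofpoint report).
# Field layout assumed here: "<timestamp> <client-ip> <method> <url> <status> <content-type>"
SAMPLE_PROXY_LOG = """\
2016-07-28T10:02:11Z 10.0.0.15 GET http://katyaflash.com/pp.php 200 text/html
2016-07-28T10:02:12Z 10.0.0.15 GET http://katyaflash.com/paypalTransactionDetails.jpeg.js 200 application/javascript
2016-07-28T10:05:40Z 10.0.0.22 GET https://www.paypal.com/myaccount/transfer/send 200 text/html
2016-07-28T10:06:03Z 10.0.0.22 GET https://cdn.example.org/assets/app.min.js 200 application/javascript
2016-07-28T10:07:15Z 10.0.0.31 GET https://files.example.net/invoice.pdf.exe 200 application/octet-stream
"""

# Domain named in the post (written there defanged as katyaflash[.]com).
KNOWN_BAD_DOMAINS = {"katyaflash.com"}

# Assumed lists: extensions used as a harmless-looking decoy in the middle of
# the name, and the script/executable extensions that actually run when opened.
DECOY_EXTENSIONS = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "txt"}
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def is_deceptive_filename(name):
    """True for names like 'report.jpeg.js': a decoy extension followed by a script one."""
    parts = name.lower().split(".")
    if len(parts) < 3:          # need at least <name>.<decoy>.<script>
        return False
    return parts[-1] in SCRIPT_EXTENSIONS and parts[-2] in DECOY_EXTENSIONS


def classify(url):
    """Return the list of reasons a URL is suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in KNOWN_BAD_DOMAINS:
        reasons.append("known-bad-domain")
    filename = parsed.path.rsplit("/", 1)[-1]
    if is_deceptive_filename(filename):
        reasons.append("double-extension-script")
    return reasons


def scan_log(text):
    """Parse proxy log lines and return one hit per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that do not fit the assumed layout
        ts, client, method, url, status, ctype = m.groups()
        reasons = classify(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```

The double-extension check is the more durable of the two: the domain in this campaign will change, but a script file dressed up as an image or document is the pattern that keeps recurring, and the client address in each hit tells you which host to look at next.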

In their blog post, Proofpoint raised the concern that mail providers, Google included, did not block the email even though it carried a malicious link.

"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spam traps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.

Users who have no adequate anti-malware software on their PC or mobile device, able to detect and block this kind of activity, can easily become victims, and the impact of the attack is not small.

PayPal has been informed of this malicious activity and will take the necessary actions.
PayPal is not the first organization to see its service abused, but situations like this always remind us of the techniques threat actors can use to bypass traditional defences, whatever protection level a specific provider offers.

What we can conclude is that end users should always add an extra layer of security before engaging with any website or online activity, especially those that involve financial transactions.




3 comments:

  1. I found that site very useful and this survey is very curious, I've never seen a blog that demands a survey for these actions, very curious...
    hong kong shelf companies

  2. This comment has been removed by the author.

  3. First, sign up for a PayPal account on PayPal. Some human beings have attempted to argue that IP is a trouble. However, I emphatically inform them it isn't at all. how to make paypal account in pakistan 2017
