Email spam is a common technique cyber criminals use to spread malicious content and infect end users. Even though many organizations and home users have put adequate controls in place, criminals never give up and keep looking for ways to bypass those controls and land in your inbox.
Proofpoint analysts found a small malware distribution campaign that co-opts PayPal's own services: legitimate PayPal "request money" emails have been used to spread the Chthonic banking Trojan.
They observed emails with the subject "You've got a money request" from PayPal. The interesting finding is that the sender was not faked. The emails, carrying a malicious link, were sent through PayPal's own money request service from registered PayPal accounts, not from spoofed addresses, so the From address and the sending infrastructure are genuinely PayPal's.
Figure 1: Email delivering malicious content (source: Proofpoint)
The personalized note in the request claims that the victim's PayPal account has been used to defraud another PayPal user and asks for the money back; in reality that "other user" is the criminal, and the link offered as proof of the transaction is the malicious one.
How do end users get infected?
Proofpoint underlined in their blog post a concern that mail providers, Google included, did not block the email even though it carried a malicious link. Because the message really comes from PayPal's service, it passes the sender-authentication and reputation checks that stop ordinary spoofed phishing; the only abusive element is the link inside the requester's note.
"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spam traps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.
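As an added example (not Proofpoint's or PayPal's code), here is a small Python triage check for inbound money-request mail that does what the provider filters above did not: it accepts that SPF and DKIM pass, because the sender really is PayPal, and instead inspects the body for links that point off PayPal's own domains, treating a URL shortener as the strongest signal. The two sample messages, the allowlist of PayPal hosts and the shortener list are constructed assumptions for the demonstration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts a genuine PayPal money request is expected to link to (assumed allowlist).
PAYPAL_HOSTS = {"paypal.com", "www.paypal.com"}
# URL shorteners: the campaign hid its destination behind one (domains assumed).
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Constructed sample messages, modelled on the pattern in the article: the sender
# is PayPal's real service, mail authentication passes, and the requester's note
# carries a shortened link to an external site.
MALICIOUS_REQUEST = """\
From: "A. Requester via PayPal" <service@paypal.com>
To: victim@example.com
Subject: You've got a money request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
Content-Type: text/plain; charset=utf-8

A. Requester sent you a money request for $100.00 USD.

Note from sender: Your PayPal account was used to charge me fraudulently.
Transaction details: http://goo.gl/xxxxxxx

View the request: https://www.paypal.com/myaccount/transfer/
"""

BENIGN_REQUEST = """\
From: "A. Friend via PayPal" <service@paypal.com>
To: victim@example.com
Subject: You've got a money request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
Content-Type: text/plain; charset=utf-8

A. Friend sent you a money request for $20.00 USD.

Note from sender: dinner last night, thanks!

View the request: https://www.paypal.com/myaccount/transfer/
"""


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_paypal_host(host):
    return host in PAYPAL_HOSTS or host.endswith(".paypal.com")


def analyse(raw):
    """Classify one raw RFC 5322 message.

    Returns the authentication result, every URL in the body, the URLs pointing
    off PayPal's domains, those going through a shortener, and a verdict:
    'allow', 'flag' (external link) or 'quarantine' (shortened external link).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    authenticated = "spf=pass" in auth and "dkim=pass" in auth

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    urls = URL_RE.findall(body)
    external = [u for u in urls if not is_paypal_host(host_of(u))]
    shortened = [u for u in external if host_of(u) in SHORTENER_HOSTS]

    money_request = "money request" in str(msg.get("Subject", "")).lower()
    verdict = "allow"
    if money_request and external:
        # A passing SPF/DKIM result is expected here and must not clear the mail:
        # the sender is genuine, the abuse is in the content.
        verdict = "quarantine" if shortened else "flag"

    return {
        "authenticated": authenticated,
        "urls": urls,
        "external": external,
        "shortened": shortened,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        r = analyse(raw)
        print(f"{name}: authenticated={r['authenticated']} verdict={r['verdict']} external={r['external']}")
```

The design point is that the check never uses the authentication result as a reason to accept the message; it is recorded only so an analyst can see that a passing result and a malicious link coexist, which is exactly the combination that got this campaign through provider filtering.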
Users without adequate anti-malware software on their PC or mobile device, capable of detecting and blocking this kind of malicious activity, can easily become victims, and the impact of a banking Trojan infection is anything but low.
PayPal has been informed of the abuse and will take the necessary action.
This is not the first organization to see its service abused, but situations like this are a reminder of the techniques threat actors can use to bypass traditional defences, regardless of the protection level a given provider offers.
The conclusion is that end users should add their own layer of caution before engaging with any website or online activity, especially one that involves financial transactions: a request that arrives through a genuine service can still carry a malicious link, so verify it by logging in to the service directly rather than following links in the message.