Fake PayPal payment notification leads to malware

PayPal might have passed the torch of the most phished brand to China’s Taobao.com, but that doesn’t mean that phishers and other scammers have stopped delivering emails supposedly sent by the e-commerce giant.

A new spam campaign misusing PayPal’s name and bearing the panic-inducing subject line of “FW: You just sent a payment to [random name]” has been spotted yesterday:

“The criminals believe (and from what we’ve seen, correctly) that when presented with the news that you just sent $100 to someone from your Paypal account, you will have a panic reaction and click on the link in the email. This is what they are counting on,” says Gary Warner.

All the links offered in the email are designed to make the recipients land on a website hosting two javascripts that redirect them to another site hosting an exploit kit.

While the users are reassured by the “Please wait page is loading-¦” sign, the exploit kit drops a Java file that takes advantage of a vulnerability and drops and installs an executable on the targets’ computer.

Initially, only five of the AV solutions used by VirusTotal detected the executable as malware, but the number has now jumped to 17.

It is still unknown what kind of malware it actually is because the different solutions detect it as the Zeus Trojan, a backdoor or a dropper Trojan, but you can be sure it is not good news.

This spam campaign has only started yesterday, but is practically a copy of an earlier one misusing the LinkedIn brand and posing as a notification reminder.

More about

Don't miss