WATPA: FW: PayPal Phishers Turn to E-mail Viruses

From: Norm Jacknis <norm@jacknis.com>
Date: Fri Nov 14 2003 - 22:28:39 EST

I don't normally post warnings about viruses or scams; there are so many of
them. But this is a particularly insidious scam, very likely to fool the
average PayPal user.

I've appended one of many articles about the subject, this one from


PayPal Phishers Turn to E-mail Viruses
By Ryan Naraine <mailto:rnaraine@jupitermedia.com>
November 14, 2003

The PayPal 'phishing' scourge is wearing a new mask.

Security experts on Friday warned that a new variant of the MiMail e-mail
virus is fast spreading through inboxes worldwide, trying to dupe PayPal
users into giving up credit card numbers and other sensitive information.

Internet scammers have been using the high-tech 'phishing' tactic to swipe
credit card numbers <http://www.internetnews.com/IAR/article.php/3075041>,
bank account information, Social Security numbers and user passwords but
it's the first time the technique has been integrated with an e-mail borne
virus, according to Sophos security analyst Chris Beltoff.

Beltoff told internetnews.com the detection of an e-mail worm programmed to
trick users into giving up sensitive PayPal account information is another
signal that Internet scammers are becoming more sophisticated and dangerous.

"It's the first time I've seen someone trying to steal personal information
by spreading an e-mail virus. It just shows that the spread of viruses and
spam have started to intermingle at a dangerous point. It shows that users
need a solution to deal with both problems at the same time," Beltoff said.

He said the latest 'phishing' virus is a variant of the MiMail worm
<http://www.cert.org/incident_notes/IN-2003-02.html> which first appeared in
August this year. When MiMail first appeared, the CERT Coordination Center
warned that it was programmed to bypass a known Microsoft vulnerability to
spread itself.

Sophos' Beltoff explained that MiMail was able to bypass certain gateway
protection systems because it arrived as a .ZIP attachment. "Because .ZIP
files are used for a lot of office activity, admins usually let attachments
bypass the gateway," he explained.

The variant that's being used to 'phish' for PayPal account information
comes with a subject line "YOUR PAYPAL.COM ACCOUNT EXPIRES" and loads a .SCR

Ironically, the e-mail warns users not to send credit card information via
e-mail but, once the attachment is opened, a PayPal-branded dialog box
appears and attempts to collect a user's PayPal account information.

The dialog box requests the user to enter a range of information about their
credit card, including full credit card number, PIN, expiration date, and
even the CVV code -- the three-digit personal security code printed on the
back of cards.

The worm has also been programmed to search for e-mail addresses on an
infected system and mail itself to every address it finds.

According to Beltoff, the success of 'phishing' through the spread of
viruses highlights a lack of education among end-users. "It is surprising
that people would fall for these scams in this day and age. It just shows
there is a need for some serious education about what to do when these
e-mails arrive," he said.

"It is important to get people to understand that the warning signs must go
up for all attachments, regardless of where they're coming from...The
popularity of PayPal could lead to the fast dissemination of this worm. This
is a tricky worm that relies on the ignorance of PayPal users to harvest
bank card data with a realistic-looking form," Beltoff added.

Sophos has posted a removal tool to its Web site that will disinfect systems
from the MiMail variant.
Received on Fri Nov 14 22:28:19 2003
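
An added example, not part of the forwarded article or of any Sophos tool: a
gateway-side check for the article's point that .ZIP attachments are often
let through uninspected. It lists the members of each ZIP attachment and
flags executable extensions such as .SCR. The extension list, the function
names and the sample message are assumptions constructed for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Assumption: extensions treated here as directly executable on Windows.
RISKY_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

def risky_name(name):
    """True if a file name ends in an extension from RISKY_EXTS."""
    # Trailing dots and spaces are dropped by Windows, so ignore them here too.
    name = name.lower().rstrip(". ")
    return any(name.endswith(ext) for ext in RISKY_EXTS)

def scan_message(raw_bytes, max_members=1000):
    """Return a list of (attachment name, reason) findings for one raw message."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if not fname:
            continue
        if risky_name(fname):
            findings.append((fname, "executable attachment"))
            continue
        payload = part.get_payload(decode=True) or b""
        # Decide by content, not by the attachment's file extension.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = [i.filename for i in zf.infolist()[:max_members]]
        except zipfile.BadZipFile:
            findings.append((fname, "unreadable archive"))
            continue
        for member in names:
            if risky_name(member):
                findings.append((fname, "executable inside archive: " + member))
    return findings

def build_sample(member_name):
    """Constructed test message: a ZIP attachment with one harmless member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"harmless placeholder bytes")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```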