PayPal Phishers Turn to E-mail Viruses

The PayPal ‘phishing’ scourge is wearing a new mask.

Security experts warn that a new variant of the MiMail e-mail virus is fast spreading through inboxes worldwide, trying to dupe PayPal users into giving up credit card numbers and other sensitive information.

Internet scammers have been using the high-tech ‘phishing’ tactic to swipe credit card numbers, bank account information, Social Security numbers and user passwords but it’s the first time the technique has been integrated with an e-mail borne virus, according to Sophos security analyst Chris Beltoff.

Beltoff said the detection of an e-mail worm programmed to trick users into giving up sensitive PayPal account information is another signal that Internet scammers are becoming more sophisticated and dangerous.

“It’s the first time I’ve seen someone trying to steal personal information by spreading an e-mail virus. It just shows that the spread of viruses and spam have started to intermingle at a dangerous point. It shows that users need a solution to deal with both problems at the same time,” Beltoff said.

He said the latest ‘phishing’ virus is a variant of the MiMail worm, which first appeared in August this year. When MiMail first appeared, the CERT Coordination Center warned that it was programmed to bypass a known Microsoft vulnerability to spread itself.

Sophos’ Beltoff explained that MiMail was able to bypass certain gateway protection systems because it arrived as a .ZIP attachment. “Because .ZIP files are used for a lot of office activity, admins usually let attachments bypass the gateway,” he explained.

The variant that’s being used to ‘phish’ for PayPal account information comes with a subject line “YOUR PAYPAL.COM ACCOUNT EXPIRES” and loads a .SCR attachment.

Ironically, the e-mail warns users not to sent credit card information via e-mail but, once the attachment is opened, a PayPal-branded dialog box appears and attempts to collect a user’s PayPal account information.

The dialog box requests the user to enter a range of information about their credit card, including full credit card number, PIN, expiration date, and even the CVV code — the three-digit personal security code printed on the back of cards.

The worm has also been programmed to search for e-mail addresses on an infected system and mail itself to every address it finds.

According to Beltoff, the success of ‘phishing’ through the spread of viruses highlights a lack of education among end-users. “It is surprising that people would fall for these scams in this day and age. It just shows there is a need for some serious education about what to do when these e-mails arrive,” he said.

“It is important to get people to understand that the warning signs must go up for all attachments, regardless of where they’re coming from …The popularity of PayPal could lead to the fast dissemination of this worm. This is a tricky worm that relies on the ignorance of PayPal users to harvest bank card data with a realistic-looking form,” Beltoff added.

Sophos has posted a removal tool to its Web site that will disinfect systems from the MiMail variant.

Adapted from

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.