
Be careful what you click on! - PayPal Trojan demands money


Trojans, viruses, worms and other malware can catch us at any time when we're using the internet.  We may not be able to escape them entirely, but we can know what to look out for and what to do when an email or link we receive looks suspicious.  If you're an NCI ProSupport or security service customer you benefit from advanced protection; however, it is still good practice to know the warning signs, especially as attackers keep finding new ways through.  Read on for details.


Recently, attackers have abused PayPal's own emails to spread the Chthonic trojan, a new variant of the infamous Zeus banking trojan.  These emails are not merely convincing fakes of a PayPal email: they are sent directly from PayPal-registered accounts, i.e. from a legitimate source.  It is suggested that the attackers either created PayPal accounts or hacked into the system to generate the requests, so the emails reaching the end user genuinely come from PayPal.  This, of course, makes them much harder to spot!

The email itself cleverly abuses PayPal's feature that lets users request money from other users.  In this case, the email claims that your account has fraudulently taken money from another user and asks you to make a refund.  'Evidence' to support the claim is provided by way of a link.  Do not click the link!

PayPal users who click the link are redirected to a malicious site, which downloads a seemingly genuine JavaScript file purporting to come from PayPal, named paypalTransactionDetails.jpeg.js (note the double extension: a script file disguised as an image).  If this file is opened, it downloads a further executable that contains the Trojan.

This was detected and reported by Proofpoint analysts, who 'recently noticed an interesting abuse of legitimate service in order to deliver malicious content'.  PayPal has stated: "We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers."


The email will look like a genuine PayPal email. It is likely to carry the following subject line:

"You've got a money request"

Its content will explain that the victim's PayPal account has been used to defraud another PayPal user and will ask you to authorise a refund.  The difficulty is that it all looks genuine, because it is built on PayPal's own features.  The key tell-tale sign is the link to 'evidence' in support of the claim!  Even if the file is downloaded, it still has to be opened to release the Trojan, so you have two potential stop points: the link and the file.

In short: before you transfer or refund any money, check with PayPal, and DO NOT CLICK ANY LINKS or OPEN ANY FILES.
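As an added example (not code from the original post, from NCI or from Proofpoint), the following Python checks catch the two indicators described above from a defender's side: a money-request email whose 'evidence' link leads away from PayPal's own domain, and a downloaded file whose name hides a script extension behind an image or document extension, as paypalTransactionDetails.jpeg.js does. The trusted-host list, the extension lists and the sample message are assumptions constructed for the demonstration, not real captures.

```python
import re
from urllib.parse import urlparse

# Extensions Windows treats as executable scripts on double-click (assumed list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "cmd", "bat", "ps1"}
# Harmless-looking extensions used as the decoy middle part of a disguised name.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}
# Hosts a genuine PayPal money request is expected to link to (assumption).
TRUSTED_HOSTS = ("paypal.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_disguised_script(filename):
    """True for names such as 'paypalTransactionDetails.jpeg.js': a script
    extension sitting behind a decoy image/document extension."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, final = parts
    return final in SCRIPT_EXTS and decoy in DECOY_EXTS


def host_is_trusted(url):
    """True only if the URL's host is a trusted host or a subdomain of one;
    look-alikes such as paypal.com.evil.example do not match."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def assess_money_request(subject, body, filenames):
    """Return the reasons a PayPal-style money request looks suspicious."""
    reasons = []
    if "money request" in subject.lower():
        for url in URL_RE.findall(body):
            if not host_is_trusted(url):
                reasons.append("link to non-PayPal host: " + (urlparse(url).hostname or "?"))
    for name in filenames:
        if is_disguised_script(name):
            reasons.append("disguised script file: " + name)
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample message modelled on the lure described above (not a real capture).
SAMPLE_SUBJECT = "You've got a money request"
SAMPLE_BODY = ("A PayPal user reports that your account took money from them. "
               "Please refund it. Evidence: http://evidence-host.example/details "
               "or review at https://www.paypal.com/myaccount/transactions")
SAMPLE_FILES = ["paypalTransactionDetails.jpeg.js", "invoice.pdf"]

if __name__ == "__main__":
    print(assess_money_request(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_FILES))
```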


1. Report the email to PayPal - take a screenshot and send them the evidence.

2. Do not click the links

3. Delete the email

4. If the Trojan has been released, your anti-virus software should detect it and either quarantine or delete it.  If, for any reason, your security solution can't detect the Trojan or there are problems dealing with it, please get in touch with your IT provider.


Read about our IT Security protection for your business and the various packages and support available.


NCI customers are protected if they have a ProSupport Contract in place.  This service includes a managed security service with anti-virus and web filtering for advanced protection:

Our Webroot security software will:

1. Alert NCI and the end user that the user has been redirected to a malicious site

2. Filter potentially harmful attachments in email

3. Block and disable macro execution, so the file cannot open without being deliberately clicked

4. Detect and block malware via the advanced anti-virus protection

However, it is still good advice to report any suspicious emails and NOT OPEN ANY FILES OR CLICK LINKS from an unknown source, or any that appear to be irregular activity from a more trusted service like PayPal.

If you're concerned, please raise a ticket and contact our helpdesk.

References:

Chthonic Banking Trojan spread by PayPal Accounts, by Clare Hopping, IT Pro, Dennis Publishing Limited, 29 July 2016.

Chthonic Banking Trojan distributed by legitimate PayPal emails, by Catalin Cimpany, MSP Portal Partner News, 26 July 2016.
