Chthonic banking Trojan spread by PayPal accounts

Criminals are using PayPal's money request notification emails to send the malware


PayPal emails have been spreading the Chthonic banking Trojan, research by Proofpoint has discovered.

Proofpoint found that emails with the PayPal "You've got a money request" subject line were being used by criminals to distribute the malware. However, rather than fake emails crafted to look genuine, the messages appear to have been sent from PayPal-registered accounts.


The criminals were able to send emails to other PayPal users via the money sending service, adding the malicious link in the personalised message.

The content of the email message explains that the victim's PayPal account has been used to defraud another PayPal user. However, the other PayPal user is actually the criminal, asking for a refund of the monies. Not only might the victim send a payment of the specified amount to the criminal, but they may also click on a malicious link in the same email, which claims to link through to evidence of the fraudulent transaction.

When a PayPal user clicks on the link, they are redirected to a malicious site, which downloads an obfuscated JavaScript file named paypalTransactionDetails.jpeg.js to the user's system. If this file is opened, it downloads an executable from another site that contains Chthonic, a variant of the Zeus banking Trojan.
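The file name in that chain, paypalTransactionDetails.jpeg.js, relies on a decoy ".jpeg" in front of the real ".js" extension. The detection routine below is an added example (not Proofpoint's or the article's code) that flags such double-extension script downloads in constructed web-proxy log lines; the log format, host name and IP addresses are assumptions.

```python
import re
from typing import Optional

# Extensions used as decoys to make a script look like a harmless file,
# and extensions that Windows will actually execute on double-click.
DECOY_EXTENSIONS = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "txt"}
EXECUTABLE_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "exe", "scr", "cmd", "bat", "ps1"}


def classify_download_name(name: str) -> Optional[str]:
    """Return a short reason if `name` looks like a disguised script or executable, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return None
    # e.g. "something.jpeg.js": the last extension wins, the one before it is the decoy
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return f"double extension: looks like .{parts[-2]} but runs as .{real_ext}"
    return f"executable/script download: .{real_ext}"


# Constructed sample proxy log (not real traffic): timestamp, client IP, URL, HTTP status
SAMPLE_PROXY_LOG = """\
2016-07-28T09:12:01Z 10.0.0.5 http://example.invalid/dl/paypalTransactionDetails.jpeg.js 200
2016-07-28T09:12:09Z 10.0.0.5 http://example.invalid/img/receipt.jpeg 200
2016-07-28T09:13:44Z 10.0.0.7 http://example.invalid/tools/update.exe 200
2016-07-28T09:14:02Z 10.0.0.9 http://example.invalid/docs/invoice.pdf 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def flag_suspicious_downloads(log_text: str) -> list:
    """Scan proxy log lines; return (client, url, reason) tuples for downloads worth a look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed log format
        _ts, client, url, status = m.groups()
        if status != "200":
            continue  # only successful downloads reached the endpoint
        reason = classify_download_name(url.split("?", 1)[0])
        if reason:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in flag_suspicious_downloads(SAMPLE_PROXY_LOG):
        print(f"{client} {url} -> {reason}")
```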


What is concerning, Proofpoint explained, is that mail providers including Google failed to block the email, despite it obviously including a malicious link.


"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.

"For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload."

In a statement, PayPal said: "Security is a top priority for our company. Based on information we received regarding a possible way to use our request money feature to send spoof or phishing emails, we put additional security protocols in place to safeguard our customers. These protocols recently identified some anomalous usage of this feature and we are aware that attempts were made to use the request money feature to distribute malware to a small number of our customers.


"We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers."

This story was originally published on 28 July 2016 and has since been updated to include comments from PayPal.
