Chthonic banking Trojan spread by PayPal accounts
Criminals are using PayPal's money request notification emails to send the malware
PayPal emails have been spreading the Chthonic banking Trojan, research by Proofpoint has discovered.
Proofpoint uncovered emails with the PayPal "You've got a money request" subject line were being used by criminals to distribute the malware. However, rather than using fake emails that appear to be genuine, it seems the emails were sent using PayPal-registered accounts.
The criminals were able to send emails to other PayPal users via the money sending service, adding the malicious link in the personalised message.
The content of the email message explains that the victim's PayPal account has been used to defraud another PayPal user. However, the other PayPal user is actually the criminal, asking for a refund of the monies. Not only might the victim send a payment of the specified amount to the criminal, but they may also click on a malicious link in the same email, which claims to link through to evidence of the fraudulent transaction.
What is concerning, Proofpoint explained, is that mail providers including Google failed to block the email, despite it obviously including a malicious link.
"Although the scale of this campaign appeared to be relatively small (this particular example was only detected through one of our spamtraps; as of the writing of this blog, the malicious link has only been clicked 27 times according to Google Analytics for the URL shortener), the technique is both interesting and troubling," Proofpoint said in a blog post.
"For users without anti-malware services that can detect compromised links in emails and/or phone homes to a C&C, the potential impact is high. At the same time, the combined social engineering approach of requesting money via PayPal from what appears to be a legitimate source creates additional risk for untrained or inattentive recipients, even if they are not infected with the malicious payload."
In a statement, PayPal said: "Security is a top priority for our company. Based on information we received regarding a possible way to use our request money feature to send spoof or phishing emails, we put additional security protocols in place to safeguard our customers. These protocols recently identified some anomalous usage of this feature and we are aware that attempts were made to use the request money feature to distribute malware to a small number of our customers.
"We have put measures in place in an effort to prevent the misuse of this feature. We are continuing to carefully monitor the situation and will reach out to any impacted customers."
This story was originally published on 28 July 2016 and has since been updated to include comments from PayPal
The IT Pro guide to Windows 10 migration
Everything you need to know for a successful transitionDownload now
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Software-defined storage for dummies
Control storage costs, eliminate storage bottlenecks and solve storage management challengesDownload now
6 best practices for escaping ransomware
A complete guide to tackling ransomware attacksDownload now