PayPal scamming worm asks for bank details
By Matt Whipp
Posted on 14 Nov 2003 at 15:37
Sophos has alerted users to a new variant of the Mimail virus, which is designed to appear as a PayPal email.
Graham Cluley, senior technology consultant at Sophos, said the Mimail variants, unlike those of the Blaster virus, were not the work of different authors. 'We believe the Mimail viruses were written by the same person, or group of people. Just as one of the previous versions attacked anti-spam websites - leading you to believe that these might be spammers themselves - this is another criminal activity to make money.'
Mimail-I arrives as an email with the subject line: 'YOUR PAYPAL.COM ACCOUNT EXPIRES' and the attachment 'www.paypal.com.scr'.
The text of the email warns that your PayPal account will shortly expire because of 'a new security policy' and requests that you renew it by running the attachment. The attachment opens a series of dialog boxes that ask you for information including full credit card number, PIN, expiry date, and even the CVV code (the additional three-digit security code on the back of your card). The dialog boxes include the PayPal logo, to add further credence to the requests.
The information is then sent off to the author. Cluley said that he was still awaiting the report on exactly where this information was being sent, but cautioned: 'I assume [the author] is using some kind of email front. It wouldn't make sense to use graham dot cluley at sophos etc.'
The worm copies itself to svchost32.exe and gathers email addresses on the infected computer in a file called el388.tmp and sends itself on to them. Additionally it makes edits to the Registry so that it is run each time the machine is rebooted.
Cluley warns the worm is already in the wild, with reports coming in from the UK, South Africa, Australia and New Zealand. He said users should make sure their antivirus systems are up to date and, of course, not to indulge in proffering bank details on request. Additionally, corporates should configure their email gateways to block executable attachments. Sophos released virus identities for Mimail-I early this morning, he said.
For more information, visit the Sophos website.
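The gateway advice above, sketched as an added example that is not from the article or from Sophos: a Python check that parses a message and flags attachments whose final extension is executable, so a name dressed up as a web address such as 'www.paypal.com.scr' is still caught. The blocklist, the function names and the sample message are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for this example; a production gateway policy would be longer.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".hta"}


def blocked_extension(filename):
    """Return the blocked extension the filename ends in, or None."""
    # Windows drops trailing dots and spaces, so "x.scr. " still runs as .scr.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    if dot == -1:
        return None
    # Only the LAST extension decides how the file is opened, however
    # harmless the rest of the name looks.
    ext = name[dot:]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw_bytes):
    """Return [(filename, extension)] for each part a gateway should block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename", then falls
        # back to Content-Type "name", and decodes RFC 2231 values.
        filename = part.get_filename()
        if not filename:
            continue
        ext = blocked_extension(filename)
        if ext:
            hits.append((filename, ext))
    return hits


def build_sample(filename):
    """Constructed test message; the attachment bytes are an inert placeholder."""
    msg = EmailMessage()
    msg["Subject"] = "YOUR PAYPAL.COM ACCOUNT EXPIRES"
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("Constructed test body.")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Matching on the filename alone is the simplest form of this control; a gateway would normally pair it with content inspection, since a sender can rename an executable.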
