Scam of the Week: Malicious PayPal Email

Want to learn how you can educate your end-users on detecting phishing emails? Attend our Security Lunch & Learn on August 25th – Register Here!


Score another one for the bad guys, who have yet again demonstrated their seemingly inexhaustible ability to concoct new methods to exploit legitimate services in order to bypass existing anti-malware defenses and spam traps.

Proofpoint researchers report in a special security advisory that malicious actors are delivering the Chthonic banking trojan (itself a variant of the infamous Zeus trojan) through the PayPal “money request” feature.

Using legitimate (and undoubtedly compromised) PayPal accounts, the bad guys are sending potential victims bogus requests for money through PayPal. In addition to losing a few hundred bucks to imposters, potential victims may also be infected with the Chthonic banking trojan if they click the embedded link in the email.

So, how did it come to this? PayPal allows users of the “money request” feature to include a personalized message with the request, and that free-text message is where the bad guys plant the malicious link that leads unsuspecting users to Chthonic. In the example offered by Proofpoint, the malicious link takes the form of a goo.gl shortener link, which then redirects to a malicious domain controlled by the bad guys.

If there is any good news to be had from this situation, it’s that this malware campaign still appears to be low volume. In other words, the bad guys haven’t yet figured out how to automate this campaign. Also, the embedded malicious link is not being hidden behind a PayPal redirect URL, which would make the bait appear even more legitimate than it already does.
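As an added, defender-side example (not from this post, Proofpoint or PayPal): a small Python filter that pulls the links out of the note in a PayPal money-request notification and flags any that point to a URL shortener (like the goo.gl link Proofpoint observed) or to any host outside paypal.com. The sample message, the PayPal allowlist and the shortener list are constructed assumptions for the example.

```python
import re
from email import message_from_string

# Constructed sample of a PayPal "money request" notification whose personalised
# note carries a goo.gl shortener link, as in the campaign described above.
SAMPLE_REQUEST_EMAIL = """\
From: service@paypal.com
Subject: You have a money request from Jane Doe
Content-Type: text/plain

Jane Doe sent you a money request for $250.00.
Note from sender: Please see the invoice and photos here goo.gl/abc123XX
To pay or decline, log in at https://www.paypal.com/myaccount/transfer
"""

# Hosts (and their subdomains) treated as PayPal-owned: an assumed allowlist.
PAYPAL_HOSTS = {"paypal.com"}
# Public URL shorteners whose real destination is hidden from the reader.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}

# Matches bare or schemed URLs such as "goo.gl/abc" or "https://www.paypal.com/x".
URL_RE = re.compile(r"\b(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(/[^\s<>\"]*)?", re.I)


def _host_matches(host, allowed):
    """True if host equals an allowed host or is one of its subdomains."""
    return any(host == h or host.endswith("." + h) for h in allowed)


def classify_links(raw_email):
    """Return (host, verdict) for every link found in the message body."""
    msg = message_from_string(raw_email)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = []
    for match in URL_RE.finditer(body):
        host = match.group(1).lower()
        if _host_matches(host, PAYPAL_HOSTS):
            verdict = "paypal"
        elif _host_matches(host, SHORTENER_HOSTS):
            verdict = "shortener"  # destination is obscured; treat as suspicious
        else:
            verdict = "external"   # a non-PayPal destination inside a PayPal mail
        findings.append((host, verdict))
    return findings


def is_suspicious_request(raw_email):
    """Flag a money-request notification whose note links anywhere but PayPal."""
    return any(verdict != "paypal" for _, verdict in classify_links(raw_email))
```

Because the link in this campaign is not wrapped in a PayPal redirect, the destination host is visible in the mail itself; if that changes, the same check would need to follow the redirect before classifying.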

So, remember to always Think Before You Click, even if the email gives every appearance of coming from legitimate, trusted sources.

A special thanks to KnowBe4 for helping to keep users secure.
