Cybercriminals spamvertise PayPal themed ‘Notification of payment received’ emails, serve malware


By Dancho Danchev

Cybercriminals are currently spamvertising millions of emails impersonating PayPal, in an attempt to trick PayPal users into executing the malicious attachment found in the emails.

Using ‘Notification of payment received’ subjects, the campaign relies on the end user’s gullibility to get them to open the attachment. Once executed, the malware grants the attacker complete control over the victim’s PC.

More details:

Sample screenshot of the spamvertised email:

The malicious attachment has an MD5 of 9c2f2cabf00bde87de47405b80ef83c1 and is detected by 33 out of 42 antivirus scanners, under names such as Backdoor.Win32.Androm.fm and Worm:Win32/Gamarue.
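The lure described above gives a mail gateway or incident responder three things to check: the campaign subject line, a sender that claims to be PayPal without coming from PayPal, and an executable attachment whose hash can be compared against the MD5 above. The script below is an added example written for this post, not Webroot's own tooling or code from the original article. The sample messages, the attachment bytes, the paypal.com sender-domain heuristic and the list of attachment extensions are all assumptions made for the example; the constructed attachment will not match the real campaign hash, so the hash comparison is demonstrated by passing a hash set into the function.

```python
import email
import email.utils
import hashlib
import os
from email import policy
from email.message import EmailMessage

# Indicator from the post: MD5 of the malicious attachment. The constructed
# samples below will not match it; see triage()'s bad_hashes parameter.
KNOWN_BAD_MD5 = {"9c2f2cabf00bde87de47405b80ef83c1"}

# Subject line used by the campaign, compared case-insensitively.
CAMPAIGN_SUBJECT = "notification of payment received"

# Assumption for this example: a genuine payment notification never carries
# an executable or an archive, so any of these is a strong signal on its own.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".zip"}

# Assumption for this example: legitimate PayPal mail comes from this domain.
LEGIT_SENDER_DOMAIN = "paypal.com"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def triage(raw: bytes, bad_hashes=KNOWN_BAD_MD5) -> dict:
    """Score one raw RFC 5322 message and return the reasons it was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    if CAMPAIGN_SUBJECT in subject:
        reasons.append("subject matches campaign")

    display, addr = email.utils.parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    if "paypal" in display.lower() and domain != LEGIT_SENDER_DOMAIN:
        reasons.append(f"PayPal display name but sender domain {domain!r}")

    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        digest = md5_hex(payload)
        attachments.append((name, digest))
        if os.path.splitext(name)[1] in EXECUTABLE_EXTS:
            reasons.append(f"executable attachment {name!r}")
        if digest in bad_hashes:
            reasons.append(f"attachment {name!r} matches known-bad MD5")

    if any("known-bad" in r or "executable" in r for r in reasons):
        verdict = "malicious"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "attachments": attachments}


def build_sample(from_hdr: str, subject: str, body: str, attachment=None) -> bytes:
    """Build a constructed sample message for the example (not real campaign mail)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed dummy attachment: the "MZ" prefix only mimics a PE header.
LURE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"constructed dummy payload"

# Constructed lure: PayPal display name, unrelated sender domain, .exe attachment.
LURE = build_sample(
    "PayPal <service@paypal-mail.example.net>",
    "Notification of payment received",
    "You have received a payment. See the attached receipt.",
    ("Payment_Receipt.exe", LURE_PAYLOAD),
)

# Constructed benign message for contrast.
BENIGN = build_sample(
    "Alice <alice@example.org>",
    "Lunch tomorrow?",
    "Are you free around noon?",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw))
```

The hash lookup only catches the exact sample from the post, so the subject, sender-domain and attachment-type checks carry most of the weight against the next repack of the same campaign; they are heuristics, and a real deployment would tune the extension list and sender check against its own mail flow.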

This isn’t the first time that we’ve profiled PayPal themed malicious campaigns. Go through the following posts to catch up with some of our research regarding related campaigns:

Webroot SecureAnywhere users are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

5 thoughts on “Cybercriminals spamvertise PayPal themed ‘Notification of payment received’ emails, serve malware”

  1. Pingback: Fake notifications from PayPal contain Trojan « MALWARELIST INFORMATION ABOUT VIRUSES

  2. When you say Webroot users are protected from this threat, how do you mean? I don’t see an email spam filter or protection in the Webroot SecureAnywhere Complete platform, and can’t locate where you offer antispam protection. Please advise; most of the Webroot threat blogs write about spam email but I can’t find it in my Webroot interface!

    • Thanks for the question, it’s a relevant one.

      When I say that Webroot users are protected from these threats I have multiple things in mind. For instance:

      – on the majority of occasions, the malware samples dropped in these campaigns following successful exploitation of a client-side vulnerability are detected as already being part of a malware family known and detected by Webroot SecureAnywhere Complete.

      – Webroot’s built-in anti-client-side exploitation often prevents the actual client-side exploitation from taking place on the affected host.

      – Webroot’s built-in behavior-detection technology proactively detects the malicious intentions of the dropped executables, and prevents them from modifying and accessing critical system resources upon execution, thereby minimizing their impact on the operating system even if the user gets socially engineered to run these executables.

      Hope this clarifies the “protected by Webroot” line.

      Best,
      Dancho

  3. Pingback: PayPal ‘Notification of payment received’ themed emails serve malware « Webroot Threat Blog – Internet Security Threat Updates from Around the World

  4. Pingback: ‘PayPal Account Modified’ themed emails lead to Black Hole Exploit Kit « Webroot Threat Blog – Internet Security Threat Updates from Around the World
