PayPal malware social engineering

I instantly got very suspicious when I received this from PayPal today:

Hello [my name here],

Colin Neal would like to be paid through PayPal.

Note from Colin Neal: Good afternoon. There was a pay of 200$ from my wallet on your wallet , as if I bought smth from you on Ebay. But I didn’t do this. It must be a mistake. Write me on kcsystems1@gmail,com i’ll send you the copy of invoice. Sorry to disturb you.

Details

Request Date: November 29, 2016
Requested Amount: $200.00 USD
Your Email Address: [my PayPal email address]

Click the button below to send Colin Neal your payment and see the details of this money request.

[ Pay now! ]

Of course I did not click on the “Pay Now!” button, but looking at the email header, the mail was actually sent via PayPal’s mail servers!

I logged into PayPal from scratch on another machine by typing in the PayPal domain name and verified that there was indeed a money request for $200 in my PayPal account. However, it came from a random looking Gmail address, “pvbkrngkjqo@gmail.com” and not the address I was told to contact. Even more suspicious than the first email!

So I fired off an email from another mail account (not my PayPal mail account) to “kcsystems1@gmail.com” and explained that I had not received any funds and that this must be a scam. But as suggested in the initial message, they then sent me a link to an “invoice”:

Good afternoon. This is a copy of invoice.
https://paypal.com/user/files/paypalInvoice_000092419298377.doc

Looking forward your reply. Thanks.

Looking at the actual target of the link, it pointed at a completely different location:

http://myotaku.com.my/system/helper/json/paypalInvoice_000092419298377.doc

When I downloaded it using a secure tool and submitted it to VirusTotal.com, six of the tools consulted detected it as malware:

AVware LooksLike.Macro.Malware.k (v) 20161130
Avast VBA:Downloader-DSH [Trj] 20161130
Fortinet WM/Agent.CBW!tr 20161130
Qihoo-360 virus.office.gen.85 20161130
Symantec W97M.Downloader 20161130
VIPRE LooksLike.Macro.Malware.k (v) 20161130

This scam uses a clever bit of social engineering. The original email comes from a real PayPal server, a trusted source, and it doesn’t include any malicious links or attachments.

By getting you to initiate contact with the malware scammer, the subsequent reply with its malicious link arrives from an email address that you have previously written to. Many mail filters treat such a known correspondent more leniently, which makes it more likely that the malicious link gets through.

Always be alert to how scammers set up mail exchanges where malware will only arrive after several steps specifically designed to defeat filtering. For example, they may contact you first to ask for a quote and then email you what is supposed to be an order, but is really malware.

Vir7remover_2009_b2.exe / defend6-pc.com scareware

While researching some information, I came across a Google hit that looked like what I was looking for, but when I opened the page, none of the text in the preview paragraph was there. Somebody must have fed bogus contents to GoogleBot to attract searches.

Instead of the expected information I found myself on a scareware site called defend6-pc.com that was then trying to coerce me into downloading and installing their fake security software. A pop-up dialog asked me whether I wanted to scan my computer with their software. It didn’t matter if I clicked OK or Cancel, a download would always start. Only by closing the browser window could I get rid of their nasty popup dialogs.

I’m using Mozilla Firefox, which does not offer to run downloaded EXEs directly. I did not click on the downloaded “Vir7remover_2009_b2.exe”, instead I ran it through the VirusTotal.com online malware scanner (highly recommended!) and products by four companies diagnosed it as malicious or suspicious:

  • Microsoft (1.5605) says it’s a “Trojan:Win32/FakeXPA”
  • Sophos (4.52.0) says it’s “Mal/FakeAV-CX”
  • VBA32 (3.12.12.4) says it’s “BScope.Trojan.MTA.0157”
  • Panda (10.0.2.2) calls it a “Suspicious file”

“Mal/FakeAV-CX” indicates “scareware”, software that pretends to be an anti-virus / malware scanner and uses bogus alerts about malware on your hard disk to scare you into installing and/or purchasing it. Such software can include Trojans (as you would suspect from “Trojan:Win32/FakeXPA” and “BScope.Trojan.MTA.0157”) that take over your machine and can give someone else full control over it for malicious activities.

The following domains are all hosted on the same server as defend6-pc.com (IP address 93.174.95.154) and this list probably is not complete. I definitely would not recommend installing any software from any of these sites:

  • 10scanantispyware.com
  • 20scanantispyware.com
  • 2scanantispyware.com
  • 30scanantispyware.com
  • 3scanantispyware.com
  • 50virus-scanner.com
  • 5scanantispyware.com
  • 60scanantispyware.com
  • 7scanantispyware.com
  • 80scanantispyware.com
  • 8scanantispyware.com
  • 90virus-scanner.com
  • antispy-scan200.com
  • antispy-scan400.com
  • antispy-scan600.com
  • antispy-scan700.com
  • antispy-scan800.com
  • antispywarehelp002.com
  • antispywarehelp004.com
  • antispywarehelp008.com
  • antispywarehelp010.com
  • antispywarehelp022.com
  • antispywarehelpk0.com
  • antispywarehelpk2.com
  • antispywarehelpk4.com
  • antispywarehelpk6.com
  • antispywarehelpk8.com
  • antivirus-inet01.com
  • antivirus-inet31.com
  • antivirus-inet41.com
  • antivirus-inet51.com
  • antivirus-scan200.com
  • antivirus-scan400.com
  • antivirus-scan600.com
  • antivirus-scan700.com
  • antivirus-scan900.com
  • antivirus-test88.com
  • antivirus10scanner.com
  • antivirus900scanner.com
  • av-scanner200.com
  • av-scanner300.com
  • av-scanner400.com
  • av-scanner500.com
  • av-scanner700.com
  • defend-computer10.com
  • defend-computer30.com
  • defend-computer50.com
  • defend-computer70.com
  • defend-computer82.com
  • defend-computer83.com
  • defend-computer84.com
  • defend-computer85.com
  • defend-computer86.com
  • defend-computer88.com
  • defend-computer90.com
  • defend-pc100.com
  • defend-pc130.com
  • defend-pc150.com
  • defend-pc170.com
  • defend2-pc.com
  • defend5-pc.com
  • defend6-pc.com
  • inetproscan001.com
  • inetproscan031.com
  • inetproscan061.com
  • inetproscan081.com
  • inetproscan091.com
  • insight-scan20.com
  • insight-scan40.com
  • insight-scan60.com
  • insight-scan80.com
  • insight-scan90.com
  • insight-scanner2.com
  • insight-scanner5.com
  • insight-scanner7.com
  • insight-scanner8.com
  • insight-scanner9.com
  • internet-scan020.com
  • internet-scan040.com
  • internet-scan050.com
  • internet-scan070.com
  • internet-scan090.com
  • internet-scanner020.com
  • internet-scanner030.com
  • internet-scanner050.com
  • internet-scanner070.com
  • internet-scanner090.com
  • net-02antivirus.com
  • net-04antivirus.com
  • net-05antivirus.com
  • net-07antivirus.com
  • net001antivirus.com
  • net011antivirus.com
  • net021antivirus.com
  • net111antivirus.com
  • net222antivirus.com
  • novirus-scan00.com
  • novirus-scan01.com
  • novirus-scan22.com
  • novirus-scan31.com
  • novirus-scan33.com
  • novirus-scan41.com
  • novirus-scan55.com
  • novirus-scan61.com
  • novirus-scan81.com
  • novirus-scan88.com
  • spyware-stop01.com
  • spyware-stopb1.com
  • spyware-stopm1.com
  • spyware-stopn1.com
  • spyware-stopz1.com
  • spyware200scan.com
  • spyware500scan.com
  • spyware800scan.com
  • spyware880scan.com
  • spywarescan010.com
  • spywarescan013.com
  • spywarescan015.com
  • spywarescan017.com
  • spywarescan018.com
  • stop-all-virus1.com
  • stop-all-virus3.com
  • stop-all-virus6.com
  • stop-all-virus9.com
  • stop-virus-01a.com
  • stop-virus-01b.com
  • stop-virus-01d.com
  • stop-virus-01e.com
  • stop-virus-01f.com
  • stop-virus-03b.com
  • stop-virus-03u.com
  • stop-virus-03y.com
  • stop-virus-03z.com
  • stop-virus-040.com
  • stop-virus-070.com
  • stop-virus-090.com
  • stop-virus-091.com
  • stop-virus-099.com
  • stopvirus-scan11.com
  • stopvirus-scan13.com
  • stopvirus-scan16.com
  • stopvirus-scan18.com
  • stopvirus-scan33.com
  • stopvirus-scan66.com
  • stopvirus-scan88.com
  • stopvirus-scan99.com
  • virus77scanner.com
  • virus88scanner.com

Beware of fake Kaspersky beta installer emails

Today I received a Trojan email that bears the same handwriting as the recent fake Google Chrome installer emails. Both emails are in German and offer an attached RAR file containing what is supposedly an installer for a beta test version of new software from a well-established software company:

Dear user,

today we would like to invite you to our current beta test of the new Kaspersky© 9.5.710.
Our new product stands out with its revised scan routine and the fast and effective
detection of viruses, Trojans and other malicious malware.

For your personal access we have set up a beta account for you, which you must enter during
installation in order to use the web installer and the program itself.

Username: kis_aX9535
Password: c3VF5gg8

These details will be requested during installation. Please write them down exactly,
as they are also required for your access to our website.

At the end of the beta test you will receive a full licence and can thus use Kaspersky©
free of charge for one year for your security.

If you have any questions or problems, write us an e-mail at: beta-team@kaspersky.de

We wish you a lot of fun with our new product and hope for a positive rating
from you on our website.

Kind regards
Your Kaspersky Beta Team

Copyright © 1997 – 2008 Kaspersky Lab

Industry Leading Antivirus Software

Message headers:

Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
    by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
    for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
X-RZG-CLASS-ID: mo05
X-RZG-AUTH: :L2MKYUGrb9+s7Ys+/C6cdNboKaxR22vZQHQdVrAeYnDdBsCFdpW1J0sdHw==
Received: from [77.21.44.13] ([62.159.230.93])
    by post.webmailer.de (fruni mo40) (RZmta 17.4)
    with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
    Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
    (envelope-from: )
Date: Sun, 21 Sep 2008 23:40:54 +0200
Mime-version: 1.0
Subject: [PR] Kaspersky Betatester Programm
From: Matthias Franken
To: <419@419scam.org>
Message-Id: <9212340.EDWNJLIN@kaspersky.de>
Original-recipient: rfc822;419@419scam.org
Content-Type: multipart/mixed; Boundary="--=BOUNDARY_9212340_SIIK_IDLO_OFNM_KSKB"
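Reading a chain like the one above by hand is what the post does; the following added example (not the post's own code) does the same with Python's email module. It lists each Received: hop, newest first, and reports which domain the message claims for itself in From or Message-Id without that domain appearing among the hosts that actually relayed it. RAW_HEADERS reproduces the headers quoted above with their continuation lines indented so they parse as folded headers; nothing else in them is changed.

```python
"""Walk the Received: chain of a message and compare the hosts that
actually handled it with the domain its From/Message-Id headers claim.

Added example, not code from the original post. RAW_HEADERS reproduces
the headers quoted in the post, with folded continuation lines indented
so the email module can parse them; nothing else is changed.
"""
import re
from email.parser import HeaderParser

RAW_HEADERS = """\
Received: from mo-p05-ob.rzone.de (mo-p05-ob.rzone.de [81.169.146.182])
 by mail.joewein.net (Ogose Mail Daemon) with ESMTP id 818CC10DCC78
 for <419@419scam.org>; Sun, 21 Sep 2008 21:43:45 +0000 (UTC)
X-RZG-CLASS-ID: mo05
X-RZG-AUTH: :L2MKYUGrb9+s7Ys+/C6cdNboKaxR22vZQHQdVrAeYnDdBsCFdpW1J0sdHw==
Received: from [77.21.44.13] ([62.159.230.93])
 by post.webmailer.de (fruni mo40) (RZmta 17.4)
 with ESMTP id L03273k8LKd8yb for <419@419scam.org>;
 Sun, 21 Sep 2008 23:43:17 +0200 (MEST)
 (envelope-from: )
Date: Sun, 21 Sep 2008 23:40:54 +0200
Mime-version: 1.0
Subject: [PR] Kaspersky Betatester Programm
From: Matthias Franken
To: <419@419scam.org>
Message-Id: <9212340.EDWNJLIN@kaspersky.de>
Original-recipient: rfc822;419@419scam.org
Content-Type: multipart/mixed; Boundary="--=BOUNDARY_9212340_SIIK_IDLO_OFNM_KSKB"
"""

# "from <host> (<comment>) by <host>", the shape most MTAs write.
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)


def parse_received(raw):
    """Return one dict per Received: header, newest hop first."""
    msg = HeaderParser().parsestr(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        hops.append({
            "from": m.group(1),
            "from_comment": m.group(2) or "",
            "by": m.group(3),
            "empty_envelope_from": "(envelope-from: )" in flat,
        })
    return hops


def claimed_domains(raw):
    """Domains the message claims for itself via From and Message-Id."""
    msg = HeaderParser().parsestr(raw)
    domains = set()
    for name in ("From", "Message-Id"):
        m = re.search(r"@([\w.-]+)", msg.get(name, ""))
        if m:
            domains.add(m.group(1).lower().rstrip("."))
    return domains


def analyse(raw):
    """Return human-readable findings about the header chain."""
    hops = parse_received(raw)
    findings = []
    for hop in hops:
        if hop["empty_envelope_from"]:
            findings.append(f"empty envelope sender at the hop via {hop['by']}")
        if re.fullmatch(r"\[[\d.]+\]", hop["from"]):
            findings.append(f"hop via {hop['by']} accepted mail from bare IP {hop['from']}")
    # Every host name and address that appears anywhere in the chain.
    handling = " ".join(f"{h['from']} {h['from_comment']} {h['by']}" for h in hops).lower()
    for domain in sorted(claimed_domains(raw)):
        if domain not in handling:
            findings.append(f"claimed domain {domain} appears in no Received: hop")
    return findings


if __name__ == "__main__":
    for hop in parse_received(RAW_HEADERS):
        print(f"{hop['from']:<22} -> {hop['by']}")
    for line in analyse(RAW_HEADERS):
        print("!", line)
```

On the quoted headers this reports three things the post's reader can confirm by eye: the message was relayed by rzone.de and webmailer.de hosts only, with kaspersky.de appearing in no hop at all; the first hop accepted it from a bare IP address; and the envelope sender was empty.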

At the time of writing this blog posting, Kaspersky’s online malware scanner did not yet recognize the Trojan Kaspersky.9.5.7.1.exe in archive file Kaspersky.9.5.7.1.rar.

As I already stated in my posting about the fake Google Chrome installer, do not install software attached to or linked from emails you didn’t request.

The real Kaspersky software is highly regarded and trial versions are available on the Kaspersky website.

Beware of fake Google Chrome installer emails

Barely had Google announced its new browser Chrome when malware senders responded by sending out fake emails claiming to provide an installer for the new software. Here is a German message I received:

From: “Steffen Neukirch” <beta-team@google.de>
To: spamtrap-email-address
Sent: Friday, September 05, 2008 09:26
Subject: [PR] New Chrome web browser available

You need a JavaScript-enabled browser to download this software. Click here for instructions on enabling JavaScript in your browser.

Google Chrome (BETA) for Windows
Google Chrome is a browser designed to make using the internet faster, simpler and safer. The browser also offers a high level of user-friendliness.

For Windows Vista/XP

One box for everything
When you type text into the address bar, you get suggestions for searches and web pages.

Thumbnails of your most visited websites
Open your favourite pages in a flash from any new tab.

Shortcuts for your applications
Launch your most frequently used web applications from desktop shortcuts.

Don’t hesitate to try the new web browser; attached you will find the newest version of Chrome,
simply install it and get started right away.

©2008 Google – Home – About Google – Privacy Policy – Help

I checked the attached 705 KB ChromeSetup.rar file with Kaspersky’s online virus scanner:

Scanned file: ChromeSetup.rar – Infected
ChromeSetup.rar/ChromeSetup.exe – infected by Trojan-Dropper.Win32.VB.efh

Do not install software attached to or linked from emails you didn’t request. The real Google Chrome (Beta) browser is available at http://www.google.com/chrome.

Malware: “Por favor veja isso!!!”

Today I received a couple of near-identical emails in Portuguese that differed only by the (forged) sender address:

From: “Fernanda” <fernandinha@globo.com.br>
To: <joewein@pobox.com>
Sent: Thursday, September 04, 2008 06:29
Subject: Por favor veja isso!!!

Você acredita que essas coisas ainda acontecem no Brasil?

Eu não posso acreditar…

Se você quiser, assine e repassse!

Tratamentos Desumanos.wmv (153,0 KB)

Google translation:

Subject: Please see that!!!

Do you believe that these things still happen in Brazil?

I can not believe …

If you want to, sign and pass on!

Inhumane Treatment.wmv (153.0 KB)

The link to what looks like a Windows movie file will try to run a malware installer.

The link in one of the emails goes to http://ceubba.org.ar/chat/data/web/~/anexo/video.wmv, which is actually a directory created by the malware senders on a hacked website. For a directory URL, the web server returns a default document such as index.html, index.htm or one of a few other typical names. The criminals named their Windows malware index.html and placed it in that folder. Because the file starts with an executable program header, Windows will try to run it rather than hand it to Windows Media Player to play as a video.
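One way to catch this trick before anything is opened, as an added example that is not from the original post: compare the file type the URL's name claims with the signature bytes of what was actually received. The same check covers the .doc "invoice" from the PayPal post above. The payload byte strings are constructed for the demonstration (only the leading signature bytes are real, the rest is zero filler); nothing is downloaded or executed.

```python
"""Compare the type a URL's file name claims with the signature bytes of
the content actually received, before any program is allowed to open it.

Added example, not code from the original post. The payloads below are
constructed: a real file signature followed by zero filler. Nothing is
downloaded or executed.
"""
import os
from urllib.parse import urlsplit

ASF_MAGIC = b"\x30\x26\xb2\x75\x8e\x66\xcf\x11\xa6\xd9\x00\xaa\x00\x62\xce\x6c"

# Leading bytes (magic numbers) of the file types relevant to the posts above.
SIGNATURES = [
    (b"MZ", "pe-executable"),                                # Windows EXE/DLL/SCR
    (ASF_MAGIC, "asf-media"),                                # WMV/WMA/ASF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy .doc/.xls, macro-capable
    (b"PK\x03\x04", "zip-container"),                        # .docx/.zip/.jar
    (b"Rar!\x1a\x07", "rar-archive"),
]

# What content each claimed extension should actually carry.
EXPECTED_BY_EXTENSION = {
    ".wmv": {"asf-media"},
    ".wma": {"asf-media"},
    ".doc": {"ole2-document"},
    ".docx": {"zip-container"},
    ".rar": {"rar-archive"},
}

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr"}

# Constructed sample payloads: signature bytes plus filler.
FAKE_VIDEO = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56   # really a Windows executable
REAL_VIDEO = ASF_MAGIC + b"\x00" * 48                        # genuine ASF/WMV header
VIDEO_URL = "http://ceubba.org.ar/chat/data/web/~/anexo/video.wmv"   # URL quoted in the post


def sniff(data):
    """Name the file type from its leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    if data.lstrip()[:5].lower() in (b"<!doc", b"<html"):
        return "html"
    return "unknown"


def claimed_extension(url):
    """Lower-cased extension of the URL path ('' for a directory or none)."""
    path = urlsplit(url).path
    if path.endswith("/"):
        return ""
    return os.path.splitext(path)[1].lower()


def check_download(url, data):
    """Return a one-line verdict on whether content and claimed type agree."""
    actual = sniff(data)
    ext = claimed_extension(url)
    # An executable hiding behind any non-executable name is the worst case.
    if actual == "pe-executable" and ext not in EXECUTABLE_EXTENSIONS:
        return f"DANGER: {url} claims {ext or 'no'} extension but the content is a Windows executable"
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if expected and actual not in expected:
        return f"MISMATCH: {url} claims {ext} but the content looks like {actual}"
    return f"ok: content type {actual} is consistent with {ext or 'no extension'}"


if __name__ == "__main__":
    print(check_download(VIDEO_URL, FAKE_VIDEO))
    print(check_download(VIDEO_URL, REAL_VIDEO))
```

The first call reports DANGER because the bytes behind video.wmv begin with the MZ header of a Windows executable; the second passes because a genuine ASF header matches the .wmv name. Mail gateways and download proxies apply the same idea when they block attachments by content rather than by file name.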

Be very careful when clicking on links or attachments in unexpected mail sent to you. Use common sense or a good anti-malware program, ideally both!