Global security vendor Proofpoint says the message from PayPal is legitimate – it is a “You’ve got a money request” that comes from PayPal. The sender does not appear to be faked: instead, the spam is generated by registering with PayPal (or using stolen accounts) and then using the portal to request money.
Email clients like Gmail and others don’t block legitimate PayPal emails – because they are not spoofed. The malicious URL is included in a kosher-looking note that purports to provide proof of the transaction request.
Clicking on the link has two effects – it debits your account for $100, and it infects your Windows system with the Chthonic Trojan.
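Because the notification genuinely comes from PayPal, sender authentication passes and the only attacker-controlled content is the requester's free-text note. The following gateway-side check, an added example that is not Proofpoint's or PayPal's code, inspects authenticated PayPal money-request mail and flags any link that does not point at a PayPal host; the sample message, its headers and the hosts in it are constructed for this illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a money-request notification that really comes from
# PayPal (so DKIM/DMARC pass) but whose requester-written note carries a
# link to a third-party host. All values below are made up.
SAMPLE_EMAIL = """\
From: "service@paypal.com" <service@paypal.com>
To: victim@example.com
Subject: You've got a money request
Authentication-Results: mx.example.com; dkim=pass header.d=paypal.com; dmarc=pass
Content-Type: text/plain; charset=utf-8

Alice Attacker sent you a money request for $100.00 USD.

Note from requester:
Proof of the transaction is here: http://proof-of-payment.example.net/invoice.php
Please review it before paying.

Pay now: https://www.paypal.com/myaccount/transfer/request/r12345
"""

# Hosts PayPal itself links to (assumed list); anything else inside a
# PayPal-originated message is content supplied by the requester.
FIRST_PARTY_HOSTS = ("paypal.com", "paypal.me")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def is_first_party(url: str) -> bool:
    """True if the URL's host is a PayPal domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in FIRST_PARTY_HOSTS)

def authenticated_paypal_mail(msg) -> bool:
    """Only trust the gateway's own Authentication-Results for paypal.com."""
    auth = msg.get("Authentication-Results", "")
    return "dmarc=pass" in auth and "header.d=paypal.com" in auth

def third_party_urls(raw_email: str) -> list[str]:
    """Return links a legitimate PayPal notification would not contain.
    Unauthenticated (spoofed) mail is left to the usual anti-spoofing
    controls and yields an empty list here."""
    msg = message_from_string(raw_email)
    if not authenticated_paypal_mail(msg):
        return []
    body = msg.get_payload()
    return [u for u in URL_RE.findall(body) if not is_first_party(u)]

if __name__ == "__main__":
    for url in third_party_urls(SAMPLE_EMAIL):
        print("flag for URL sandboxing:", url)
```

Flagged URLs are candidates for the dynamic URL scanning the article's quoted advice refers to, not an automatic verdict on the message itself.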
Proofpoint researchers also noticed that Chthonic downloads another module called AZORult. At this time, there are no details on what this module does, and Proofpoint researchers are still investigating its code.
Kevin Epstein, Proofpoint’s vice-president, threat operations, said, "This isn't the first time that we've seen threat actors use legitimate services to distribute malware. However, this attack is carefully engineered to not just bypass traditional defences because the messages come from PayPal but also to trick users into paying and clicking through malicious links.
"These kinds of threats are difficult to catch at the client level. Instead, organisations need to be able to dynamically scan URLs at the network/email gateway and detect communication with command and control infrastructure. Of course, user training should come into play as well."
While the campaign is low intensity at this stage, it appears that we cannot trust any organisation that communicates via email – that bodes well for Australia Post and the humble, not so cheap, letter or Telstra and faxes!