Threatening messages try to trick users into visiting malicious websites

Sep 20, 2012 08:08 GMT

Have you received a threatening notification in which you were told about a debt to PayPal’s BillMeLater service? If you have, you should know that you are a target of a cybercriminal scheme whose main goal is to spread a nasty Trojan.

Bearing subject lines such as “Immediately pay off the debt!”, “We will file a charge against you.”, or “You must immediately pay off the debt!”, the emails read something like this:

We notified you several times about your debt to Bill Me Later.

In the event that you fail to voluntarily satisfy our requirements for payment of your debts to Bill Me Later, we will have to turn to the court with the purpose of enforced collection of the debt, which may entail additional expenses for you.

For example, the expenses in the amount of safe duty, the cost of representative’s services for the compearance, the compensatory interest for the use or detention of money for each day of delay and execution fee.

Based on the foregoing we offer you to pay the debt in the amount of $349.00

The bottom of the notification contains a “PRINT THE INVOICE” button which, according to MX Lab experts, leads to a website designed to serve an archive file, INVOICE_FORM.zip, that hides a malicious payload.

Once it’s decompressed, the .zip file reveals an executable named INVOICE_FORM.exe. This is actually a new version of the Trojan identified by Kaspersky as HEUR:Trojan.Win32.Generic.

Currently, only 6 of the antivirus companies present on VirusTotal identify the file as a threat.
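A defender-side check for the delivery chain described above (an archive attachment whose member is an executable named to look like an invoice), written as an added example and not part of the original report. The sample archives are constructed inline; the "executable" member carries only a dummy MZ header, not the real payload, and the extension and keyword lists are assumptions:

```python
import io
import os
import zipfile
from typing import List

# Constructed sample: laid out like the archive in the report, one member
# named INVOICE_FORM.exe. Content is a fake PE header, not malware.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE_FORM.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

# Constructed benign counterpart: a real-looking PDF invoice, no executable.
def build_benign_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%fake content\n")
    return buf.getvalue()

# Assumed lists: common Windows executable extensions and the words a
# payment lure is likely to use to make an executable look like a document.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_WORDS = ("invoice", "bill", "statement", "receipt", "form")

def inspect_archive(data: bytes) -> List[str]:
    """Return findings for an e-mail attachment archive.

    Flags any member that is executable, either by extension or by its PE
    magic bytes ("MZ"), and adds a second finding when such a member also
    carries a document-like name, which is the lure used in this campaign.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            with zf.open(info) as member:
                is_pe = member.read(2) == b"MZ"   # check content, not just the name
            if is_pe or ext in EXECUTABLE_EXTENSIONS:
                reason = "PE header" if is_pe else "executable extension"
                findings.append(f"{name}: executable ({reason})")
                if any(word in name.lower() for word in DOCUMENT_WORDS):
                    findings.append(f"{name}: document-like name on an executable")
    return findings
```

Checking the magic bytes as well as the extension matters because a renamed executable (for example `INVOICE.pdf.exe` shown with hidden extensions, or a `.exe` renamed to something harmless) still starts with `MZ`.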

While this particular notification appears well crafted, carrying all the appropriate logos and seemingly originating from eBay, a close look at the actual message makes it clear that it is not legitimate.

We advise users to check out all the details of such emails before rushing to click on the links they contain.