    A new fake PayPal email message is being spammed — this time, it is not the typical PayPal phishing email that everyone is accustomed to. Instead of including links asking for the recipient’s personal information, this spammed message asks users to open a .ZIP attachment.

    The spam reads like so:

    Dear member,
    As part of our security measures, we regularly screen activity in the PayPal system.

    We have reason to believe that you account was accessed by a third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this termporary limitation is for your protection. Please review the report that we have attached to this email to see who accessed your account and contact us promptly if anything is unusual.

    Cas ID Number: {case ID number}

    Thank you for your patience as we work together to protect your account.

    PayPal Account Review Department
    PayPal Email ID PP2310

    It informs recipients that their PayPal accounts were hacked, and that some fraudulent activity may have occurred. As part of security measures, “PayPal” is asking users to review the “report” in the .ZIP file and then contact the company if anything unusual is discovered.

    The attachment that arrives with this spam, however, does not contain a report or any similar information.

    Inside the .ZIP archive is a worm that infects the recipient’s computer upon execution.

    Figure 2. Users expecting a document may be surprised to see that the file contains an executable.

    Detected by Trend Micro as WORM_POISON.LA, this malicious executable has routines that are related to the (now infamous) peer-to-peer file-sharing application Kazaa.

    Other PayPal-related spam runs include the following:

    The Trend Micro Smart Protection Network already blocks the spammed PayPal message, keeping users’ PCs away from its malicious attachment. It also detects WORM_POISON.LA and provides solutions for its cleanup and removal. Users are strongly advised to refrain from downloading and executing files found in unsolicited email messages.


    • Antivirus

      As a LONG time PayPal user, I suppose I should be grateful that I have never been the victim of one of these attacks. I would have liked to see the body of this email, just to get a look at how accurate the HTML was, as compared to actual PayPal emails.

      A side note: For a long time, Paypal had its site accessible by the domain name It was legitimate and secure, but a lot of people used to think that the site was a phishing scam and wondered why it wasn't taken down. Recently, was finally changed to direct to paypal labs. What a dreary use of an excellent domain name!



    © Copyright 2013 Trend Micro Inc. All rights reserved.