Security: New PayPal Virus Quakes Industry
Banking Wire
Karen Krebsbach
January 14, 2004
The Mimail.J e-mail, believed to have originated in France, has hit at least a dozen U.S. businesses, including several U.S. and U.K. banks, which has "resulted in varying levels of identity theft for their customers," according to MessageLabs, a managed e-mail security services firm. MessageLabs declined to identify the banks or to clarify the extent of the ID theft.
However, Amanda Pires, a spokeswoman for the five-year-old PayPal, which has 35 million account members worldwide, says the firm's automated monitoring center intercepted the virus shortly after the initial November outbreak. PayPal is now working on proprietary software to block such e-mails in the future. "We take this very seriously," she says. She declined to release the number of accountholders who were affected. The firm's Web site also warned accountholders about the problem and provided a list of security tips to ensure account data is not released to unauthorized personnel.
The worm, which was first seen by MessageLabs on Nov. 17, arrives as an e-mail attachment named either InfoUpdate.exe or www.paypal.com.pif, with "problems with your PayPal account" in the subject line. When launched, the worm displays a bogus PayPal credit card verification window carrying this message: "We regret to inform you that your account is about to be expired in next five business days. To avoid suspension of your account you have to reactivate it by providing us with your personal information. To update your personal profile and continue using PayPal services, you have to run the attached application to this e-mail. Just run it and follow the instructions. Important! If you ignore this alert, your account will be suspended in next five business days and you will not be able to use PayPal anymore."
The information entered into this window is saved in a file named ppinfo.sys, which is then sent to a remote server. The worm spreads by e-mailing copies of itself to addresses harvested from the infected computer.
The messages purportedly from banks asked accountholders to confirm their bank log-in codes, bank account numbers and passwords, says MessageLabs CTO Mark Sunner, who urges all banks and payment companies to notify their customers about potential e-mail scams. "We've seen a spate of this lately, which suggests it's working," he says. "The perpetrators keep doing it, so they probably have a level of success."
The e-mails referred to Web sites that looked authentic, says Sunner, but in many cases the domain names didn't resemble the presumed domain: it would say amcn4a.MaIl333.CoM instead of https://online.bankname.com. Also missing was the standard padlock icon in the lower left-hand corner of the browser window. A third difference was the log-on section, which would ask for one's full password rather than for two different letters of it.
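As an added example, not code from the article or from MessageLabs or PayPal, the following Python mail-filter check turns the indicators quoted above into a detection: the two attachment names, the subject line, and Sunner's look-alike domain test. The sample message is constructed, and the executable-extension list is an assumption.

```python
import re
from email import message_from_string
from urllib.parse import urlparse
# Indicators quoted in the article; the extension list is an added assumption.
KNOWN_LURE_ATTACHMENTS = {"infoupdate.exe", "www.paypal.com.pif"}
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat")
LURE_SUBJECT = re.compile(r"problems? with your paypal account", re.I)
EXPECTED_DOMAIN = "paypal.com"  # brand the lure impersonates

def lookalike_links(body, expected):
    # URLs whose host is neither the expected domain nor one of its subdomains
    bad = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != expected and not host.endswith("." + expected):
            bad.append(url)
    return bad

def score_message(raw):
    # Parse a raw RFC 822 message and collect the lure indicators it matches
    msg = message_from_string(raw)
    reasons, body = [], ""
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject matches known lure")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_LURE_ATTACHMENTS:
            reasons.append(f"known lure attachment {name}")
        elif name.endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment {name}")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for url in lookalike_links(body, EXPECTED_DOMAIN):
        reasons.append(f"link host is not {EXPECTED_DOMAIN}: {url}")
    return {"suspicious": bool(reasons), "reasons": reasons}

# Constructed sample modelled on the lure described in the article.
SAMPLE = """Subject: Problems with your PayPal account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reactivate at http://amcn4a.MaIl333.CoM/verify or run the attachment.
--b1
Content-Type: application/octet-stream; name="www.paypal.com.pif"

AAAA
--b1--
"""
```

Running `score_message(SAMPLE)` reports all three indicators, while an ordinary text message with no executable attachment and no off-domain link comes back clean.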
Sunner believes this worm is an example of "a new and sinister trend emerging within the virus writing community. ... Historically, viruses have primarily been written by misguided young adolescent males with either malicious intent, a chip on their shoulder or a desire for notoriety amongst their virus writing pals. What we are beginning to see now is a shift towards actual fraud, where financial gain by deception is the primary objective. The resulting viruses have a 'hit and run' style approach, and are not engineered to have any longevity. Instead they rely on duping a crop of unsuspecting users before a new variant is released and the process begins again."
MessageLabs says it is seeing an increase in the vaunted "dictionary attacks" that seek to harvest user passwords and then hijack machines to send out spam and/or steal personal data, such as credit card information. "We first saw this kind of e-mail over a year ago; the Nigerian scam, where they're trying to dupe someone into handing over their account details, is one example, so it's not new," says Sunner. "However, what is new is that someone is now using a virus as a delivery mechanism because it spreads more rapidly." This method also provides anonymity to the sender.
"The viruses we're seeing as of late are deliberately engineered to get through traditional antivirus technology," says Sunner. "The kind of software most people run on their desktop [computers] is very reactive in nature, requiring updates and patches when a new virus appears, rather than proactive. What we're seeing now is that virus writers are exploiting the reactive nature of traditional products by changing the virus's encoding every time they send it. By the time the traditional antivirus companies respond with a new patch, there's a time lag, and a window of opportunity."
PayPal says it will continue to push virus awareness through education, including postings on its Web site, "where we have communication on our home page," says Pires. "We're looking to give people tools to monitor their accounts. Soon we will have a technology coming out that will help them do that." She declined to elaborate on that software. She notes, however, that customers are not responsible for any unauthorized spending in their accounts. The Mountain View, CA-based firm was acquired by eBay in 2002.
Copyright 2004 Thomson Media Inc. All Rights Reserved. Distributed by FluentMedia, a service of Tribune Media Services. Copyright (c)2004 by Tribune Media Services