A new phishing attack is targeting PayPal users, redirecting them to a fake site in an attempt to collect password details. Websense Security Labs has reported the problem, which begins with a spoofed email message that provides a link to download the executable 'PayPal security tool' file.
The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server setting of the local workstation and then deletes itself. All future requests are then transparently redirected to a bogus website.
This same DNS server could also be used to redirect requests for additional
websites, but currently appears to redirect only PayPal subscribers.
The next time the user attempts to visit the PayPal website, they will
instead arrive at a phishing site even though the web address shown in the
browser's toolbar will appear to be correct.
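A host-side check for the mechanism described above, added here as an example and not part of the original report: it parses `ipconfig /all` output for resolvers outside an allowlist, and compares a domain's answer from the configured resolver with one from a trusted resolver. The sample output and addresses are constructed, and the two resolver callables are assumed to be supplied by the caller.

```python
"""Detect a hijacked DNS configuration of the kind the Trojan above installs.

Check 1: parse `ipconfig /all` and flag DNS servers outside the allowlist.
Check 2: resolve a domain via the configured resolver and via a trusted one;
differing answers mean redirection even though the address bar looks right.
"""
import ipaddress
import re
from typing import Callable, Iterable, List

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "DNS Servers . . . : 1.2.3.4" line of ipconfig /all (IPv4 entries only);
# additional servers follow on deeply indented continuation lines.
_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*" + _IPV4 + r"\s*$")
_CONT_LINE = re.compile(r"^\s{10,}" + _IPV4 + r"\s*$")

# Constructed sample output; 203.0.113.9 stands in for a rogue resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.0.42
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       10.0.0.53
"""


def configured_dns_servers(ipconfig_text: str) -> List[str]:
    """Return every DNS server address listed in ipconfig /all output."""
    servers: List[str] = []
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        c = _CONT_LINE.match(line) if in_dns else None
        if c:
            servers.append(c.group(1))
        else:
            in_dns = False
    return servers


def rogue_dns_servers(ipconfig_text: str, allowed: Iterable[str]) -> List[str]:
    """DNS servers outside the allowed networks (CIDR blocks or single IPs)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [s for s in configured_dns_servers(ipconfig_text)
            if not any(ipaddress.ip_address(s) in n for n in nets)]


def resolution_mismatch(domain: str, resolve_local: Callable[[str], List[str]],
                        resolve_trusted: Callable[[str], List[str]]) -> bool:
    """True when the configured resolver's answer differs from a trusted one's."""
    return set(resolve_local(domain)) != set(resolve_trusted(domain))
```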
When the user logs in, the phishing site requests that they update their
account. They are prompted to enter the following information: Name, Credit/ATM
Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden
Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers.
Below is a section of one of the malicious phishing emails being used:
'Security Measures - Are You Traveling?
PayPal is committed to maintaining a safe environment for its community of
buyers and sellers. To protect the security of your account, PayPal employs some
of the most advanced security systems in the world and our anti-fraud teams
regularly screen the PayPal system for unusual activity.
'We recently noted one or more attempts to log in to your account from a
foreign country. If you accessed your account while traveling, the attempt(s)
may have been initiated by you.
'Because the behavior was unusual for your account, we would like to take
an extra step to ensure your security and you will now be taken through a series
of identity verification pages.'
The Trojan is currently not detected by any antivirus vendors. The malicious
DNS server is hosted in Romania, while the phishing server is hosted in India.