Websense Security Labs has reported the problem which begins with a spoofed email message that provides a link to download the executable 'PayPal security tool' file.
The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself. All future requests are then transparently redirected to a bogus website.
This same DNS server could also be used to redirect requests for additional websites, but currently appears to redirect only PayPal subscribers.
The next time the user attempts to visit the PayPal website, they will instead arrive at a phishing site even though the web address shown in the browser's toolbar will appear to be correct.
When the user logs in, the phishing site requests that they update their account. They are prompted to enter the following information: Name, Credit/ATM Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers.
Below is a section of one of the malicious phishing emails being used:
'Security Measures - Are You Traveling?
PayPal is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity.
'We recently noted one or more attempts to log in to your account from a foreign country. If you accessed your account while traveling, the attempt(s) may have been initiated by you.
'Because the behavior was unusual for your account, we would like to take an extra step to ensure your security and you will now be taken through a series of identity verification pages.'
The Trojan is currently not detected by any antivirus vendors. The malicious DNS server is hosted in Romania, while the phishing server is hosted in India.
Use the same password for every website? It might be time to change them all
Applicants for parking bay suspensions put at risk of credit card fraud by Islington Council
Robert Swan appointed interim CEO after Brian Krzanich's departure
Should you link your data sets to add value, or leave them separate to reduce risk?