PayPal Pharming Attack
09 Nov 11:52

Major organisations have long been targets of phishing attacks, but the latest amalgamation of pharming and phishing makes for a deadly combination. By tampering with DNS resolution (here, the DNS server setting on the victim's own workstation rather than a public resolver), a pharming attack can easily lull the victim into a false sense of security, duping them into accessing what looks like an official web address.

This latest attack on PayPal shows just how easy this can be:

Websense Security Labs has received reports of a new attack that targets users of PayPal. The attack begins with a spoofed email phishing message that provides a link to download the executable "PayPal security tool" file. The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself. All future requests for 'paypal.com' will be transparently redirected to a phishing website. This same DNS server could also be used to redirect requests for additional websites, but it currently appears to only redirect 'paypal.com'.

The next time the user attempts to visit the PayPal website, they will instead arrive at a phishing site. The web address shown in the browser's toolbar will appear to be correct. Upon logging in, the phishing site will request that the user update their account. They are prompted to enter the following information: Name, Credit/ATM Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers.

The malicious DNS server is hosted in Romania while the phishing server is hosted in India. Both were online at the time of this alert.

Sample phishing email body:
------------------------------------------

Security Measures - Are You Traveling?

PayPal is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity.

We recently noted one or more attempts to log in to your account from a foreign country. If you accessed your account while traveling, the attempt(s) may have been initiated by you.

Because the behavior was unusual for your account, we would like to take an extra step to ensure your security and you will now be taken through a series of identity verification pages.

IP Address Time Country
80.69.115.16 Oct 27, 2005 12:47:01 PDT Germany
80.69.115.16 Oct 29, 2005 18:37:55 PDT Germany
217.160.77.45 Nov 14, 2005 16:42:16 PDT United Kingdom
217.160.77.45 Nov 15, 2005 16:58:03 PDT United Kingdom

Click here to download PayPal security tool

Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account.

We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.

Thank you for using PayPal! The PayPal Team
------------------------------------------

Sample screenshots are available within the full alert details at the URL below.
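The alert's key technical point is that the Trojan does not touch the browser or the address bar at all: it rewrites the workstation's DNS server setting, so the fully correct name 'paypal.com' resolves to the attacker's host. A defender therefore detects this on the endpoint, not in the browser, by checking two things: whether the configured resolvers are ones the organisation actually operates, and whether a name resolves differently through the configured resolver than through a trusted one. The script below is an added example written for this page (it is not Websense's or the ISB site's code). The `ipconfig /all` excerpt, the resolver addresses and the A-record answers are all constructed sample data; the trusted-resolver list is an assumption you would replace with your own.

```python
"""Endpoint check for a hijacked DNS server setting (added example; constructed data)."""
import ipaddress
import re

# Resolvers the organisation actually runs (ASSUMED values; substitute your own).
TRUSTED_RESOLVERS = ["10.0.0.0/24", "192.168.1.1"]

# Constructed excerpt in the shape of `ipconfig /all` output from an affected workstation:
# the first DNS entry has been replaced by an outside address, the DHCP-assigned one remains.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.37
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            192.168.1.1
"""

# Constructed A-record answers for the same names, once via the workstation's configured
# resolver and once via a resolver the defender trusts. Only paypal.com differs, matching
# the alert's observation that the rogue server redirected that one name.
SAMPLE_ANSWERS = {
    "paypal.com": {"configured": {"203.0.113.44"},
                   "trusted": {"198.51.100.10", "198.51.100.11"}},
    "example.com": {"configured": {"198.51.100.200"},
                    "trusted": {"198.51.100.200"}},
}

IPV4_ONLY_LINE = re.compile(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server list from ipconfig-style output, including continuation lines."""
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: *(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True          # further servers appear as indented bare addresses
            continue
        if collecting:
            cont = IPV4_ONLY_LINE.fullmatch(line)
            if cont:
                servers.append(cont.group(1))
                continue
            collecting = False
    return servers


def rogue_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Configured resolvers that fall outside every trusted network or address."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    rogue = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            rogue.append(s)            # an unparsable entry is suspicious in itself
            continue
        if not any(addr in n for n in nets):
            rogue.append(s)
    return rogue


def hijacked_names(answers):
    """Names whose configured-resolver answer shares no address with the trusted answer."""
    return sorted(name for name, a in answers.items()
                  if a["configured"].isdisjoint(a["trusted"]))


def assess(ipconfig_text, answers):
    """Combine both checks into one verdict for the workstation."""
    servers = parse_dns_servers(ipconfig_text)
    rogue = rogue_resolvers(servers)
    hijacked = hijacked_names(answers)
    return {
        "configured_resolvers": servers,
        "rogue_resolvers": rogue,
        "hijacked_names": hijacked,
        "suspect": bool(rogue or hijacked),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_IPCONFIG, SAMPLE_ANSWERS).items():
        print(f"{k}: {v}")
```

The resolver-allowlist check is the cheap, reliable signal: a workstation whose DNS server setting points outside the networks you operate has been reconfigured, whether by this Trojan or by something else. The answer comparison is weaker on its own, because CDN-fronted names legitimately return different addresses from different resolvers; treating only a fully disjoint answer set as suspicious, as above, reduces that noise but does not remove it, so use it to confirm the first signal rather than to replace it.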

Related link: www.websensesecuritylabs.com/alerts/alert.php?AlertID=329
