A Dispatch


November 05, 2005

More on Phishers With Trojans

I was so focused on the .exe file mentioned in my previous post that I didn't look that closely at the social engineering aspects of the complete message. The basic approach—"reporting" that they detected unusual login attempts for my account—isn't new. But the quantity of phony detail (some of it ridiculously funny) is new to me, as is the HTML source code of the message.

I therefore display the message in its entirety, as received—but with the offending links to the Trojan downloader removed for everyone's safety:

Security Measures - Are You Traveling?

PayPal is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity.

We recently noted one or more attempts to log in to your account from a foreign country. If you accessed your account while traveling, the attempt(s) may have been initiated by you.

Because the behavior was unusual for your account, we would like to take an extra step to ensure your security and you will now be taken through a series of identity verification pages.

 IP Address  Time
 Country Oct 27, 2005 12:47:01 PDT
Spain Oct 29, 2005 18:37:55 PDT
Spain Nov 14, 2005 16:42:16 PDT
Mexico Nov 15, 2005 16:58:03 PDT

Welcome to the PayPal Security Center. Here, you’ll find the latest information on how to buy and sell safely online. You’ll get tools to help keep you protected. And you’ll learn how we fight fraud 24/7 on your behalf. Stay protected, just click on the link and run the software.

Download ultimate PayPal Security Tool now!

Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account.

We apologize for any inconvenience.

If you choose to ignore our request, you leave us no choise but to temporaly suspend your account.

Thank you for using PayPal! The PayPal Team

PayPal Email ID:

All three links in the original message led to the Trojan .exe file, which is hosted on a Romanian server.

Aside from the occasional misspelling ("choise" for "choice"), the foreknowledge of someone supposedly logging into my account from Mexico 10 days from now is hysterical. But that probably still won't prevent many recipients from clicking on the link, installing the program, and handing their identities over to who-knows.
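
The two giveaways noted above, login times dated after the message arrived and links that lead to an .exe file, can be checked mechanically when triaging a reported message. The following Python is an added example, not part of the original post; the function and class names, the placeholder URL, and the receipt time (taken from the post's date) are assumptions.

```python
import re
from datetime import datetime
from html.parser import HTMLParser

# Timestamp style used in the quoted message, e.g. "Nov 15, 2005 16:58:03 PDT".
STAMP = re.compile(r"\b([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}) PDT\b")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(html, received):
    """Return (finding, detail) pairs for one HTML message body."""
    findings = []
    for stamp in STAMP.findall(html):
        # Zone suffix ignored: sender and recipient zones assumed close enough.
        if datetime.strptime(stamp, "%b %d, %Y %H:%M:%S") > received:
            findings.append(("event dated after receipt", stamp))
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        path = href.split("?", 1)[0].split("#", 1)[0]  # drop query and fragment
        if path.lower().endswith(".exe"):
            findings.append(("link to executable", text))
    return findings

# Constructed sample: timestamps and link text are from the quoted message;
# the URL is a placeholder, since the real links were removed from the post.
SAMPLE = """<p>Oct 27, 2005 12:47:01 PDT</p><p>Oct 29, 2005 18:37:55 PDT</p>
<p>Nov 14, 2005 16:42:16 PDT</p><p>Nov 15, 2005 16:58:03 PDT</p>
<a href="http://host.invalid/placeholder.exe">Download ultimate PayPal Security Tool now!</a>"""
RECEIVED = datetime(2005, 11, 5, 8, 6)  # assumed: the post's date stands in for receipt time

if __name__ == "__main__":
    for finding in triage(SAMPLE, RECEIVED):
        print(finding)
```

Run against the constructed sample, the two November timestamps and the download link are flagged, while the two October timestamps pass.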

Posted on November 05, 2005 at 08:06 AM