Our Honeypot system has recently detected a sophisticated spyware-spreading campaign that takes advantage of PayPal’s popularity. In its first phase, the campaign sends out spam emails impersonating PayPal with a virus attached.
These emails are perfect copies of a real email from PayPal: the sender’s address, subject and content are identical.
Picture 1: Email pretending to be from PayPal
When credulous users open the attached file, a dangerous trojan (dubbed W32.Spypal.Spyware by Bkav) is installed on their computers. Upon execution, Spypal collects sensitive information stored on the victim’s computer, including:
- Details about the operating system in use: version and configuration
- Login credentials of accounts on the victim’s computer
- Usernames and passwords of popular applications such as Easy FTP, Direct FTP, Chrome, Mozilla Firefox, Opera, Microsoft Outlook, Windows Live Mail, PuTTY, etc.
After this collection phase, the trojan sends the gathered system information and login credentials to the attacker’s command-and-control server over HTTP.
Once the upload is complete, the trojan downloads another trojan to maintain its presence on the victim’s computer and continue stealing the user’s information.
Because of this behaviour, normal users cannot tell that their computers are infected without the help of antivirus software.
Users should be cautious when receiving notification emails concerning account credentials or personal information, especially those with attachments. If an attachment must be opened, scan it first with up-to-date antivirus software.
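As an added example (not part of the original post or of Bkav’s tooling), the following Python script shows how a mail gateway or analyst can flag the kind of message described above: a From address claiming a watched brand domain that the receiving server’s SPF/DKIM results do not confirm, combined with an executable-style attachment. The sample message, addresses and header values are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the spoofed PayPal notification described above.
# All addresses and header values are hypothetical, not taken from a captured email.
SAMPLE_EMAIL = b"""From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your account has been limited
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.example.net; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

WATCHED_DOMAINS = {"paypal.com"}  # brands whose From address is being impersonated
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".js", ".vbs", ".jar")


def analyse_message(raw: bytes) -> dict:
    """Flag a message whose From domain is a watched brand but whose SPF/DKIM
    results do not confirm it, and list attachments with executable-style names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Authentication-Results is added by the receiving MTA (which should strip any copy
    # the sender supplied); a stricter check would also require DMARC alignment with From.
    auth = msg.get("Authentication-Results", "").lower()
    authenticated = "spf=pass" in auth or "dkim=pass" in auth
    risky = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]
    spoof_suspected = from_domain in WATCHED_DOMAINS and not authenticated
    return {
        "from_domain": from_domain,
        "authenticated": authenticated,
        "spoof_suspected": spoof_suspected,
        "risky_attachments": risky,
        "quarantine": spoof_suspected and bool(risky),
    }
```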
Pham Cong Hieu