Security threats Toolkit

Mimail variant trys PayPal fraud

Andy McCue silicon.com

Published: 14 Nov 2003 15:10 GMT

Users are being warned about a new variant of the Mimail worm on the loose that takes victims to a fake PayPal Web page in an attempt to steal credit card details.

The variant, W32/Mimail-I, hits inboxes with the subject line "Your Paypal.com account expires" and tells the user they need to update their credit card details because of a new security policy being implemented.

But in a twist on the spate of 'phishing' scams in recent weeks, the email tells the victim not to send personal information via email, saying that email is insecure -- and asks them to run an attached program instead.

The attached file, 'www.paypal.com.scr', brings up a pop-up box, with a PayPal logo, that requests a user's credit card details including card number, PIN number and expiry date.

Not only are gullible or unsuspecting users fleeced of their credit card details but Mimail-I sends itself to everybody whose email address appears on the victim's hard disk in order to spread itself.

David Emm, AVERT marketing manager at McAfee, said the worm is currently rated as low-risk but added that the PayPal element is a new twist.

"We have increasingly seen over the last two years things that drop back door Trojans onto systems to gather information but this is the first time we have seen it wrapped up with the whole PayPal scam," he said.

Antivirus firm Sophos reaffirmed its advice to users not to click on Web links or attachments sent in emails that claim to come from banks or financial companies and block all Windows programs such as exe, dll, scr, bat and pif files at the email gateway -- and of course, update your antivirus software regularly.