Spamvertised 'PayPal payment notifications' lead to client-side exploits and malware


Summary: A currently spamvertised malicious campaign is impersonating PayPal in an attempt to trick end and corporate users into clicking on exploits-serving links.


PayPal users, beware! A currently spamvertised malicious campaign is impersonating PayPal in an attempt to trick end and corporate users into clicking on exploits-serving links found in the emails.

Upon clicking on the links, users are exposed to the client-side exploits served by the most popular Web malware exploitation kit currently in use by cybercriminals - the BlackHole exploit kit.

The campaign ultimately drops a payload with the following MD5: 4f58895af2b8f89bd90092f08fcbd54f, currently detected by 17 out of 42 antivirus vendors.

Who's behind this campaign? Over the past couple of months, a single cybercriminal, or a gang of cybercriminals, has been systematically rotating the impersonation of multiple companies in an attempt to trick end users into clicking on their exploits-serving links.

So far, the gang has impersonated U.S. Airways, Verizon Wireless and LinkedIn, and the campaigns show no signs of slowing down.

End and corporate users are advised to ensure that they're running the latest versions of their third-party software and browser plugins, to avoid being exploited by the BlackHole web malware exploitation kit.
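The one concrete indicator the article gives is the MD5 of the dropped payload. The script below, added here as an illustration and not part of the original article, shows the check a responder would run with that indicator: hash every file under a directory and report any whose MD5 appears in a known-bad set. The set is seeded with the hash quoted above; the scratch directory, its file names and the "bad" sample bytes are constructed for the demo and carry no malware. Keep in mind that an exact-hash IoC only catches the identical sample; a repacked build of the same payload has a different MD5, so hash matching complements, rather than replaces, keeping plugins and third-party software patched.

```python
import hashlib
import os
import tempfile

# Known-bad MD5 hashes (IoCs). The first is the payload hash quoted in the
# article; extend it from your own threat intelligence feeds.
KNOWN_BAD_MD5 = {
    "4f58895af2b8f89bd90092f08fcbd54f",
}


def md5_of_bytes(data: bytes) -> str:
    """MD5 hex digest of an in-memory buffer."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through MD5 so large binaries never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_bad(digest: str, iocs=KNOWN_BAD_MD5) -> bool:
    """Case-insensitive membership test: vendors publish hashes in mixed case."""
    return digest.lower() in {h.lower() for h in iocs}


def scan_tree(root: str, iocs=KNOWN_BAD_MD5):
    """Walk `root` and return [(path, md5)] for every file whose hash is an IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file (permissions, race): skip, don't abort the scan
            if is_known_bad(digest, iocs):
                hits.append((path, digest))
    return hits


# Constructed demo data: harmless bytes whose hash we *treat* as an IoC.
DEMO_BAD_BYTES = b"constructed sample, not malware\n"
DEMO_BAD_MD5 = md5_of_bytes(DEMO_BAD_BYTES)


def build_demo_tree() -> str:
    """Create a constructed scratch directory with one benign and one 'bad' file.

    Returns the directory path. Nothing written here is malicious; the 'bad'
    file only matches because its hash is passed to scan_tree as an IoC.
    """
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    with open(os.path.join(root, "sample.bin"), "wb") as fh:
        fh.write(DEMO_BAD_BYTES)
    return root


if __name__ == "__main__":
    import sys

    # Usage: python ioc_scan.py [directory]  (defaults to the constructed demo tree)
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    iocs = KNOWN_BAD_MD5 | {DEMO_BAD_MD5}
    for path, digest in scan_tree(root, iocs):
        print(f"MATCH {digest}  {path}")
```

Run it with no arguments to see the constructed demo tree produce exactly one match; point it at a real download directory (with only `KNOWN_BAD_MD5`) to check for the article's sample.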

Topics: Security, Banking, Enterprise Software, Malware

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • Where is DeRSSS to tell us about weird URLs?

    Come on DeRSSS, just don't go to weird URLs that pretend to be PayPal URLs and you are fine. So this malware doesn't count, right? You have to be twice clueless to fall victim to this, right?

    No, something tells me DeRSSS will be silent on this one even though he has posted on other stories today.
    • That's exactly what the attackers want people to think.

      Just don't visit anything funny and you would be safe. The web has more than just some "ghetto neighborhoods" that you can just avoid. Social engineering is the penultimate in anti-security methods. You don't even have to visit web sites to get spam email. Infected drone computers called a botnet can send spam to thousands and thousands of email addresses even if these people never actually visited a nefarious website. Example: a friend of yours caught a worm while doing a non-nefarious web search to do a college paper. This worm then gets a hold of all the email addresses in your address book and starts spamming emails to these addresses. Using web email such as Yahoo or Gmail is not safer; in fact these are the services that attackers like to use when sending spam attacks. It's a numbers game. If a PayPal user is not aware of the ploy they will definitely click the link. It's not that people are dumb, just not informed. This is why spam email is so prominent. But it does not just stop at spam. Everything from "Winner" ad banners to "false virus scanners" are even used.
    • Sounds like toddytroll has a personal problem

      Especially when DeRSSS has nothing to do with the topic at hand.

      You can do a better troll than this. :p
  • I didn't spend that much

    The biggest clue they give you is that four or five of these arrive at a time. Doofuses.
    Robert Hahn
  • localized versions

    Since this year, localized versions of these PayPal mails are circulating. I got a hilariously badly translated email instructing me to update my PayPal account - in Dutch. If I translate it back to English, it reads:
    He brought attention that your PayPal account is outdated. This requires you as soon as possible your data. This update invoicing and statement on security from PayPal, is bound by regulations and conditions (TOS) to avoid fraude on our website. Please update your administration: if you update your administration can lead to suspension of your account.
    The link leads to a Dutch site