Malicious Code Phishing Alert: PayPal Traffic Redirection

Websense® Security Labs™ has received reports of a new attack that targets users of PayPal. The attack begins with a spoofed email phishing message that provides a link to download the executable "PayPal security tool" file. The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself. All future requests for '' will be transparently redirected to a phishing website. This same DNS server could also be used to redirect requests for additional websites, but it currently appears to only redirect ''.

The next time the user attempts to visit the PayPal website, they will instead arrive at a phishing site. The web address shown in the browser's toolbar will appear to be correct. Upon log in, the phishing site will request the user update their account. They are prompted to enter the following information: Name, Credit/ATM Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers.

The Trojan Horse is currently not detected by any anti-virus vendors. The malicious DNS server is hosted in Romania while the phishing server is hosted in India. Both were online at the time of this alert. Websense® - Security Labs Alert: PayPal Traffic Redirection

Linked by shanmuga Thursday, 3rd November 2005 10:09PM