Emails purporting to be from Paypal claim that the recipient has sent a payment to a person or vendor. The recipient is instructed to click a link to view or confirm transaction details.
The emails are not from Paypal and the claim that a payment has been sent from the recipient’s account is a lie. Links in the emails open compromised websites that harbour information-stealing malware.
Subject: You’ve sent a payment
You sent a payment Transaction ID: 4BK71319AT361831A
Dear PayPal Customer,
You sent a payment for 931.09 AUD to Ray [Surname Removed].
Please note that it may take a little while for your payment to appear in the Recent Activity list on your Account Overview. View the details of this transaction online
Your monthly account statement is available anytime; just log in to your account at [link removed]. To correct any errors, please contact us through our Help Centre at
Amount: 931.09 AUD
Sent on: 30 May 2012
Payment method Credit Card Payment
Subject: Receipt for your payment to AVG
You sent a payment of 90.00 USD to AVG.
This charge will appear on your credit card statement as payment to PAYPAL *AVGANTS
Seller AVG Technologies
Note to seller You haven’t included a note
. Description Unit price Qty Amount
AVG Anti-Virus 2012 45.00 USD 2 45.00 USD
Shipping and handling 0.00 USD
Tax 0.00 USD
Total 90.00 USD
Do you confirm this payment?
If this payment was not made by you please immediately take the following steps:
* Login to your account by clicking on the link below :
* Provide requested information to ensure you are the owner of the account
* After you did the previous steps the order will be cancelled.
* We will refund your money to you and the payment will deleted from transactions history.
According to these fraudulent emails, the recipient has recently sent a substantial payment via his or her Paypal account. Details in the scam emails vary, with some claiming that the money has been sent to purchase software or other items while others claim that the money has been sent directly to a named individual.
The messages are designed to look like genuine Paypal emails and include seemingly genuine Paypal logos and formatting. The emails use spoofed addresses to make it appear that they have been sent from Paypal.com.
However, the emails are not from Paypal and the claims that the recipient has sent a payment via Paypal are untrue. In fact, all links in the bogus emails open compromised websites that ask the user to wait while the page finishes loading.
But, alas, the Paypal website will not load as the user expects. Instead, the page will automatically redirect the visitor to another website that contains a version of the Blackhole Exploit Kit. BlackHole is a web application used by criminals to exploit browser vulnerabilities as a means of downloading and installing trojans and other types of malware.
The criminals responsible for this operation hope that at least a few recipients will be panicked into clicking the links in the bogus emails in the mistaken belief that their Paypal account or credit card has been compromised. If a recipient does fall for the ruse and follow one of the links, a trojan may be downloaded and installed on his or her computer. This trojan may monitor web browser use and collect usernames and passwords including online banking login details. This information can then be sent back to the criminals.
Online criminals have recently carried out a number of similar attacks with the aim of fooling users into visiting websites that host the BlackHole Exploit Kit. At the time of writing, bogus Verizon Wireless bills that lead to Blackhole Exploit Kit sites continue to be distributed.
Earlier in 2012, a series of malware emails purporting to be airline flight confirmation messages again pointed recipients to compromised sites that harboured BlackHole. And, in December 2011, fake Amazon.com order notifications were distributed that also contained links to BlackHole websites.
BlackHole is a widely used criminal toolkit and such attacks are likely to continue. Be very cautious about clicking links in emails, even if they appear to be legitimate. Some such attacks are quite sophisticated and it may be difficult – at least without careful examination – to tell the difference between a bogus email and a genuine notification.
Rather than click on email links, it is safer to open your browser and go to the service provider’s website directly by entering the web address. And, of course, always ensure that you have installed the latest security updates for your browser and operating system and have up-to-date antivirus and anti-malware protection on your computer.