Threat Outbreak Alert: Fake PayPal Account Verification E-mail Messages on March 31, 2010

 
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 19997
Version: 2
First Published: 2010 February 24 14:48 GMT
Last Published: 2010 April 01 13:17 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Harassment

Version Summary:

Cisco Security has detected significant activity on March 31, 2010.

 

Description
 

Cisco Security has detected significant activity related to spam e-mail messages that claim to contain information about the recipient's PayPal online payment service account.  The text in the e-mail message instructs the recipient to verify account details by following a link.  However, the link contains a malicious .scr file that, when executed, attempts to infect the recipient's system with malicious code.

E-mail messages that are related to this threat (RuleID2648 and RuleID2682) may contain the following file: updatePayPal.scr

The updatePayPal.scr file is 101,739 bytes in size.  The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xBD7E021C0C7E7EFB5B9A74D63AD1A92A

Another variant of the updatePayPal.scr file has a file size of 101,703 bytes and an MD5 checksum with the following string: 0x7AB4A0968D56B0EA2B8F86B4DEB63B48

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: Fwd: Update your PayPal account

Message Body:

Your account has been flagged!
PayPal Security Measures.
Dear PayPal Member,
Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your Paypal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your information at this time, please visit our secure server webform by clicking the hyperlink below:

Click here to verify your Information

If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.
Thank you for your patience as we work together to protect your account.

Please do not replay to this e-mail. To modify your notification preferences, log in to your PayPal account, click the Profile sub-tab, then click the Notifications link under Account Information. Changes may take up to 10 days to be reflected in our mailings. PayPal will not sell or rent and of your personally identifiable information to third parties. For more information about the security of your information, read our Privacy Policy at hxxps://www.paypal.com/privacy.
Copyright © 2009 PayPal Inc. All rights reserved. Designated trademark and brands are the property of their respective owners. PayPal is located at 2211 N. First St., San Jose, CA 95131.
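The indicators above (the subject line, the updatePayPal.scr attachment name, the two MD5 values and their file sizes) are what a mail-gateway or incident-response script would key on. The following triage routine is an added example, not Cisco or IronPort code: it parses an RFC 822 message, flags executable attachments and the outbreak subject, hashes each attachment and compares it against the alert's MD5 list (normalized to lowercase hex, without the 0x prefix), and uses the listed byte size as a secondary check on a hash hit. The extension list is an assumed local policy, and the sample message and attachment bytes are constructed for the demo, so they will not hash to either real indicator.

```python
"""Defender-side triage for the updatePayPal.scr outbreak (added example, not Cisco's code)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators quoted from the alert: MD5 (lowercase hex) -> file size in bytes.
KNOWN_MD5 = {
    "bd7e021c0c7e7efb5b9a74d63ad1a92a": 101739,
    "7ab4a0968d56b0ea2b8f86b4deb63b48": 101703,
}
# Subject fragment from the sample message, compared case-insensitively.
SUSPECT_SUBJECT = "update your paypal account"
# Assumption: a local policy list of attachment extensions that are never wanted inbound.
EXECUTABLE_EXTENSIONS = (".scr", ".exe", ".pif", ".com")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string, used only as a lookup key against the published IoCs."""
    return hashlib.md5(data).hexdigest()


def triage_message(raw: bytes) -> dict:
    """Return findings and a verdict (block / review / pass) for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject_match": False, "executable_attachments": [], "ioc_hits": []}

    subject = (msg["subject"] or "").lower()
    if SUSPECT_SUBJECT in subject:
        findings["subject_match"] = True

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings["executable_attachments"].append(name)
        digest = md5_hex(payload)
        if digest in KNOWN_MD5:
            # A hash hit is decisive; the size comparison is a sanity check on the sample.
            findings["ioc_hits"].append(
                {"file": name, "md5": digest, "size_ok": len(payload) == KNOWN_MD5[digest]}
            )

    if findings["ioc_hits"] or findings["executable_attachments"]:
        findings["verdict"] = "block"
    elif findings["subject_match"]:
        findings["verdict"] = "review"  # lure text without a payload: route to a human
    else:
        findings["verdict"] = "pass"
    return findings


def build_sample() -> bytes:
    """Constructed message mimicking the outbreak; the attachment is NOT real malware bytes."""
    msg = EmailMessage()
    msg["From"] = "service@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Fwd: Update your PayPal account"
    msg.set_content("Your account has been flagged!\nClick here to verify your Information\n")
    msg.add_attachment(
        b"MZ\x90\x00 placeholder bytes, not the real file",
        maintype="application",
        subtype="octet-stream",
        filename="updatePayPal.scr",
    )
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a text attachment, for contrast."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.\n")
    msg.add_attachment(b"agenda item 1\n", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample(), build_benign_sample()):
        print(triage_message(raw))
```

On a gateway, the same function would run over each inbound message and the `block` verdict would quarantine it; the `review` path keeps lure-only messages (no attachment, link-based variants of the same campaign) visible to analysts rather than silently dropped.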

Cisco Security analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide.  This data helps provide a range of information about and analysis of global e-mail security threats and trends.  Cisco will continue to monitor this threat and automatically adapt IronPort systems to protect customers.  This report will be updated if there are significant changes or if the risk to end users increases.

Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures.  E-mail that is managed by Cisco and end users who are protected by Cisco IronPort web security appliances will not be impacted by these attacks.  Cisco IronPort appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco Threat Operations Center
Cisco SenderBase Security Network

 
Alert History
 

Version 1, February 24, 2010, 9:48 AM: Cisco Security has detected significant activity on February 23, 2010.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.