A highly sophisticated PayPal email scam has been uncovered that is being used to deliver banking malware. Rather than promise the email recipient a sum of money or the opportunity to claim an inheritance from a long lost relative, this PayPal email scam claims a payment has been made to the victims account and that the money needs to be refunded.

The scam emails say that $100 has been fraudulently sent to the victims account and a refund is requested. The emails contain PayPal logos and appear to have been sent directly from PayPal. The emails appear to have been sent from the members@paypal.com email account. The message contains the subject line “You’ve got a money request”.

It is not clear how the attacker has managed to spoof the PayPal email account, or how the email manages to bypass the spam filter of Gmail.

If the victim responds to the email and makes the payment they will have lost $100; however, that is not all. The victim will also have malware loaded onto their computer. The malware will be loaded automatically regardless of whether the payment is made.

A link is contained in the email which the user must click to find out more about the transaction. The link contains a shortened URL and directs to a document detailing the transaction. The document has a goo.gl address and the link appears to be a jpeg image of the transaction details.

However, clicking the link will result in a javascript (.js) file being downloaded onto the victim’s computer. The script will download a flash executable file, which will install the malware if it is run.

Chthonic Banking Malware Delivered via PayPal Email Scam

The malware that is installed is a variant of the infamous Zeus banking malware – Chthonic. This malware has been programmed to inject its own code and images into banking websites. When the victim visits their online banking website the malware captures login names, passwords, PIN numbers, and answers to security questions. Many banking malware variants target a small number of financial institutions; however, Chthonic is capable of recording information entered into more than 150 different banking websites. Victims are primarily in the UK, US, Russia, Japan, and Italy.

Chthonic isn’t the only malware delivered. Researchers at Proofpoint have determined that an additional previously unknown malware variant called AZORult is also installed onto victims’ computers. Little is known about this new malware variant.