MiMail Variant Poses as Legit PayPal E-Mail

With more than mere reputation on the line, virus writers are using the MiMail worm as the basis for more advanced attacks aimed at identity theft.

Security experts said the latest MiMail-I variant — which spoofs official PayPal correspondence — began to spread early Friday morning, and while it is not considered a particularly dangerous outbreak, it does mark a troubling trend away from virus-writing notoriety and toward profit as the motivation for creating malicious software — or “malware.”

Virus writers, crackers and other digital infiltrators have long used tricks referred to as “social engineering” to convince users to divulge personal and sensitive data unwittingly, but the most recent MiMail worm — only the latest in a series of sophisticated attacks — displays just how authentic malicious software can appear to be.

“They are more difficult to spot, more carefully socially engineered and more carefully constructed, especially in banking theft,” iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.

Malware Masquerade

While the company had only blocked about 2,000 copies of MiMail-I as of Friday, MessageLabs CTO Mark Sunner told TechNewsWorld that the worm — which arrives as an e-mail attachment with a double extension that ends in “.asp.scr” or “.com.scr” — indicates a higher level of trickery.

Sunner said worms that steal passwords or more critical information are becoming more complicated and more convincing as they emulate corporate Web sites and communications.

The latest bogus e-mail — which triggers an attached program that displays a PayPal input window — features a PayPal logo and, in an effort to appear valid, warns recipients not to reply to the message with their sensitive personal information, which is sound security advice.

“To avoid any interruption in PayPal services then you will need to run the application that we have sent with this e-mail (see attachment) and follow the instructions,” the phony message states. “Please do not send your personal information through email, as it will not be as secure.”

Profit over Props

While the impersonation aspects of the worm mark a more sophisticated threat, security experts also indicated the MiMail variants represent a trend away from the traditional motivation of reputation and toward monetary enticement through identity theft.

“MiMail reveals a new and dangerous trend — a migration of motive away from notoriety toward criminal gain,” Dunham said. “Identity theft is a growing problem with the market for stolen credit cards emerging worldwide.”

Sunner said the current trend in identity theft scams is to introduce ever more complex computer code that is designed to capture individuals’ credit-card number, PIN, expiry date and even the three-digit security code information on the back of most credit cards.

Demand Trumps Deterrence

Dunham said the latest MiMail variant, which spreads by e-mailing copies of itself to e-mail addresses harvested from infected computers, continues a trend of “carefully planned, sequential attacks” that break from the tradition of copycat or script-kiddie viruses.

“When we talk about sequential, planned attacks on banking and identity theft, we’re talking about how the market is now growing for that information,” he said.

Dunham reported that four hard-coded e-mail addresses used to siphon credit-card information via the latest MiMail variant came from the Czech Republic and Moscow, Russia. He also said a recent bounty on virus writers issued by Microsoft might help deter lower-level virus writers, but that perpetrators who use malicious code for illegal profits are most likely undeterred by such efforts.

More To Come

Organizations were advised to filter against the MiMail variant file types (.asp.scr or .com.scr) and MIME data associated with the worm, but face a challenge because of the “inherent trust in clicking on links” in such cases, Dunham said.
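The filtering advice above can be implemented at the mail gateway by parsing each message's MIME structure and flagging attachments whose names carry the double extensions the article names. The following is an added example written for this page, not code from the article, iDefense or MessageLabs. It uses Python's standard `email` module; the function names, the sample message and the attachment names in it are constructed for illustration. It also goes a step beyond the article's two patterns by flagging any double extension whose final part is an executable type, which is the general form of the trick the article describes.

```python
import email
from email import policy
from email.message import EmailMessage

# The two attachment patterns the article says to filter for this MiMail variant.
BLOCKED_SUFFIXES = (".asp.scr", ".com.scr")

# Assumption (generalization beyond the article): any double extension that ends
# in one of these executable types is treated as suspicious as well.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "pif", "com", "bat", "cmd"}


def is_suspicious_attachment(filename):
    """Return True if the attachment name matches the worm's double-extension
    pattern, or more generally a double extension ending in an executable type."""
    if not filename:
        return False
    name = filename.strip().lower()
    if name.endswith(BLOCKED_SUFFIXES):
        return True
    parts = name.split(".")
    # base name + at least two extension parts = a double extension
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def flagged_attachments(raw_message):
    """Parse a raw RFC 822 message (bytes) and return the names of attachments
    that should be filtered."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if is_suspicious_attachment(fname):
            flagged.append(fname)
    return flagged


def build_sample_message():
    """Construct a sample message (not a real capture) with one attachment that
    follows the article's double-extension pattern and one harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "service@example.invalid"   # constructed sender address
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Important information about your account"
    msg.set_content("Please run the attached application and follow the instructions.")
    # constructed attachment bodies; only the names matter for this check
    msg.add_attachment(b"MZ\x90\x00 constructed bytes", maintype="application",
                       subtype="octet-stream", filename="InfoUpdate.asp.scr")
    msg.add_attachment(b"%PDF-1.4 constructed bytes", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return bytes(msg)


if __name__ == "__main__":
    print(flagged_attachments(build_sample_message()))
```

A gateway rule built this way catches the names regardless of the MIME type the sender declares, which matters because a `.scr` file shipped as `application/octet-stream` looks no different from any other binary attachment at the content-type level.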

IDefense found that the last “wave” of MiMail attacks began October 31 and resulted in at least six variants in three days, leading to industry-wide predictions about more variants to come.

“We’re going to see more of this masquerade attack because there’s a market for it and because of the variety of means that are very successful,” Dunham predicted. “If it works, we’ll see more of it from a broad range of attackers.”
