Mar 20, 2012

Your Account has been Limited! Identity Issue PP-658-119-347 - Phishing mail


Phishing email targeting PayPal customers to steal user account information.

Below is the mail I received today, which claims to be from PayPal. It says my PayPal account has been limited and, to restore account access, asks me to fill in the attached form.


The attached form “PP-658-119-347.htm” is an HTML file containing obfuscated JavaScript.


Deobfuscating it reveals the original script used to collect the user's personal information.



On opening the mail attachment, it displays a page resembling the PayPal profile update page. It is an HTML file carefully designed to look like PayPal. How do we know it is fake? You have not logged into any account with your credentials, yet a logout button is shown below as if you were logged in. Also, remember that you have opened an HTML file, not the real website: check your address bar.


It collects basic profile information along with your PayPal password. On the next page it checks which country you are from. If you are from the US you are prompted with an additional box asking for a “Social Security Number”; if from Sweden, it prompts for a “Personal identity number.” The extra field shown depends on the selected country.


Finally it asks you to enter credit/debit card information. It even validates the input fields: if you try to skip one or enter invalid data, it pops up an alert message.


So, where does it send this information? The answer can be found below. It POSTs the collected information to a remote site, which may itself be a compromised site. Once the account information has been collected, the attacker will use it.


Beware of these phishing email scams and avoid entering your personal information when prompted through email. Always go directly to the trusted, secure site to update your personal and financial information.

Mar 9, 2012

Windows Personal Doctor – FAKE AV a new variant of Windows Personal Detective/ Windows Basic Antivirus


Windows Personal Doctor is the latest rogue security product spreading across the internet. Once a system is infected with this Fake AV, it terminates running instances of several security-related processes and displays annoying fake alerts saying the system is infected. Fake AVs like this are usually distributed through malicious domains; here the domain is security-safe-2012-ddgfdgff.info/cba49fa4efefc673/setup.exe. This 'setup.exe' is an archive containing the file '4fpx4r7s6b2f184.exe', which you can extract using 7-Zip. '4fpx4r7s6b2f184.exe' is in turn a password-protected archive containing the original malware "Filesystemscan.exe". The malware uses multiple layers of packaging to evade signature detection.

Filename: Setup.exe
MD5: AC0B10D6D112357731760EDAED700AEF
SHA-1: 17A1C899A0973BDDFEC0AA7A872720C75191390E

Filename: Filesystemscan.exe
MD5: 35A925E1586B5413932651E82F559EDF
SHA-1: B89A960E739DAC209F6E2F91EC8D5A1367BDAE6C


“Filesystemscan.exe”, upon execution, makes the following system changes:

C:\Documents and Settings\Administrator\Application Data\Protector-yiw.exe
C:\Documents and Settings\Administrator\Application Data\result.db
C:\Documents and Settings\Administrator\Desktop\Windows Personal Doctor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Windows Personal Doctor.lnk

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableRegedit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System   DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Run   Inspector   \Application Data\Protector-yiw.exe

It disables the Windows Defender service (WinDefend) and the Microsoft Protection Service (msmpsvc). It also prevents the user from running several security tools on the infected PC.
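The file, registry and service changes listed above can be checked for on a suspect machine. The following PowerShell script is an added example, not part of the original post: it looks for the three policy values, the "Inspector" Run entry, the dropped files and the stopped services. It assumes the "Protector-yiw.exe" name varies per infection (hence the wildcard) and that "Application Data" maps to the current user's roaming AppData folder on newer Windows versions.

```powershell
# Added check (not from the original post): reports which of the
# Windows Personal Doctor indicators listed above are present.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings  = @()

# Policy DWORDs the rogue sets to lock the user out of regedit and Task Manager
foreach ($name in 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr') {
    $prop = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($prop -and $prop.$name -ne 0) {
        $findings += "Policy value $name = $($prop.$name)"
    }
}

# Run entry named "Inspector" pointing at the dropped Protector-*.exe
# (assumption: the "yiw" suffix is random, so match any suffix)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Inspector']) {
    $target = $run.Inspector
    if ($target -match 'Protector-[A-Za-z0-9]+\.exe') {
        $findings += "Run entry Inspector -> $target"
    }
}

# Dropped files under the profile's Application Data folder
$appData = [Environment]::GetFolderPath('ApplicationData')
foreach ($file in (Get-ChildItem -Path $appData -Filter 'Protector-*.exe' -ErrorAction SilentlyContinue)) {
    $findings += "Dropped file $($file.FullName)"
}
$resultDb = Join-Path $appData 'result.db'
if (Test-Path $resultDb) {
    $findings += "Dropped file $resultDb"
}

# Services the post says the rogue disables
foreach ($svc in 'WinDefend', 'msmpsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "Service $svc is $($s.Status)"
    }
}

if ($findings.Count -eq 0) {
    'No Windows Personal Doctor indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A stopped WinDefend or msmpsvc on its own is weak evidence (either may simply be absent or replaced by another product), so weigh the policy values and Run entry more heavily.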


It runs a fake scan of the system and reports that infections have been identified, but it is all fake: the results are designed so that people fall prey to it. To make the user believe it, it imitates some legitimate system functions such as Service Manager, Autorun (Startup) Manager, Process controller, etc.


The results seen above are predefined; they are read from the file result.db and displayed. We already know result.db is dropped by this Trojan, so it is all fake, meant to trick you into buying the rogue product. Below is the hex view of result.db showing the data used to populate the fake results.


When you try to get rid of the infection by clicking Remove All, or click anywhere on the rogue program, you are only prompted with a window to activate the product.


Never enter your personal details when prompted by these rogue products; you will lose your money. Below is the fake payment window used by the Trojan to collect the user's credit card and personal information.


Sites contacted by this Trojan:
http://galaint.online-secure-pay.info
http://online-secure-pay4.info/service/