
Monday, 11 November 2013

"Identity Issue #PP-716-097-521-587" spam / Identity_Form_04182013.zip

For some reason EXE-in-ZIP attacks are all the rage at the moment; here is a fake spam pretending to be from PayPal with a malicious attachment:

Date:      Mon, 11 Nov 2013 19:14:10 +0330 [10:44:10 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-716-097-521-587

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-D503YC19DXP3

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

PayPal Email ID PP51954

Attached is a file Identity_Form_04182013.zip, which in turn contains Identity_Form_04182013.exe, which, as you might guess, is malicious. VirusTotal detections are 16/47, and automated analysis [1] [2] shows an attempted connection to trc-sd.com, which is the same domain seen in this attack.
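As an added defender-side example (not code from the original post), here is a Python check that opens ZIP attachments in a raw .eml and flags any member that is an executable, either by a Windows-executable extension or by the PE "MZ" magic bytes hiding behind a harmless-looking name. The sample message is constructed for the demo and only reuses the attachment and file names from the spam above; the sender address and subject are likewise copied from the headers shown.

```python
import io
import zipfile
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; a "form" with one of these is a red flag.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")

def build_sample_eml() -> bytes:
    """Constructed sample (not the original spam): a ZIP holding a fake 'form' that is a PE file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Identity_Form_04182013.exe", b"MZ" + b"\x00" * 62)  # MZ = PE magic
        zf.writestr("readme.txt", b"just text")  # benign member, must not be flagged
    msg = EmailMessage()
    msg["From"] = "Payroll Reports <payroll@quickbooks.com>"
    msg["Subject"] = "Identity Issue #PP-716-097-521-587"
    msg.set_content("Please complete the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Identity_Form_04182013.zip")
    return msg.as_bytes()

def find_executables_in_zip_attachments(raw: bytes) -> list:
    """Return (attachment, member, reason) for ZIP members that look executable.
    Only the first two bytes of each member are decompressed, so a large or
    nested archive is not fully expanded just to be checked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data or not data.startswith(b"PK"):
            continue  # not a ZIP; other container formats are out of scope here
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            continue
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                magic = member.read(2)
            if info.filename.lower().endswith(EXEC_EXTS):
                hits.append((part.get_filename(), info.filename, "executable extension"))
            elif magic == b"MZ":  # PE header hiding behind a harmless-looking name
                hits.append((part.get_filename(), info.filename, "PE magic bytes"))
    return hits
```

Feed it the raw bytes of a quarantined message; anything it returns is worth blocking at the gateway rather than relying on the 16/47 AV coverage mentioned above.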
