FI Fraud: Phishing scam targets PayPal customers, includes malware payload

A phishing scam targeting customers of payment services provider PayPal is being distributed in an e-mail that carries a malware attachment.

e-mail purportedly from: services@paypal.com

e-mail address shown: notice@ppl.com

Subject: You have added a new e-mail address for your PayPal account.

Body:

Dear PayPal customer,

You have added karenking06@btinternet.com as a new email address for your PayPal account.

If you did not authorize this change, check with family members and others who may have access to your account first. If you still feel that an unauthorized person has changed your email, submit the form attached to your email in order to keep your original email and restore your PayPal account.

If you are using Internet Explorer please allow ActiveX for scripts to perform all data transfers securely.

Thank you for banking with PayPal.

Please do not reply to this email.
This mailbox is not monitored and you will not receive a response.

----------------------------------------------------------------------------------------

Programs and data held on this system belong or are licensed to PayPal. It is an offence to access the programs and data unless you are doing so through your own account using the Passwords and User ID issued to you by PayPal in an authorised manner and in accordance with all applicable laws.

---------------------

CoNet Comment:

The form attached to the mail contained a virus.

The message included the following malware, as reported by AVG:

Viruses found in the attached files.
* Secure_Form.html: Virus identified JS/Phish.

The mail is sent as HTML (in Microsoft's terms, "rich text") mail. This means that code embedded in the message can run when the message is opened, or even when it is only visible in the preview window of an e-mail client. We understand that autorun and autodownload do not operate in messages viewed as plain text (but readers should check with their own IT departments). In this case, the virus was not in the body of the message but in the attachment, and it will launch when the attachment is opened.

Note that the mail appears to be targeting UK users of PayPal (BTInternet is a mail service from a UK ISP) but that it appears to have been modified from a non-UK version (-ize and -ise word endings are both used).
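
The two traits noted above (a displayed sender address that does not match the purported PayPal address, and an HTML attachment carrying active content) can be checked mechanically before a message reaches a user. The following Python sketch is an added example, not part of the original report or of any AVG or PayPal tooling. The sample message is constructed, placing the two addresses in the From and Sender headers is an assumption, and `triage` and `domain` are hypothetical helper names.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample (not the original mail). Addresses and attachment name come
# from the report; putting them in From/Sender is an assumption.
SAMPLE = """\
From: services@paypal.com
Sender: notice@ppl.com
Subject: You have added a new e-mail address for your PayPal account.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear PayPal customer,</p></body></html>
--b1
Content-Type: text/html; name="Secure_Form.html"
Content-Disposition: attachment; filename="Secure_Form.html"

<html><form action="http://example.invalid/"><script>/* constructed */</script></form></html>
--b1--
"""

ACTIVE = re.compile(r"<\s*(script|form|iframe|object)\b", re.I)  # active-content tags

def domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (hypothetical helper)."""
    msg = message_from_string(raw)
    findings = []
    from_dom, sender_dom = domain(msg["From"]), domain(msg["Sender"])
    if sender_dom and sender_dom != from_dom:
        findings.append(f"sender-mismatch:{from_dom}!={sender_dom}")
    for part in msg.walk():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if part.is_multipart() or not is_html:
            continue
        text = part.get_payload(decode=True).decode("latin-1")
        tags = sorted({t.lower() for t in ACTIVE.findall(text)})
        if tags:
            where = f"attachment:{name}" if name else "body"
            findings.append(f"active-html-{where}:{','.join(tags)}")
    return findings
```

Calling `triage(SAMPLE)` reports both the sender mismatch and the scripted form attachment, while the plain HTML body part produces no finding.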
