HTML/Pay.V20!phish

Analysis

  • Arrives as a HTML email with a varied subject line. An example of the subject line is as follows:
    PayPal Notification ( Your account is suspended )
  • The email contains an official looking message. The source of the message is supposedly from PayPal itself.
  • Inside the official looking message will be a hyperlink that, on the surface, looks like it points to the actual PayPal web site. This link only looks that way -- underneath it points to a different web site altogether.
  • When the link is clicked, a browser window opens and takes the user to a website hosted at an IP address different from the one the user expects.
  • At this site the user is presented with an official-looking login form asking for the Email Address and Password associated with the PayPal account.
  • If the user enters their PayPal account data, the information is recorded and transferred to a malicious third party.
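The deceptive-hyperlink step above (visible link text naming PayPal while the href points elsewhere) is mechanically detectable in the message body. The following is an added example, not part of this encyclopedia entry or any Fortinet product: it parses the anchors in an HTML email and flags those whose displayed text names a domain that does not match the host the href actually resolves to. The sample message, the `192.0.2.10` address (RFC 5737 documentation range) and the helper names are all constructed for the demonstration.

```python
"""Flag <a> elements whose visible text names one domain while the href points to another.

Added example for the phishing pattern described above; not code from the
encyclopedia entry. Sample input and helper names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token in visible text, e.g. "www.paypal.com" or "https://paypal.com/signin".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last-two-labels heuristic (no public suffix list); adequate for this demonstration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return (visible_text, href) pairs where the text names a domain the href does not go to.

    Anchors whose visible text is plain words ("Unsubscribe") are skipped: there
    is no claimed destination to compare against. A raw IP address in the href
    never matches a branded display domain and is therefore always flagged.
    """
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = HOST_RE.search(text)
        if not match:
            continue
        shown = registrable_domain(match.group(1))
        actual_host = urlparse(href).hostname or ""
        if not actual_host or registrable_domain(actual_host) != shown:
            findings.append((text, href))
    return findings


# Constructed sample message modelled on the lure described in the entry.
SAMPLE_EMAIL = """
<html><body>
<p>PayPal Notification ( Your account is suspended )</p>
<p>Please <a href="http://192.0.2.10/pp/login.htm">https://www.paypal.com/signin</a> to restore access.</p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p><a href="https://example.net/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"display text {text!r} but href goes to {href!r}")
```

Only the first anchor is reported: its text claims `paypal.com` while the href resolves to a bare IP address. The second anchor's text and href agree, and the third has no domain in its visible text to compare. A mail gateway rule built on this check should still treat the result as one signal among several, since legitimate tracking redirectors also produce text/href mismatches.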

Recommended Action

  • Don't click on hyperlinks to financial institutions in email messages - always open a new browser window and navigate to the financial institution by typing in its web address.
    FortiGate systems:
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
