According to researchers, emails with malicious attachments significantly rose in the first quarter of 2016 compared to the same time period in 2015.
This rise of email as a vector suggests that criminals are shifting away from malicious website infections because web browser security has steadily improved. Old web plugin standards, like Flash and Java, that used to be gateways for attacks are slowly being phased out, and browsers now ship with built-in safe browsing and anti-phishing mechanisms.
Because of this change in web browser security, criminals are constantly looking for new ways of infecting victims.
One novel way, as security researchers at Proofpoint found out, is to conceal malware within legitimate emails from PayPal, a popular online payment system. If you are a PayPal user, look out!
The scary part about this new method is that the emails are not flagged by antivirus and antimalware software because they are authentic emails from PayPal. Proofpoint suspects that attackers are using registered PayPal accounts to execute this scheme, exploiting PayPal's feature that allows users to add a note when sending a money request email.
This is how it works. The attacker sends a money request through PayPal with a note pointing to a malicious link. PayPal itself then sends the email to the targeted user. The email is neither flagged nor blocked because it legitimately comes from PayPal. If the victim falls for it and clicks the link, they are redirected to a non-PayPal website that hosts the malware.
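Since the message really does come from PayPal, sender authentication alone cannot catch this; the useful check is whether a PayPal-originated message links anywhere outside PayPal's own domains. The following is an added example (not code from Proofpoint or PayPal) that applies that heuristic to a raw message; the PayPal domain list, the sample message and the placeholder link domain are all constructed for illustration, and it assumes SPF/DKIM alignment of the sender has already been verified upstream.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed set of domains a genuine PayPal money request is expected to link to.
PAYPAL_DOMAINS = ("paypal.com", "paypal.me")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _is_paypal_host(host: str) -> bool:
    """True for paypal.com, www.paypal.com, etc.; False for look-alikes like paypal-verify.example.net."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PAYPAL_DOMAINS)


def suspicious_links(raw_message: bytes) -> list:
    """Return URLs in a PayPal-originated message that point off PayPal's domains."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1]
    # The heuristic only applies to mail that (authentically) comes from PayPal.
    if not _is_paypal_host(sender.rpartition("@")[2]):
        return []
    text = "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )
    flagged = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # trailing punctuation from the surrounding prose
        host = urlparse(url).hostname or ""
        if not _is_paypal_host(host):
            flagged.append(url)
    return flagged


# Constructed sample: a money request whose note carries a link to a non-PayPal site.
SAMPLE = b"""From: PayPal <service@paypal.com>
To: victim@example.com
Subject: Money request
Content-Type: text/plain; charset=us-ascii

Someone sent you a money request for $100.00.
Note: Unauthorized activity was detected. Review it at https://www.paypal.com/myaccount/
and download the statement at http://paypal-verify.example.net/invoice.
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE))  # ['http://paypal-verify.example.net/invoice']
```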
"In a double whammy, the recipient here can fall for the social engineering and lose $100, click on the link and be infected with malware, or both."
The researchers also note that the malware delivered this way, Chthonic, downloads another malware payload, "AZORult," after execution. Proofpoint is currently investigating this previously undocumented malware.
Is there cause for concern for PayPal users? Proofpoint says that although the attack is not widespread yet (the malicious link has only 27 clickthroughs according to Google Analytics), the technique is "both interesting and troubling."
Users without any anti-malware software that protects against malicious links could be highly affected. The social engineering aspect of the attack, disguising an extortion attempt as a legitimate email, is another cause for concern.
Proofpoint says it has informed PayPal of this new method of attack, so hopefully it will be contained soon.