MiMail Variant Poses as Legit PayPal E-Mail

With more than mere reputation on the line, virus writers are using the MiMail worm as the basis for more advanced attacks aimed at identity theft.

Security experts said the latest MiMail-I variant -- which spoofs official PayPal correspondence -- began to spread early Friday morning, and while it is not considered a particularly dangerous outbreak, it does mark a troubling trend away from virus-writing notoriety and toward profit as the motivation for creating malicious software -- or "malware."

Virus writers, crackers and other digital infiltrators have long used tricks referred to as "social engineering" to convince users to divulge personal and sensitive data unwittingly, but the most recent MiMail worm -- only the latest in a series of sophisticated attacks -- displays just how authentic malicious software can appear to be.

"They are more difficult to spot, more carefully socially engineered and more carefully constructed, especially in banking theft," iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.

Malware Masquerade

While the company had only blocked about 2,000 copies of MiMail-I as of Friday, MessageLabs CTO Mark Sunner told TechNewsWorld that the worm -- which arrives as an e-mail attachment with a double extension that ends in ".asp.scr" or ".com.scr" -- indicates a higher level of trickery.

Sunner said worms that steal passwords or more critical information are becoming more complicated and more convincing as they emulate corporate Web sites and communications.

The latest bogus e-mail -- which triggers an attached program that displays a PayPal input window -- features a PayPal logo and, in an effort to appear valid, warns recipients not to reply to the message with their sensitive personal information, which is sound security advice.

"To avoid any interruption in PayPal services then you will need to run the application that we have sent with this e-mail (see attachment) and follow the instructions," the phony message states. "Please do not send your personal information through email, as it will not be as secure."

Profit over Props

While the impersonation aspects of the worm mark a more sophisticated threat, security experts also indicated the MiMail variants represent a trend away from the traditional motivation of reputation and toward monetary enticement through identity theft.

"MiMail reveals a new and dangerous trend -- a migration of motive away from notoriety toward criminal gain," Dunham said. "Identity theft is a growing problem with the market for stolen credit cards emerging worldwide."

Sunner said the current trend in identity theft scams is to introduce ever more complex computer code that is designed to capture individuals' credit-card number, PIN, expiry date and even the three-digit security code information on the back of most credit cards.

Demand Trumps Deterrence

Dunham said the latest MiMail variant, which spreads by e-mailing copies of itself to e-mail addresses harvested from infected computers, continues a trend of "carefully planned, sequential attacks" that break from the tradition of copycat or script-kiddie viruses.

"When we talk about sequential, planned attacks on banking and identity theft, we're talking about how the market is now growing for that information," he said.

Dunham reported that four hard-coded e-mail addresses used to siphon credit-card information via the latest MiMail variant came from the Czech Republic and Moscow, Russia. He also said a recent bounty on virus writers issued by Microsoft (Nasdaq: MSFT) might help deter lower-level virus writers, but that perpetrators who use malicious code for illegal profits are most likely undeterred by such efforts.

More To Come

Organizations were advised to filter against the MiMail variant file types (.asp.scr or .com.scr) and MIME data associated with the worm, but face a challenge because of the "inherent trust in clicking on links" in such cases, Dunham said.

IDefense found that the last "wave" of MiMail attacks began October 31 and resulted in at least six variants in three days, leading to industry-wide predictions about more variants to come.

"We're going to see more of this masquerade attack because there's a market for it and because of the variety of means that are very successful," Dunham predicted. "If it works, we'll see more of it from a broad range of attackers."