I'm asking this question out of curiosity; I haven't fallen victim to this, I'm just interested in what it does.
Today I have received an email from the "Paypal Security Team":
After closely monitoring a number of unusual activities from your account, we decided to limit the access in the account.
Before we can restore your account back to normal, we need to get some information from you.
Please download and open the attachment file from this email. Furthermore, we ask that you complete the form that we have provided.
After doing so, we are then going to review your information and take the necessary steps to remove the limitations. Please understand that Account Limitations are applied to help keep you protected.
We apologize for the inconvenience.
Here are the headers, with the IP of my email server removed because it's actually my own, private server:
From - Sun Sep 25 18:09:24 2016
X-Account-Key: account1
X-UIDL: 1:2267
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <email@example.com>
Received: from 18.104.22.168 (22.214.171.124) (HELO hallym.ac.kr) by <myserver> (<myserverip>) with SMTP id c2fb6dfb1b98664f; Sun, 25 Sep 2016 17:59:59 +0200
Received: from 126.96.36.199([188.8.131.52]) by hallym.ac.kr with SMTP id 160926005835170B; Mon, 26 Sep 2016 00:58:35 +0900
From: PayPal Security Team <firstname.lastname@example.org>
Subject: Suspicious activity
MIME-Version: 1.0
Message-ID: <email@example.com>
Content-Type: multipart/mixed; boundary="9bc43cfe03082750b916b2a227e24d86"
The message had a single attachment, an HTML file - this is the "form" mentioned in the message. In actuality, it's some sort of obfuscated JS code; I'm quite curious to find out what it does. It's available here; sorry that I link to an external source, but this is quite long. Presumably the user was supposed to open the file in their browser, which would execute the JS code and do something nasty.
I've tried to report this issue to PayPal, but "the page wasn't found".
What's slightly alarming about this is that I do possess a PayPal account, and that it is registered to the email address this message was sent to.
The interesting thing about the domain is that it seems to be very old:
Updated Date: 07-oct-2015
Creation Date: 01-dec-2003
Expiration Date: 01-dec-2016
I've checked a few whois databases, with similar results.
What does this do?
Of the several I tried, that was the best because it gave me an actual result. The code takes the very long string - and runs it through the 2 functions which decode it into a new web page. Paste the whole thing into the site listed and you will see the HTML that it produces.
Incidentally, you can do this for yourself too if you are careful by running all but the final line in Node.JS.
It is hard to see what the resulting page actually does; it appears to be trying to look like a genuine PayPal page. I'd need to spend longer looking at it to work it out. I think it is safe to assume, though, that it is nothing good.
You could always try running it in a throw-away VM if you like to find out what it does.
Is this a new attack?
Who knows! And who really cares. These kinds of things change a thousand times a day, often with small variations to throw off the scent of the anti-virus bloodhounds.
How can I report this to PayPal?
You should find a reporting link on the PayPal site but if that isn't working, I recommend a direct message on Twitter.
How come this was sent to an email address that's actually bundled to a PayPal account? Has there been a leak of some sort? Is this a coincidence?
Coincidence most likely. PayPal certainly had some issues with leaked email addresses some years ago at the start but nothing since as far as I am aware.
If you want to avoid this kind of thing or at least make any issues more obvious, choose an email provider that allows either unlimited mail addresses via a catch-all (less common these days due to spam volumes) or allows you to add a modifier to the address.
For example if your email address is "firstname.lastname@example.org", it would allow (and gmail does indeed allow) "email@example.com" with the "+" sign separating your actual address from the modifier.
Then every time you sign up for something, use a different modifier; you will still see all your email in one place, but you will quickly see if one of your addresses has been compromised and can then filter it out.