Scammers Using Genuine PayPal Emails to Spread Banking Malware

Another day another PayPal scam — This time, it’s highly sophisticated and comes from a genuine PayPal email address!

PayPal, like other financial institutions, is a favorite target of scammers, crooks and cyber criminals. Recently there has been an increase in PayPal-related phishing scams, but now researchers have also identified criminals using PayPal’s legitimate emails to spread the dangerous Chthonic banking trojan.

The campaign was exposed by researchers at IT security company Proofpoint, who found that unknown cyber criminals are using genuine PayPal emails not only to scam money out of innocent users but also to install banking malware on their devices.


It starts with users receiving an email from the [email protected] email address alerting them about a supposed unauthorized transaction of $100 from a PayPal user who wants the money back. The email comes with the subject line “You’ve got a money request,” while its content contains a Google URL shortener link which the user has to click in order to return the “unauthorized transaction.”

[Image: screenshot of the money-request email. Source: ProofPoint]

Upon clicking the link, a JavaScript file named “paypalTransactionDetails.jpeg.js” is downloaded to the victim’s device; at the same time it also downloads a Flash executable file which, when clicked, installs Chthonic banking malware, a variant of the Zeus banking Trojan.
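The lure described above combines three signals a mail gateway or SOC triage script can check for: a money-request subject line, a link hidden behind a URL shortener, and a downloaded file whose name pairs a decoy extension (.jpeg) with a script extension (.js). The following added example is not from the article or from Proofpoint; it runs the three heuristics over a constructed sample message, and the shortener list and extension sets are assumptions chosen for illustration.

```python
"""Triage heuristics for money-request lures: flag URL-shortener links,
double-extension script filenames and the lure subject. Sample messages
below are constructed for this example and are not real campaign data."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Shortener hosts often used to hide the real download location.
# goo.gl was Google's shortener; the others are assumed for the example.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Extensions that execute when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                   "exe", "scr", "bat", "cmd", "ps1"}

# Extensions used as a decoy in front of a script extension (image.jpeg.js).
DECOY_EXTS = {"jpeg", "jpg", "png", "gif", "pdf", "doc", "docx", "txt"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def double_extension_risk(filename):
    """True for names like 'x.jpeg.js' (decoy extension followed by a script one)."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, final = parts
    return decoy in DECOY_EXTS and final in EXECUTABLE_EXTS


def shortener_urls(text):
    """Return every URL in the text whose host is a known shortener."""
    return [u for u in URL_RE.findall(text)
            if urlparse(u).hostname in SHORTENER_HOSTS]


def triage_message(raw_message):
    """Parse an RFC 822 message and return a list of (finding, detail) tuples."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        # Attachment names are checked for the decoy.script pattern.
        name = part.get_filename()
        if name and double_extension_risk(name):
            findings.append(("double-extension attachment", name))
        # Plain-text bodies are scanned for shortener links.
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            for url in shortener_urls(body):
                findings.append(("shortener link", url))
    # A money-request subject combined with any risky content is the lure itself.
    subject = msg.get("Subject") or ""
    if "money request" in subject.lower() and findings:
        findings.append(("money-request lure", subject))
    return findings


# Constructed sample: mimics the lure shape, using reserved example domains.
SAMPLE_EMAIL = """\
From: PayPal <service@paypal.example>
To: victim@example.net
Subject: You've got a money request
Content-Type: text/plain; charset="utf-8"

A PayPal user says you made an unauthorized transaction of $100 and wants it back.
Return the funds here: https://goo.gl/ExAmPlE
"""

# Constructed sample of a benign notification linking straight to the site.
CLEAN_EMAIL = """\
From: PayPal <service@paypal.example>
To: victim@example.net
Subject: Your receipt
Content-Type: text/plain; charset="utf-8"

View your receipt at https://www.paypal.example/activity
"""

if __name__ == "__main__":
    for kind, detail in triage_message(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
    print("clean message findings:", triage_message(CLEAN_EMAIL))
    print("paypalTransactionDetails.jpeg.js risky:",
          double_extension_risk("paypalTransactionDetails.jpeg.js"))
```

The filename check is useful beyond mail: the same `double_extension_risk` test can be applied to proxy download logs or endpoint file-creation events, which is where the file in this campaign actually appears, since it is fetched via the link rather than attached.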

ProofPoint further revealed that the command and control (C&C) server for this instance is kingstoneviktecom. We at HackRead did some social engineering and found out that the domain is owned by someone by the name of Marina Zhelyabina from Russia. However, the most important finding in ProofPoint’s research is that the firm has also identified a previously undocumented malware dubbed “AZORult,” which is still under investigation, as there was no sign of this malware anywhere before.

What we don’t know: 

It is unclear how the scammers are sending emails from legitimate PayPal email addresses. The aforementioned email was sent to a Gmail user, and it is obvious that Gmail’s phishing filter failed to detect any wrongdoing. It is possible that the sender is using a fake email generator, but usually such emails are easily detected by services like Gmail and marked as dangerous.

PayPal users, you are always a target, so be careful:

PayPal users, keep an extra eye on emails you receive from unknown senders, and in the event you receive such an email, avoid clicking on links inside its content and NEVER download the attached files. Always log in through PayPal’s official app and website, as shown in the image below:


ProofPoint is the same firm that previously exposed several high-profile phishing and malware espionage campaigns, including a fake Pokemon Go app containing a RAT, Operation C-Major where Pakistani hackers were found spying on Indian military employees, malware-infected Bible and Quran apps, the “GreenDispenser” ATM money-stealing malware, phishing emails hacking routers, and Outlook users being targeted with a phishing scam in Russia.


We recommend reading more on this PayPal scam on ProofPoint’s website.
