Money mules and more... 

Oct 02, 2007 03:00 AM

A few weeks ago I posted an entry about how malicious software was using stolen personal information to send spam which made users believe in its authenticity. Recently, we've acquired another email claiming to come from an employer who has found a resume matching an open position in their company. Again, looking at the job profile it seems very lucrative with slim to no work involved.

The position is that of a PayPal Account Manager. The only real requisite for this job is the possession of a valid PayPal account with a verified bank account. The position description even mentions that personal data such as one’s Social Security number and passwords are not going to be asked for.

[Image: Pseudo PayPal Account Manager opening]


As some of you may have guessed, the malware authors are seeking money mules for their illegal activities.

We followed the link in the job description (in a secure computing environment) and were led to a form which asked for basic information such as name, address, etc. It did, specifically, ask for the applicant's email address that was associated with his or her PayPal account. No password was demanded. Strange? A few hours after you submit the form, you receive an email claiming to come from PayPal. This is clearly a phishing email and requires you to follow a link provided in the mail to validate your account with PayPal. Once you visit the site, hosted in San Salvador, you're required to log in with your PayPal account information, following which your credit card information is requested in the name of 'validation'. As one would expect, once you put your credit card information into the form and submit it, the information has now been made available to folks in some other part of this world.

[Image: Mock PayPal verification screen]


The website for the alleged employer says that their company assists people in countries without access to PayPal. The site contains a 'Documents' section which linked to an agreement between employees and their company. I looked into the agreement and it didn't say anything much apart from what was already on the site. It did, however, contain the address of the company.

I looked up the address on my favorite search engine and I saw at least four unique companies leading to exactly the same designed site. Everything up to the typo shown below was mirrored across the different company sites. They also led to the same agreement document under their sites. The only difference in the document was the physical address on page one. Even though the address on all these companies is the same, the sites are registered under users from the US, Russia and San Salvador.

[Image: “Lern” more about PayPal at a phishing site]


We're certain that these sites were registered using phony information and the computers most probably used some form of a proxy before registering the sites. As a safe browsing practice, readers are advised to never visit financial Web sites or Web sites containing their personal and private information by following links.
