New worm no pay pal


Another variant of the MiMail worm that last appeared late October broke out on Friday disguised as a message from online payment vendor PayPal. It tries to fool users into disclosing credit-card information.


Dubbed MiMail.I by most security vendors and MiMail.H by Symantec, the worm masquerades as an e-mail from PayPal, an e-payment system often used on online auction sites such as eBay.


The bogus PayPal message has 'Your PayPal.com account expires' in the subject line, then asks the recipient to enter the credit-card number associated with his or her PayPal account.


'If you do not update your information with our secure application within the next five business days then we will be forced to deactivate your account and you will not be able to use your PayPal account any longer,' the message reads.


A pop-up window then appears on the user's screen, showing a form with fields for entering the credit-card number, the card's PIN and the card's three-digit security code.

If users enter credit card data, the MiMail worm transmits it as a file to one of four e-mail addresses hard-coded in the worm.


Two of the addresses are hosted in Moscow, Russia, and two in the Czech Republic. According to Craig Schmugar, a virus research engineer with Network Associates, those addresses are being closed.

Other security technicians noted that MiMail, which most recently bombarded e-mail users with worms tucked into compressed .zip files--a file type that many organisations and users assume is safe--is one of the more aggressive attacks of the year.
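The lure described above has a small set of fixed indicators: the quoted subject line, a sender that claims to be PayPal, a deadline-and-deactivation threat, and (in the earlier variants) a .zip attachment. As an added example, not code from the article or from any vendor it quotes, the following Python routine turns those indicators into a mail triage check and runs it over constructed sample messages. The sender names, addresses, domains and the `form.zip` filename in the samples are assumptions, not captured copies of the worm; the attachment-extension list is a generic check rather than something the article states about MiMail.I.

```python
"""Triage check for the PayPal-themed MiMail.I lure (added example)."""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

# Indicators drawn from the article's description of the lure.
KNOWN_SUBJECT = "your paypal.com account expires"
URGENCY_PHRASES = ("five business days", "deactivate your account")
IMPERSONATED_BRAND = "paypal"
LEGIT_DOMAINS = {"paypal.com"}
# Generic check (assumption, not from the article): earlier MiMail variants
# travelled as .zip attachments, so archives and executables are worth a look.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif")


def triage(raw_message: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like the PayPal lure.

    An empty list means no indicator fired.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons: list[str] = []

    # 1. Subject line quoted in the article.
    subject = str(msg["Subject"] or "").strip().lower()
    if KNOWN_SUBJECT in subject:
        reasons.append("subject matches known lure")

    # 2. Brand impersonation: display name or address says PayPal, but the
    #    sending domain is not one PayPal actually uses.
    display_name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    claims_brand = IMPERSONATED_BRAND in (display_name + " " + addr).lower()
    if claims_brand and domain not in LEGIT_DOMAINS:
        reasons.append(f"sender claims PayPal but domain is {domain or 'missing'}")

    # 3. Deadline-and-deactivation wording in the body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency wording: " + ", ".join(hits))

    # 4. Attachments whose extension carries code or an archive.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {name}")

    return reasons


# Constructed samples; addresses, domains and the filename are assumptions.
LURE = """\
From: PayPal <service@mail.example.net>
To: victim@example.com
Subject: Your PayPal.com account expires
Content-Type: text/plain

If you do not update your information with our secure application within the
next five business days then we will be forced to deactivate your account.
"""

ZIP_LURE = """\
From: "PayPal Security" <update@example.org>
To: victim@example.com
Subject: Your PayPal.com account expires
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form within five business days.

--b1
Content-Type: application/zip; name="form.zip"
Content-Disposition: attachment; filename="form.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Same place as last week?
"""

if __name__ == "__main__":
    for label, sample in (("LURE", LURE), ("ZIP_LURE", ZIP_LURE), ("BENIGN", BENIGN)):
        print(label, triage(sample) or "clean")
```

The sender check is the one that survives subject-line changes between variants: a message whose display name says PayPal but whose envelope domain is something else is suspicious regardless of wording, which is why it is scored separately from the quoted subject.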


MiMail.I underscores a trend in which attackers' motive shifts from notoriety to criminal gain.

'This is an increasing trend and an alarming one,' said Ken Dunham, an analyst with iDefense, US security-intelligence firm. 'Identity theft is a growing problem, with the market for stolen credit cards emerging worldwide.'


Sobig, which ran rampant from January to August, was another example of this shift.

An earlier variant of MiMail debuted on October 31 and was quickly followed by five more variants in three days.


'Brace yourself,' said Dunham. 'We'll likely see more variants of this attack in the very near future.'


Anti-virus vendors have scrambled to release updated definition files for MiMail.I and have upgraded their threat assessments of the new worm.

Network Associates ratcheted up its risk level for MiMail.I from 'low' to 'medium' on November 14 to account for the overnight surge in the worm, while Symantec ranked it at '2' on its 1-to-5 scale.

MiMail.I may have already run its course, said Network Associates' Schmugar. 'The traffic has dramatically dropped off since earlier [Friday] morning,' he said.
