The slickly designed web page offers users a 3-5% return on PayPal transactions if they download an official PayPal browser extension. Users who click the download button will receive a file named “cashback.exe.” Running this executable will infect the user’s system with the ransomware.
Nemty ransomware has been around for a while, but it began attracting attention last month. It was recently observed spreading via the RIG exploit kit, and it may have been going after exposed RDP connections. The PayPal phishing site suggests that Nemty’s operators are interested in using multiple channels of distribution.
Ransomware is a very profitable criminal enterprise, and attackers have a strong incentive to improve their tactics. We hardly need to mention how widely used PayPal is, for both personal and business transactions. Social engineering is the most reliable and effective way to get malware onto your network.
New-school security awareness training can help your employees defend themselves against these attacks and keep your organization safe. BleepingComputer has the story: https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/