Score another one for the bad guys, who have yet again demonstrated their seemingly inexhaustible ability to concoct new methods to exploit legitimate services in order to bypass existing anti-malware defenses and spam traps.
Proofpoint researchers report in a special security advisory that malicious actors are delivering the Chthonic banking trojan (itself a variant of the infamous Zeus trojan) through the PayPal "money request" feature.
Using legitimate (and undoubtedly compromised) PayPal accounts, the bad guys are sending potential victims bogus phishing requests for money through PayPal. In addition to losing a few hundred bucks to imposters, potential victims may also fall victim to the Chthonic banking trojan if they click the embedded link in the email.
So, how did it come to this? PayPal allows users of the "money request" feature/service to include a personalized message, and that is what lets the bad guys push malicious links leading to Chthonic to unsuspecting users. In the example offered by Proofpoint, the malicious link takes the form of a goo.gl shortener link, which then redirects to a malicious domain controlled by the bad guys.
If there is any good news to be had from this situation, it's that this malware campaign appears to be very low volume. In other words, the bad guys haven't yet figured out how to automate this campaign. Also, the embedded malicious link is not being hidden behind a PayPal redirect URL, which would make the bait appear even more legitimate than it already does.
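Because the link in the sender's note points straight off the PayPal domain, a mail filter can catch this pattern before a user ever sees it. The following is an added example written for this article (not Proofpoint's or PayPal's code): it parses a constructed PayPal-style money-request notification and reports every body link that is not on paypal.com, tagging known URL shorteners separately. The sample message and the shortener list are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample of a PayPal-style money-request notification whose
# personalized note carries a shortener link. The sender, amount and the
# short URL are made-up placeholders, not values from the advisory.
SAMPLE_EMAIL = """From: service@paypal.com
Subject: J. Doe sent you a money request
Content-Type: text/plain; charset=utf-8

J. Doe has requested $280.00 USD from you.

Note from J. Doe:
"Invoice attached, please check it before paying: http://goo.gl/EXAMPLE1"

View and pay: https://www.paypal.com/myaccount/transfer/homepage/request
"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Assumed list of public shorteners; extend it from your own mail telemetry.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}
TRUSTED_DOMAIN = "paypal.com"


def is_trusted_host(host: str) -> bool:
    """True only for paypal.com or a genuine subdomain; a bare endswith()
    would also accept look-alikes such as notpaypal.com."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def suspicious_links(raw_email: str) -> list:
    """Return (url, reason) for each body link that leaves PayPal's domain:
    'url_shortener' for a known shortener, otherwise 'off_domain'."""
    msg = message_from_string(raw_email)
    parts = []
    for part in msg.walk():  # walk() yields the message itself if single-part
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True)
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    findings = []
    for url in URL_RE.findall("\n".join(parts)):
        host = (urlsplit(url).hostname or "").lower()
        if is_trusted_host(host):
            continue  # links that stay on PayPal are expected in these mails
        findings.append((url, "url_shortener" if host in SHORTENERS else "off_domain"))
    return findings


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {url}")
```

In production this check should run only on mail that has already passed SPF/DKIM for paypal.com, so the off-domain link, not the sender, is the thing being judged.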
Nonetheless, it's worth reminding users and employees that they should always be on their toes, even when dealing with emails that give every appearance of coming from legitimate, trusted sources.
If you're wondering how many people in your organization are susceptible to phishing, here is a free test: