Email notification regarding your debt at the service BillMeLater contains email threat


MX Lab, http://www.mxlab.eu, is intercepting messages about an alleged debt to the Bill Me Later service (a company acquired by eBay in 2008 and now part of PayPal) that carry a security threat. These messages are sent with various subjects like:

Immediately pay off the debt! #id81490
We will file a charge against you. #id80119
You must immediately pay off the debt! #id40754
….

The email is sent from the spoofed address “Ebay <customer@ebaybill.com>” and its body consists of a single image:

The included URL leads to a host where a malicious payload is present. The file INVOICE_FORM.zip is downloaded; it contains the compressed executable INVOICE_FORM.exe.

The trojan is known as Suspect.Trojan.Generic.FD-4, Trojan.Win32.Tobfy!IK, Trojan.Win32.Tobfy or HEUR:Trojan.Win32.Generic.

At the time of writing, 6 of the 42 AV engines on VirusTotal detected the trojan.

VirusTotal permalink and SHA256: bd5e2868987d59cd24ed748cbcc489396eb782ddbf6e207395b0d80c5521b017.
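As an added defender's example (not part of MX Lab's post), the small Python filter below flags the lure traits described above, the spoofed ebaybill.com sender and the “#id” debt subjects, and inspects a downloaded archive for an executable member or the post's SHA256. The message and archive it runs on are constructed stand-ins; the archive member is dummy bytes, not the trojan.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.utils import parseaddr

# Indicators taken from the MX Lab post.
SPOOFED_SENDER_DOMAIN = "ebaybill.com"
SUBJECT_RE = re.compile(r"(pay off the debt|file a charge against you)[!.]?\s*#id\d+", re.I)
KNOWN_SHA256 = {"bd5e2868987d59cd24ed748cbcc489396eb782ddbf6e207395b0d80c5521b017"}


def inspect_headers(raw: bytes) -> list[str]:
    """Flag the campaign's lure traits in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender.endswith("@" + SPOOFED_SENDER_DOMAIN):
        findings.append("spoofed-sender")
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        findings.append("debt-lure-subject")
    return findings


def inspect_zip(data: bytes) -> list[str]:
    """Flag an archive that delivers an executable or a known-bad hash."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            if info.filename.lower().endswith(".exe"):
                findings.append("executable-in-archive:" + info.filename)
            if hashlib.sha256(content).hexdigest() in KNOWN_SHA256:
                findings.append("known-sample:" + info.filename)
    return findings


# Constructed sample message modelled on the post (not a real capture).
SAMPLE_EML = (
    b"From: Ebay <customer@ebaybill.com>\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Immediately pay off the debt! #id81490\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<img src="http://payload.example.invalid/INVOICE_FORM.zip">\r\n'
)


def build_sample_zip() -> bytes:
    """Constructed stand-in for INVOICE_FORM.zip; the member is harmless dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE_FORM.exe", b"MZ constructed placeholder, not malware")
    return buf.getvalue()
```

Because the member is a placeholder, the hash check does not fire here; on the real sample it would report `known-sample:INVOICE_FORM.exe`.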

7 thoughts on “Email notification regarding your debt at the service BillMeLater contains email threat”

  1. I received such an email last week as you have shown, showing the Ebay logo and Billmelater/Paypal.
    I was so pleased to find your website and see the exact copy.
    It took a lot of relief from my mind.

  2. Hi, I clicked on the link but when prompted for the zip I declined to download it. Any problems with that?
