Don't give your credit card details to a virus! Sophos warns of new Mimail-I worm

November 14, 2003 Sophos Press Release

The Mimail-I worm tries to fool you into entering your credit card information
The Mimail-I worm tries to fool you into entering your credit card information

Sophos, a world leader in anti-virus and anti-spam protection for businesses, is warning of a new variant of the Mimail worm, which is spreading widely.

The new worm, named W32/Mimail-I, arrives in an email with a subject line of "YOUR PAYPAL.COM ACCOUNT EXPIRES", and asks you to provide detailed information about your credit card, claiming that PayPal "are implementing a new security policy."

The email tells you not to send your personal information through email (ironically, correctly advising you that email is insecure) and instructs you to run the attached program instead.

If you run the program, attached in a file called "www.paypal.com.scr", a dialog box pops up requesting you to enter a range of information about your credit card. This includes your full credit card number, your PIN, the expiry date, and even the so-called CVV code (this is an additional three-digit security code printed on the back of your card which is not recorded by credit card machines during transactions). The dialog includes a PayPal logo in a further attempt to appear legitimate.

"Mimail-I tries to harvest your bank card data and then sends it out to the bad guys in an email," explained Paul Ducklin, head of technology, Asia Pacific, at Sophos. "It even includes a realistic-looking checkbox which you are expected to tick in order to confirm that the details you have entered are correct."

"But the email sent to you by Mimail-I could never be legitimate," Ducklin points out. "Banks and credit card companies never request information of this sort via email, just as computer security companies never send out patches this way. Email is simply not secure enough for transactions of this type."

As well as stealing bank information, Mimail-I sends itself to everybody whose email addresses appear on the user's hard disk. This is likely to generate a lot more email traffic than computer users may have bargained for.

Sophos offers the following advice:

  • Don't act on web links or attachments sent to you in emails which claim to come from banks or financial companies. The apparent source of an email is too easily forged.
  • Block all Windows programs and files (EXE, DLL, SCR, BAT, PIF, CMD, etc.) at your email gateway if you can. Because of the associated risks, there is almost no business case for distributing programs by email.
  • Filter outbound email with a product such as Sophos PureMessage or Sophos MailMonitor before it leaves your network. This is good "internet citizenship", because it limits the collateral damage you can do to the internet even if you become infected.
  • Update your anti-virus software regularly and frequently so you can identify the latest threats accurately. Using a product (such as Sophos Enterprise Manager) which can automate updates takes the stress and uncertainty out of the process.