New Virus Appears as PayPal Scam

If you get an e-mail message warning you that your PayPal account is about to expire, don't open it. If you open it, don't double-click the attachment. If you double-click the attachment, don't complete the form asking for your credit card information. And if you do fill in the form, call your credit card company immediately.

And don't blame PayPal. The problem is an e-mail virus, Mimail.I, first spotted on November 13. Most viruses are sick jokes; this one's out to steal your money.

How It Works

Mimail (pronounced "my mail") arrives in an e-mail that appears to be from PayPal. In very convincing language, it states that your account will expire soon unless you resubmit your credit card information. "We apologize for any inconvenience that this may cause," the text politely reads.

The letter even appears concerned about your privacy: "Please do not send your personal information through e-mail, as it will not be as secure." Instead, it asks that you run the attached program. That's where you enter your valuable information, which it then sends to four different e-mail addresses.

It also scours your hard drive for new e-mail addresses to send the same bogus message. These messages, like the one you got, are "spoofed" to appear as if they came from PayPal.

"It appears to be another step in the advancement of spam," says David E. Sorkin, an associate professor with the Center for Information Technology and Privacy Law, at John Marshall Law School. "A few months ago there was talk about spammers using viruses to send spam. Now they're using them for fraud."

Bryson Gordon, senior product manager for McAfee's Security Consumer Division, finds this "far more sophisticated in social engineering [than previous worms] ... We're starting to see marked change in the battle with viruses: a worm for profit."

Slow-Moving Pest

Luckily Mimail hasn't spread very far--at least not yet.

"It's not a major event. We're seeing less than a hundred infections overall," says Vincent Weafer, a senior director at antivirus vendor Symantec Security Response.

As Weafer notes, that can change. "103259 Klez sat around for about a week and then shot up," he says. But he doubts this one will spread like Klez. Mimail is a "relatively easy one to explain. You can say 'If you see this, delete it.'"

But justice is not likely to be served. According to Weafer, the culprits will get caught "Only if they're stupid." The logical trail to follow, of course, is the four e-mail addresses embedded in the code, but it's possible to set up anonymous e-mail accounts without identifying yourself, or set up an account with a stolen credit card.

What to Do

One thing is for certain: We'll see this sort of trick again, so it pays to take precautions.

Be suspicious of any e-mail that asks for personal information, security experts advise.

PayPal promises it "will never ask for your password or account information in an e-mail," and most other companies on the Internet do likewise. If an e-mail message contains a link to a form, examine the URL closely--it could be just one letter away from the correct domain name.

Report suspicious e-mail to the company that is allegedly its source. PayPal has an e-mail address,, for just this purpose.

And, of course, keep your antivirus applications and definitions up to date. Users of Symantec's Norton AntiVirus products, as well as security programs from BitDefender and Network Associates, were able to download the appropriate protection by last Friday morning. In addition, both BitDefender and Network Associates offer free Mimail fixes on their Web sites.

Subscribe to the Best of PCWorld Newsletter