The compromised websites hosting CTB-Locker ransomware are also being used for PayPal phishing.

Researchers with Trend Micro are seeing upgraded CTB-Locker ransomware being delivered in fake Google Chrome and Facebook emails as part of an attack that is also tied to a PayPal phishing campaign.

Recipients of the phony Google Chrome email are told that they should upgrade their browser because it is out-of-date and potentially vulnerable, according to a Thursday post by Michael Marcos, threat response engineer with Trend Micro.

Clicking on the link in the email will direct users to a website hosting a new variant of CTB-Locker, Marcos wrote, explaining that the ransomware uses a Google Chrome icon as a way of fooling people into thinking it is an installer package.

CTB-Locker is also being delivered to individuals via an email purporting to come from Facebook. The email states that the recipient's social media account has been temporarily disabled until they read the new terms and policies, which can be found by clicking a link. Clicking it results in a variant of the ransomware being downloaded, which disguises itself as a PDF file.

In both instances, CTB-Locker is being hosted on compromised websites that are linked to one IP address, Marcos wrote. He went on to explain that further research revealed the URLs are also associated with a PayPal phishing campaign.

“The connection between these two attacks is that they are both using some of the same servers for their attacks,” Christopher Budd, global threat communications manager with Trend Micro, told SCMagazine.com in a Thursday email correspondence. “This can indicate the same threat actors are behind both sets of attacks.”

In the PayPal phishing campaign, users receive an email indicating unusual activity on their PayPal account, and that they should click a link to resolve the issue. The link directs recipients to a PayPal phishing website that asks for their credentials – as well as payment card information and other sensitive data – before directing them back to the legitimate PayPal login page.

Budd said the PayPal phishing website is hosted on the same compromised websites that are hosting the CTB-Locker ransomware.

Marcos indicated in the post that the biggest change to these latest variants of CTB-Locker is a ransom message that can be viewed in three new languages: French, Spanish and Latvian. Previous iterations of the ransomware supported English, Italian, German and Dutch, so now victims have seven options.

The top countries being affected in these latest CTB-Locker attacks are Italy, France, India, and the United States, but Mexico, South Africa, Spain, Turkey, Russia and Chile are affected as well, Marcos noted in the post.

UPDATE: In a statement emailed to SCMagazine.com on Friday, a PayPal spokesperson said, “We take our customers' security very seriously at PayPal and have a dedicated team of experts that works 24/7 to protect our customers from phishing. Through our industry collaboration on DMARC, we help prevent nearly 15 million fraudulent emails from ever reaching our customers' inboxes each month. PayPal also works with industry partners to quickly take down fake web sites to help reduce the number of potential phishing victims. For those PayPal customers where a phishing attempt is successful, we have sophisticated technologies and algorithms that detect and prevent fraud before it even happens. If you think you've received a suspicious email, please report it to spoof@paypal.com.”