The worm uses a combination of techniques to trick users into disclosing their credit card details and spread itself. The first stage is brand spoofing – the email appears to have been sent from PayPal and requests that users update their account details by filling in a pop-up dialogue box, which appears to be an external web site.

This attachment also spoofs PayPal’s brand and logo, and requests the user’s credit card number, PIN and expiry date, as well as the three-digit credit card security code. As well as attempting to harvest this security information, the Mimail-I worm also copies itself to a file in the Windows folder to run automatically on startup and sends itself to every email address that appears on the infected hard disk.

Anti-virus firm Sophos Plc has warned users to be on the lookout for the worm and noted that due to the nature of the attachment it could be blocked by ant-virus software that blocks files with more than one extension at the email gateway.

As a worm, Mimail-I differs from recent scam emails targeting major banks that have encouraged users to enter their bank details into spoof web sites – a practice that has become known as phishing and has been linked with organized crime.

While it is easier to block than other email scams, which use URL masking techniques rather than attachments and do not self-replicate, Mimail-I does indicate that phishing scams are moving beyond traditional banks.

Indeed, phishing may spread beyond the banks and service providers to potentially any on-line retail business.

This article was based on material originally published by ComputerWire.