
Friday, 19 April 2013

American Express spam / CD0199381.434469398992.zip

This fake American Express spam comes with a malicious attachment:

Date:      Fri, 19 Apr 2013 08:29:52 -0500 [09:29:52 EDT]
From:      "PAYVESUPPORT@AEXP.COM" [PAYVESUPPORT@AEXP.COM]
Subject:      PAYVE - Remit file
Part(s):        2      CD0199381.434469398992.zip      [application/zip]

A payment(s) to your company has been processed through the American Express Payment
Network.
The remittance details for the payment(s) are attached (CD0199381.434469398992.zip).

   -   The remittance file contains invoice information passed by your buyer. Please
contact your buyer
       for additional information not available in the file.

   -   The funds associated with this payment will be deposited into your bank account
according to the
       terms of your American Express merchant agreement and may be combined with other
American Express deposits.
       For additional information about Deposits, Fees, or your American Express merchant
agreement:
       Contact American Express Merchant Services at 1-800-528-8782 Monday to Friday,
8:00 AM to 8:00 PM ET.
   -   You can also view PAYVE payment and invoice level details
using My Merchant Account/Online Merchant Services.
      If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount
      or call us at 1-866-220-6634, Monday - Friday between 9:00 AM-7:30 PM ET, and we'll
be glad to help you.
      For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number)
      and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails from
American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service:
https://www.americanexpress.com/messagecenter

******************************************************************************
"This message and any attachments are solely for the intended recipient and may contain
confidential or privileged information. If you are not the intended recipient, any
disclosure, copying, use, or distribution of the information included in this message and
any attachments is prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this message and any
attachments. Thank you."
******************************************************************************
There is an attachment CD0199381.434469398992.zip containing a file CD0199381-04192013.exe [note that the date of the spam run, 19 April 2013, is encoded in the filename]. VirusTotal detection for that file is just 6/46. ThreatExpert reports that the malware communicates with the following servers:

mail.yaklasim.com (212.58.4.13: Doruknet, Turkey)
autoservicegreeley.com (198.100.45.44: A2 Hosting, US)
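The attachment structure described above (a zip wrapping a date-stamped .exe) is easy to triage automatically. The script below is an added example, not code from the original post: it builds a constructed stand-in zip in memory (the member is an inert MZ-header stub, not the real malware), lists every member, flags executable extensions and PE magic, and checks whether the MMDDYYYY stamp in the filename matches the date of the mail. The `<ref>-MMDDYYYY.exe` naming pattern is an assumption generalised from the single sample name reported here.

```python
import hashlib
import io
import os
import re
import zipfile
from datetime import datetime, date

# Date of the spam run, taken from the mail header quoted above.
MAIL_DATE = date(2013, 4, 19)

# Extensions that have no business arriving as "remittance details".
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Naming pattern of the payload in this run: <ref>-MMDDYYYY.exe
# (assumption generalised from the one observed name, CD0199381-04192013.exe).
DATED_NAME = re.compile(r"^(?P<ref>[A-Z]{2}\d+)-(?P<mmddyyyy>\d{8})\.exe$", re.IGNORECASE)


def build_sample_zip() -> bytes:
    """Constructed stand-in for CD0199381.434469398992.zip.

    The member is an inert stub (an MZ header plus zero filler), not the
    malware itself; only the file names mirror the ones reported above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CD0199381-04192013.exe", b"MZ" + b"\x00" * 510)
    return buf.getvalue()


def triage_zip(data: bytes, mail_date: date) -> list:
    """Inspect every member of a zip attachment without executing anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            item = {
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),
                "executable_ext": ext in EXEC_EXT,
                "mz_header": content[:2] == b"MZ",  # DOS/PE executable magic
                "encoded_date": None,
                "date_matches_mail": False,
            }
            m = DATED_NAME.match(info.filename)
            if m:
                try:
                    d = datetime.strptime(m.group("mmddyyyy"), "%m%d%Y").date()
                except ValueError:
                    d = None  # eight digits that are not a real calendar date
                item["encoded_date"] = d
                item["date_matches_mail"] = d == mail_date
            findings.append(item)
    return findings


def verdict(findings: list) -> str:
    """An executable extension or MZ magic inside a 'remittance' zip: treat as malicious."""
    if any(f["executable_ext"] or f["mz_header"] for f in findings):
        return "malicious"
    return "clean"


if __name__ == "__main__":
    results = triage_zip(build_sample_zip(), MAIL_DATE)
    for item in results:
        print(item)
    print(verdict(results))
```

Run against a real attachment, replace `build_sample_zip()` with the bytes of the quarantined zip; the date comparison is the useful part, since a filename stamped with the day of delivery is a campaign marker that survives the per-run change of the numeric reference.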

This malware shares some characteristics with this attack.

Blocklist:
198.100.45.44
212.58.4.13
aapros.info
aapros.mobi
aapros.net
aapros.org
automaintenancegreeley.com
autorepairevans.com
autorepairgreeley.info
autorepairgreeley.mobi
autorepairgreeley.net
autorepairgreeley.org
autorepairgreeley.us
autoservicegreeley.com
brakesgreeley.com
mail.yaklasim.com
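A blocklist like the one above mixes bare IPs with domains, and the domains need label-wise matching rather than substring matching: www.autoservicegreeley.com should hit autoservicegreeley.com, while aapros.info.example.net must not hit aapros.info, and the listed host mail.yaklasim.com does not by itself condemn its parent yaklasim.com. The script below is an added example, not code from the original post: it parses the list verbatim and runs it over a handful of constructed proxy log lines in an assumed four-field format (timestamp, client, destination host, resolved IP).

```python
import ipaddress
import re

# The blocklist from the post, verbatim.
BLOCKLIST = """
198.100.45.44
212.58.4.13
aapros.info
aapros.mobi
aapros.net
aapros.org
automaintenancegreeley.com
autorepairevans.com
autorepairgreeley.info
autorepairgreeley.mobi
autorepairgreeley.net
autorepairgreeley.org
autorepairgreeley.us
autoservicegreeley.com
brakesgreeley.com
mail.yaklasim.com
""".split()


def parse_blocklist(entries):
    """Split a mixed list into a set of IP addresses and a set of domain names."""
    ips, domains = set(), set()
    for entry in entries:
        entry = entry.strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            domains.add(entry)
    return ips, domains


def matching_domain(host, domains):
    """Return the listed domain that host equals or sits under, else None.

    Matching is on whole DNS labels, walking from the full name up to the TLD,
    so a listed name catches its subdomains but never its parents or unrelated
    names that merely contain it as a substring.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed proxy log lines (assumed format): timestamp client dst_host dst_ip.
SAMPLE_LOG = [
    "2013-04-19T14:31:02 10.0.0.15 mail.yaklasim.com 212.58.4.13",
    "2013-04-19T14:31:05 10.0.0.15 www.autoservicegreeley.com 198.100.45.44",
    "2013-04-19T14:31:09 10.0.0.22 yaklasim.com 212.58.4.13",
    "2013-04-19T14:32:00 10.0.0.30 www.example.com 93.184.216.34",
    "2013-04-19T14:32:10 10.0.0.30 aapros.info.example.net 203.0.113.9",
    "garbage line that does not parse",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<ip>\S+)$")


def scan_log(lines, ips, domains):
    """Return (timestamp, client, host, reason) for every line touching the blocklist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        reason = None
        listed = matching_domain(m["host"], domains)
        if listed:
            reason = "domain:" + listed
        else:
            try:
                if ipaddress.ip_address(m["ip"]) in ips:
                    reason = "ip:" + m["ip"]
            except ValueError:
                pass  # destination field is not an IP literal
        if reason:
            hits.append((m["ts"], m["client"], m["host"], reason))
    return hits


if __name__ == "__main__":
    ip_set, domain_set = parse_blocklist(BLOCKLIST)
    for hit in scan_log(SAMPLE_LOG, ip_set, domain_set):
        print(hit)
```

The third sample line shows why both halves of the list matter: yaklasim.com is not listed, but the connection still resolves to 212.58.4.13 and is caught on the IP. The IP match is also what survives when the attacker rotates hostnames on the same hosting.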


1 comment:

Dan Swett said...

As I was reading this, someone received one of these on our mailserver with a different ip address.

name="CD0199381.413002919399.zip" from host-98-maximt.static.t1.primus.ca[216.254.199.98]; from=