Sponsored by..

Thursday 4 April 2013

"Bill Me Later" spam / PP_BillMeLater_Receipe04032013_4283422.zip

This fake "Bill Me Later" spam comes with a malicious attachment:

Date:      Wed, 3 Apr 2013 21:42:52 +0600 [04/03/13 11:42:52 EDT]
From:      Bill Me Later [notification@billmelater.com]
Subject:      Thank you for scheduling a payment to Bill Me Later



BillMeLater
   
Log in here
       
Your Bill Me Later� statement is now available!

Dear Customer,

Thank you for making a payment online! We've received your
Bill Me Later® payment of $1644.03 and have applied it to your account.

For more details please check attached file : PP_BillMeLater_Receipe04032013_4283422.zip

Here are the details:

Your Bill Me Later Account Number Ending in: 0014

You Paid: $1644.03

Your Payment Date*: 04/03/2013

Your Payment Confirmation Number: 228646660603545001

Don't forget, Bill Me Later is the perfect way to shop when you want more time to pay for the stuff you need. Plus, you can always find great deals and discounts at over 1000 stores. Watch this short, fun video to learn more.

BillMeLater

*NOTE: If your payment date is Saturday, or a holiday, it will take an additional day for the payment to appear on your account. However, you will be credited for the payment as of the payment date.
Log in at PayPal.com to make a payment
Questions:
Do not reply to this email. Please send all messages through the email form on our website. We are unable to respond to account inquiries sent in reply to this email. Bill Me Later is located at 9690 Deereco Rd, Suite 110, Timonium, MD 21093 Copyright 2012 Bill Me Later Inc.

Bill Me Later accounts are issued by WebBank, Salt Lake City Utah

PP10NDPP1


There is an attachment called PP_BillMeLater_Receipe04032013_4283422.zip which contains an executable file PP_BillMeLater_Receipe_04032013.exe (note that the date is encoded into the filename) which currently has a VirusTotal detection rate of just 26/46. The executable is resistant to automated analysis tools but has the following fingerprint:
MD5: c93bd092c1e62e9401275289f25b4003
SHA256: ae5af565c75b334535d7d7c1594846305550723c54bf2ae77290784301b2ac29


Blocking EXE-in-ZIP files at your perimeter is an effective way of dealing with this threat, assuming you have the technology to do it.

No comments: