Date: Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From: Fiserv Secure Notification [firstname.lastname@example.org]
Subject: Fiserv Secure Email Notification - IZCO4O4VUHV83W1
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - Iu1JsoKaQ
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to email@example.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.840.0668.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
Of course, it would be supremely pointless password protecting a document and then including the password in the email! The file has been password protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ which in turn leads to a file called SecureMessage_06032013.exe (note the date in included in that filename).
At the moment the VirusTotal detection rate is a so-so 16/47. The ThreatTrack analysis identifies some locations that the malware phones home to:
For the records, those IPs belong to:
18.104.22.168 (ThePlanet, US)
22.214.171.124 (Hanaro Telecom, Korea)
126.96.36.199 (Telmex, Colombia)
188.8.131.52 (Ouverture Service, Italy)
184.108.40.206 (Register.com, US)