Sponsored by..

Friday, 21 June 2013

LexisNexis spam FAIL

This fake LexisNexis spam is meant to have a malicious attachment, but something has gone wrong. Nonetheless, the next time the spammers try it they will probably get it right.. so beware of any emails similar to this one that have an attachment larger than a couple of hundred bytes.

Date:      Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From:      LexisNexis [einvoice.notification@lexisnexis.com]Book
Subject:      Invoice Notification for June 2013   

There was an invoice issued to your company: [redacted]

Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.

    Account Number     455SAZ    
    Invoice Number     904510653899    
    Invoice Date     June 21, 2013    
    Invoice Amount     $3.508.00    
    Account Balance     $0.00    

You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.

You can also print this e-mail and send your payment to:
    PO BOX 7247-7090    
    Philadelphia, PA 19170-7090    

If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.

If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.

Please add this domain @email.lexisnexismail.com to your safe senders list.

Adobe Acrobat free downloadable file available at :

In this case the attachment is just 8 bytes and is harmless. Next time, it probably won't be..

Of note, the only link in the email goes to [donotclick]https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html which is the sort of thing that happens to a URL when it goes through Outlook Web Access, in this case it would be on the server server.nepplelaw.com but I have no explanation as to why it is there, however it is harmless.


Heather McCalley said...

Hi, conrad--the Malcovery Security T3 report today examines this malware. 20% of the samples we got were 102kb. Here are the VT stats:

LexisNexis_Invoice_06212013.zip (103,445 bytes)
MD5: 12ec37f0bf80881eb168b42b1388e2cb
VirusTotal: 12 / 47 (McAfee - BackDoor-FJW)

Fergie said...

I haven't received a T3 report since 17 June?

- ferg

Tracie Morris said...

On Friday, June 21, 2013, a large number of LexisNexis® customers and other organizations received fraudulent e-mails claiming to be from LexisNexis and containing what appear to be invoices. These e-mails and the invoices are not legitimate and originate from outside our systems. LexisNexis systems remain secure and unaffected. For more information on the incident go to http://www.lexisnexis.com/media/press-release.aspx?id=1371846110655006

Richard said...

You may want to update your post. It is not harmless. A zbot trojan is loaded onto your computer. It is easily cleaned with Malware Bytes Anti-Malware.


Conrad Longmore said...

@Richard - I think you're seeing ones with the payload intact, these ones are truncated. There's another run coming in today with a BBB theme. I'll review the post a little to make it clear that this type of spam USUALLY leads to malware..