Sponsored by..

Wednesday, 4 September 2013

HSBC spam / Original Copy (Edited).zip

This fake HSBC spam links to a malicious ZIP file:

Date:      Wed, 4 Sep 2013 01:45:17 -0700 [04:45:17 EDT]
From:      HSBC Wire Advising service [wireservice@hsbc.com.hk]
Reply-To:      hsbcadviceref@mail.com
Subject:      HSBC Payment Advice Ref: [H6789000] / ACH Credits / Customer Ref: [PO780090] (Edited)

Dear Sir/Madam,

The attached payment advice is issued at the request of our customer. The advice is for your reference only.

Kindly Accept Our apology On the copy we sent earlier.

1 attachments (total 586 KB)
View slide show (1)
Download all as zip

Yours faithfully,
Global Payments and Cash Management

Copyright © HSBC Group 2013. All rights reserved.Copyright/IP Policy | Terms of Service
NOTICE: We collect personal information on this site. To learn more about how we use your information, see our Privacy Policy.


The link in the email goes to a file sharing site at [donotclick]ge.tt/api/1/files/1AFpS3r/0/blob?download and then downloads a file Original Copy (Edited).zip which contains a malicious executable Original Copy (Edited).scr (actually a renamed .EXE file, not a screensaver). The VirusTotal detection rate is 14/16.

The malware uses various techniques to prevent being analysed in a sandbox, but the ThreatExpert report shows some network activity including a suspect connection to ftp.advice.yzi.me (, Hostinger International US) which might be worth blocking.

No comments: