Tuesday, 29 October 2013

Wells Fargo "Check copy" spam / Copy_10292013.zip

These fake Wells Fargo spam messages have a malicious attachment:

Date:      Tue, 29 Oct 2013 22:34:50 +0800 [10:34:50 EDT]
From:      Wells Fargo [Emilio.Hendrix@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Emilio Hendrix
Wells Fargo Check Processing Services
817-576-4067 office
817-192-2390 cell Emilio.Hendrix@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

--------------------

Date:      Tue, 29 Oct 2013 14:41:46 +0000 [10:41:46 EDT]
From:      Wells Fargo [Leroy.Dale@wellsfargo.com]
Subject:      FW: Check copy

We had problems processing your latest check, attached is a image copy.

Leroy Dale
Wells Fargo Check Processing Services
817-480-3826 office
817-710-4624 cell Leroy.Dale@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

Attached is a ZIP archive Copy_10292013.zip which contains an executable file Copy_10292013.exe which is (of course) malicious. Note that the date is encoded into the filenames, so future versions of this will vary.

The VirusTotal detection rate is just 3/47. Automated analysis [1] [2] shows an attempted connection to allisontravels.com on 69.26.171.181 (Xeex Communications, US) which appears to be the only site currently on this server. I would recommend blocking one or both of these.
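Because the filenames change with the date, a mail-gateway check is better keyed on the pattern than on the exact name. The following is an added example, not part of the original post: it flags ZIP attachments whose name carries a word plus an MMDDYYYY stamp and lists any executable members inside. The function names, the extension list and the regex generalisation are assumptions, and the sample message is constructed with harmless placeholder bytes.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Word + "_" + MMDDYYYY stamp, as in Copy_10292013.zip (prefix and date vary per run).
DATED_NAME = re.compile(
    r"^[A-Za-z]+_(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(20\d\d)\.zip$", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")  # assumed list, extend as needed

def inspect_message(raw: bytes) -> list:
    """Return reasons to quarantine; an empty list means nothing matched."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        if DATED_NAME.match(name):
            findings.append(f"date-stamped archive name: {name}")
        try:
            # Only the member list is read; nothing is extracted to disk.
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            findings.append(f"unreadable archive: {name}")
            continue
        for member in members:
            if member.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"executable inside archive: {member}")
    return findings

def build_sample(attachment_name: str, member_name: str) -> bytes:
    """Constructed test message; the archive member is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "Wells Fargo <sender@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "FW: Check copy"
    msg.set_content("We had problems processing your latest check.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    for reason in inspect_message(build_sample("Copy_10292013.zip", "Copy_10292013.exe")):
        print(reason)
```

The executable-inside-archive finding is the stronger signal; the name pattern alone would also match legitimately dated archives.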

3 comments:

MannyQ said...

Got this one too this morning.

Attached: Image_10292013.zip 12kb

We had problems processing your latest check, attached is a image copy.

Enrique Goodwin
Wells Fargo Check Processing Services
817-335-3990 office
817-782-2864 cell
Enrique.Goodwin@wellsfargo.com

Wells Fargo Check Processing Services. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Philip said...

Got one a few minutes ago. Almost fooled by it. Thanks for posting this warning!

Jay Wright said...

I opened it. How do I seek and destroy?