Sponsored by..

Friday 25 October 2013

"You have received a new debit" Lloyds TSB spam

This fake Lloyds TSB message has a malicious attachment:

Date:      Fri, 25 Oct 2013 13:55:41 +0200 [07:55:41 EDT]
From:      LloydsTSB [noreply@lloydstsb.co.uk]
Subject:      You have received a new debit
Priority:      High Priority 1 (High)

This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.

The details of the payment are attached.

============================================================================
This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments.
Attached is a zip file in the format Report_recipientname.zip which in turn contains a malicious executable Report_10252013.exe (note the date is encoded into the filename). The file has an icon to make it look like a PDF file, but it isn't.

The VirusTotal detection rate is a so-so 13/47. Automated analysis [1] [2] shows an attempted connection to www.baufie.com on 173.203.199.241 (Rackspace, US). Often these callbacks indicate a completely compromised server, so it may be possible that there are other sites being abused on the same box.


1 comment:

Jamie said...

Generally if you report it to rackspace they actually give a crap, which is nice.