Sponsored by..

Wednesday 23 April 2014

"Broad Oak Toiletries Ltd" fake invoice spam

UPDATE 2014-05-06:  there is a new version of this with a malicious .PDF attachment, please scroll down for more details.

This spam purports to be from a legitimate company called Broad Oak Toiletries Ltd, but in fact it is a fake with a malicious payload and it does not come from Broad Oak Toiletries at all (some other reports say their email has been hacked, it has not.. this is a forgery)

Date:      Wed, 23 Apr 2014 08:13:19 +0000 [04:13:19 EDT]
From:      Sue Mockridge [smockridges2@Broad-oak.co.uk]
Subject:      Invoice 739545

Hello,

Please can you let me have a payment date for the attached March Invoice?

Kind Regards

Sue Mockridge
Accounts Administrator

' (Main) 01884 242626  ' (Direct Dial) 01884 250764

Please consider the environment before printing

Broad Oak Toiletries Ltd, Tiverton, Tiverton Way, Tiverton Business Park, Tiverton, Devon, EX16 6TG
Registered No. 1971053 England & Wales
Telephone: +44 (0) 1884 242626
Facsimile: +44 (0) 1884 242602


CONFIDENTIALITY:
The information in this email and any attachments is confidential. It is intended solely for the attention and use of the named addressee(s). The unauthorised copying, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information is prohibited. Unless explicitly stated otherwise, the contents of this message are strictly subject to contract; any views expressed may be personal and shall not create a binding legal contract or other commitment on the part of Broad Oak Toiletries Ltd.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
The attachment is Invoice 493234 March 2014.zip which in turn contains a malicious executable Invoice 288910 March 2014.exe which has a VirusTotal detection rate of just 2/51.

Automated analysis tools [1] [2] show attempted connections to the following URLs:
72.34.47.163/11
91.99.102.154/11
yourmedialinkonline.com/11
dframirez.com/11
duvarikapla.com/11
duvallet.eu/11
24hr-ro.com/11
edwardalba.com/11
ekodin.rs/11
exorcist.go.ro/11
kuikencareercoaching.nl/11
sic-choppers.goracer.de/11
chriswolf.be/11
colorcopysite.com/11
mashhadsir.com/11
akirkpatrick.com/11
www.amelias-decoration.nl/11
netvietpro.com/11
guaempresas.com/11
hayatreklam.net/11
acenber.sbkml.k12.tr/11
how-hayonwye.com/11
iconservices.biz/11
idede.sbkml.k12.tr/11
www.tcrwharen.homepage.t-online.de/11
ec2-107-20-241-193.compute-1.amazonaws.com/11
www.derileq.com.mx/11
iaimrich.com/11
joyscenter.com/11
josip-stadler.org/11
www.kalkantzakos.com/11
files.karamellasa.gr/11
krptb.org.tr/11
legraff.com.tr/11
jieyi.com.ar/11
m.pcdbd.info/11
maestroevent.com/11
www2.makefur.co.jp/11
marcin_dybek.fm.interia.pl/11
marzenamaks.eu.interia.pl/11
mehmetunal.ztml.k12.tr/11
job.yesyo.com/11
mofilms.com/11
multimarge.ph/11
nbd.xon.pl/11
netset.ir/11
allforlove.de/11
ncapkur.sbkml.k12.tr/11
neumandina.com/11
209.217.235.25/~nanakram/11
home.planet.nl/~monst021/11
masterdiskeurope.com/~mooch/11
members.aon.at/~mredsche/11

Recommended blocklist:
72.34.47.163
91.99.102.154
yourmedialinkonline.com
dframirez.com
duvarikapla.com
duvallet.eu
24hr-ro.com
edwardalba.com
ekodin.rs
exorcist.go.ro
kuikencareercoaching.nl
sic-choppers.goracer.de
chriswolf.be
colorcopysite.com
mashhadsir.com
akirkpatrick.com
www.amelias-decoration.nl
netvietpro.com
guaempresas.com
hayatreklam.net
acenber.sbkml.k12.tr
how-hayonwye.com
iconservices.biz
idede.sbkml.k12.tr
www.tcrwharen.homepage.t-online.de
ec2-107-20-241-193.compute-1.amazonaws.com
www.derileq.com.mx
iaimrich.com
joyscenter.com
josip-stadler.org
www.kalkantzakos.com
files.karamellasa.gr
krptb.org.tr
legraff.com.tr
jieyi.com.ar
m.pcdbd.info
maestroevent.com
www2.makefur.co.jp
marcin_dybek.fm.interia.pl
marzenamaks.eu.interia.pl
mehmetunal.ztml.k12.tr
job.yesyo.com
mofilms.com
multimarge.ph
nbd.xon.pl
netset.ir
allforlove.de
ncapkur.sbkml.k12.tr
neumandina.com

UPDATE 2014-05-06:
A new version of this is circulating with a malicious .PDF attachment April invoice 914254.pdf although this time the body text is "Please can you let me have a payment date for the attached April Invoice?" and subject is "Invoice 396038 April". Email addresses spotted so far include

The VirusTotal detection rate for this is 7/51. Automated analysis is somewhat inconclusive. There are some indications that this might be using an Acrobat flaw CVE-2010-0188 which was patched a long time ago, so if have an up-to-date version of Acrobat Reader you may be protected. Also, if you opened the email in Gmail and used Google's PDF viewer you should be OK too.

Remember though that .PDF files and other document types can also spread malware, so exercise caution when dealing with emails from unknown sources.

UPDATE 2014-05-06 II:
A contact analysed the PDF (thanks) and determined that it then downloaded an executable from [donotclick]dr-gottlob-institut.de/11.exe (I guess "11" is a Spinal Tap reference) which has a VirusTotal detection rate of just 4/51.

Automated analysis tools [1] [2] [3] show that this in turn downloads components from the following locations:

pgalvaoteles.pt/111
axisbuild.com/111
sadiqtv.com/111
hostaldubai.com/111
nbook.far.ru/111
relimar.com/111
webbook.pluto.ro/111
bugs.trei.ro/111
gaunigeria.com/111
rubendiaz.net/111
adventiaingenieria.es/111
assurances-immobilier.com/111
markus.net.pl/111
www.mrpeter.it/111
inmobiliariarobinson.com/111
cigelecgeneration.com/111
hbeab.com/111
lefos.net/111
pk-100331.fdlserver.de/111
decota.es/111
krasienin.cba.pl/111
rallyeair.com/111
camnosa.com/111
caclclo.web.fc2.com/111
beautysafari.com/111
www.delytseboer.com/111
atelierprincesse.web.fc2.com/111
czarni.i15.eu/111
gogetgorgeous.com/111

This is very similar to the previous infection, although this time "11" has been dialed up to "111". This file (111.exe) has a VirusTotal detection rate of only 2/52 which does various bad things [1] [2] [3].

Because detection rates are still low, you might want to consider blocking the following domains:
dr-gottlob-institut.de
pgalvaoteles.pt
axisbuild.com
sadiqtv.com
hostaldubai.com
nbook.far.ru
relimar.com
webbook.pluto.ro
bugs.trei.ro
gaunigeria.com
rubendiaz.net
adventiaingenieria.es
assurances-immobilier.com
markus.net.pl
www.mrpeter.it
inmobiliariarobinson.com
cigelecgeneration.com
hbeab.com
lefos.net
pk-100331.fdlserver.de
decota.es
krasienin.cba.pl
rallyeair.com
camnosa.com
caclclo.web.fc2.com
beautysafari.com
www.delytseboer.com
atelierprincesse.web.fc2.com
czarni.i15.eu
gogetgorgeous.com

UPDATE 2014-05-06 III: 
Another downloaded file is:
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe

This has a VirusTotal detection rate of just 1/51 which makes it almost invisible. Automated analysis [1] [2] [3] [4] shows that it creates fake svchost.exe and csrss.exe, and sends a DNS query for smtp.gmail.com among other things.

Payload appears to be Gameover / P2P Zeus.

(btw, thanks to the #MalwareMustDie team for help!)

UPDATE 2014-05-12:
Another spam run is in progress, with yet another malicious PDF attachment, this time with a VirusTotal detection rate of  8/50.

The PDF downloads a file from:
[donotclick]infodream.eu/images/1.exe
..which has a VirusTotal detection rate of just 3/52. The Malwr analysis shows an attempted download from:

[donotclick]www.freshanswer.com/b70.exe
[donotclick]files.karamellasa.gr/tvcs_russia/2.exe
[donotclick]park-laedchen.de/illustrate/offending


Out of these only the first download appears to be working, the binary has a detection rate of 27/52. Automated analysis of this binary [1] [2] [3] shows that it attempts to connect to various legitimate services plus these suspect IPs in Russia:
217.174.105.92
93.171.173.34
91.221.36.184
37.143.15.103
146.255.194.173

Thanks again to the #MalwareMustDie team for assistance!


26 comments:

Bucks Bass said...

I got that today but with no attachment. I did some digging and it looks like they run their web site off a BT ADSL line! Most likely the self hosted site has been compromised......

Bucks Bass said...

I got that today but with no attachment. I did some digging and it looks like they run their web site off a BT ADSL line! Most likely the self hosted site has been compromised......

Richard Harris said...

I've had this twice today. Obviously not opened the attachment! I sent broad-oak an email to notify them... Must be rather annoying for them too.

Conrad Longmore said...

@Richard: they have a note on their website saying that they are away of the issue.

@Bucks: I haven't seen any evidence of a compromise. The email address has been spoofed (really easy to do) and nothing that I can find links back to the site.

Freshwinds IT Admin said...

Indeed, spoofing the sender address is very simple and claiming in the body of the email that it comes from any company is obviously trivial. Scammers do this sort of thing all the time and could do it to any business. Broad Oak are powerless and unwitting victims. It's entirely up to the recipients to recognise it for what it is.

We have received a few of these messages today (never any before). All claiming to be from
smockridges2@Broad-oak.co.uk except one that claims to be from overplayedjf935@gmail.com

I wonder if it's some sort of revenge attack against Broak Oak from some person disgruntled for some reason. Either way, they have my sympathy. They are probably inundated with people complaining at them through no fault of their own.

Unknown said...

Spoofing emails? Faking the email address is actually a feature in away.

Email was NOT designed to be secure both ways. You can send a email to any email address with any data and it will accept it. The only person who can get that info is the server, not the outside world.

Past that, there is no security to make sure the sender is actually the sender.

Bucks Bass said...

My point was, that if they are hosting a web site on the end of a DSL line, they are probably doing it themselves as no professional IT company would do that. It's reasonable to assume that it's probably an amateur job so the web server got compromised and data got stolen giving the hacker a list of email addresses etc. The email I got came from a server in Poland, not from their server on a DSL line.

Unknown said...

West Midlands have reported 5 arrests in relation to computer crimes commited to the litigtiment company Broad Oak Toiletries ltd.

Conrad Longmore said...

@Bucks: hmm... but I don't see it on an ADSL line at all. broadoaktoiletries.com is hosted by Webfusion, broad-oak.co.uk by Onyx. I've never dealt with them, I don't believe that they have been compromised.. but the mail is engineered to make it look like it is from Broad Oak. Certainly someone somewhere may have been hacked though.

@Freshwinds: I've seen quite a lot of similar emails that seem to pick a company at random. In some cases it looks like the email template has been stolen from a hacked email account (but not necessarily the company being spoofed). Most likely the perps are in Russia or Ukraine.

Bucks Bass said...

@Conrad: Look a bit deeper:-

dig www.broadoaktoiletries.com

;; ANSWER SECTION:
www.broadoaktoiletries.com. 14378 IN A 217.36.247.21

The IP address of the web server is 217.36.247.21 and a whois on that returns information that this is part of a range for BT-ADSL

Their *domain* is registered through Webfusion which is not the same thing as web hosting. It does not follow that a registrar hosts the site.

Conrad Longmore said...

@Bucks: you're right, I wasn't looking closely enough :) It does indeed look like a BT ADSL line, although presumably wrangled to give it a static IP address. 2gh.co.uk is on the same box too.

..but as I said the spam is not an indicator that they have been compromised, although it is possible that the email template has been stolen from a hacked computer somewhere.

Interesting, the malware infection it leads to seems to be a new family.

Bucks Bass said...

I see the site is back up and I can now see it's running IIS6 so it's probably server 2003.

By checking through other means I've determined that they are running Server 2003 Enterprise Edition.

An unusual OS to be running a web server on at the end of a DSL line. If you can afford Enterprise, you should be able to stretch to proper connectivity or hosting.

Just a supposition, but if you are doing it on the cheap and don't have skills in Linux, then a Volume License copy of Windows server is easy to come by......

I noticed some other things about this that I won't publish here as it will impact on their already poor setup and security, I'm just saying and not accusing anyone and this is my personal opinion but the whole setup looks very odd/poor/amateur.

If you look a bit deeper you'll find out the name of the company actually hosting this site and a few others....

Alyn Gwyndaf said...

I received one to the email address I'd registered uniquely with Whitechapel Gallery, and have received other spam to that same address, so guessing the source was a security breach at the Whitechapel.

AFAIK spoofing the Broad Oak address is a different issue from harvesting the addresses in the first place.

HR-PAK-IPS ADVOCATES PAKISTAN said...

also got this seems post cad servr mails ....generated email accounts partakes703@gmail.com capella763@yahoo.com and behind site also phpmailer.sourceforge.net

Unknown said...

Ive been getting these for a few weeks now
Lucky they automatically get placed in my spam box
I hope the sender is caught soon before somebody who thinks there real clicks on the zip file attached

Unknown said...

I got it today but the attachment was removed.

Unknown said...

Think I may have opened it, what should I do ? I have run security essentials and found no evidence of malware

PeterinScotland said...

I got it today with a PDF attachment. I put it through Spamcop which identified the email as originating on a server in Taiwan.

I'm trying to find out whether I have infected my computer. I have Malwarebytes, but Virustotal says Malwarebytes doesn't detect the problem with the PDF.

Jim said...

Hi
I too got this email, and stupidly opened the PDF? Adobe Reader program opened and said the file could not be opened. I have run spybot and mcafee and both have not shown any malware. Does this mean i have not been infected or is there a better program to use to check?
Nothing has gone funny on the PC yet?
please help!!

PeterinScotland said...

@Jim: I too attempted to open the file. Some of the messages appear to be fake as I got one referring to an Adobe program even when I used another program to open the PDF.

After 3½ hours I'm just now finished scanning my C drive with the free download of F-Prot - one of half a dozen antivirus programs that report the PDF file in the email as harmful (as found here: https://www.virustotal.com/uk/file/28324b810f079b1e46cce41a7931864094852f6c413741e913a0dbe3a769646d/analysis/ ).

F-Prot has not found anything apart from the PDF itself which I had saved to my hard drive for testing.

Some have suggested that perhaps older versions of Adobe might have been vulnerable.
http://myonlinesecurity.co.uk/invoice-951266-fake-pdf-malware/

It would be interesting to know (in plain English) what the PDF in the current version of this email actually attempts to do. Set off some kind of JavaScript, I think, but to do what, I don't know.

Lesleym said...

They are now also sending out emails as shrewdness6@greywoodinstallations.co.uk

But with Broad Oak Toiletries address at the bottom of the email. I now have them all blocked as junk.

MyColourGlass.co.uk said...

Open the file by mistake and today got my paypal account hacked.. Bastard ordered a Samsung S5...
Also got some kindle on my doorstop this morning with my name but have not ordered it...

Nick

Gert Cher said...

I have been getting these emails for months almost a year on and off. All to an email address I have not used since last September.

I use Mailwasher 6.51 to view and filter all my emails including the address I no longer use, which BTW is for a website design business I sold, so I know without thinking I never buy toiletries through it.

I do not understand in this day and age why anyone gets caught out by this sort of SPAM, especially this one which is so obvious.

Greg

Unknown said...

Hi,

I recieved today and I try to opened but could not opened. Is possible to infected my computer?

Thank you!

Mircea

Conrad Longmore said...

@Olivia: yes, it is possible that you have infected your computer.

You might want to check with the F-Secure online scanner or MalwareBytes. Understand though that these products may to detect all the malware on your system, and you should run the test again in 24 and 48 hours and then again a few days after.

It might be prudent to switch your computer off and leave it for a bit if you think you are infected, that gives a chance for anti-virus vendors to catch up with today's malware.

Rupert Butler said...

My company has received a further example of this malware dated 4 Aug 2014 13:18. The zip attachment is said to be a June invoice number 2447207.

I can forward it to any one who wishes to analyse it.