Wednesday, 10 September 2014

Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com] invoice spam has a malicious attachment

Geir Myklebust is a real employee of DHL in Norway, but neither he nor DHL is responsible for this spam run in any way (their systems have NOT been breached either). The email contains a malicious attachment and should simply be deleted.

From:     Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com]
Date:     10 September 2014 10:35
Subject:     FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid


Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.

Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:        + 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             + 47 90 78 52 44




Dear Sir.

The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.

Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust

Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events

Messeveien 14
2004 Lillestrøm


Postboks 154 Leirdal
NO-1009 OSLO
NORWAY

Direct line:        + 47 90 95 58 26
Fax:                  + 47 64 00 71 87
Mobile:             + 47 90 78 52 44

Attached is a ZIP file of various different names (e.g. invoice_0257241.zip), containing a malicious executable file invoice_3466198.exe which has a VirusTotal detection rate of 3/54.

The Comodo CAMAS report shows an attempted connection to voladora.com/Imagenes/qaws.cab which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending; I will update the post if I find more information.

UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53. The ThreatTrack report [pdf] and Anubis report show the malware performing lookups for a variety of domain names [pastebin] which are not currently resolving, but might be worth blocking.

20 comments:

Jan said...

Started hitting our edge about two hours ago and continues.

Every single one is from the same sender (geir myklebust)

Joe Job?

Conrad Longmore said...

@Jan, it is very similar in structure to this spam run yesterday. *That* looked like it was copied from a genuine email, and there are components in this that look like they have been copied-and-pasted too. So, I don't think it is a deliberate Joe Job as such, rather they have copied a genuine email to make it look more authentic.

madaboutpixels said...

how dare anyone say that their systems have not been breached. Of course they have been breached for Christ sake!!!!

madaboutpixels said...

bloody ridiculous

Conrad Longmore said...

@madaboutpixels - DHL's systems have not been breached. It is just a very good forgery, spammed out to random addresses (mostly who will not be DHL customers).

madaboutpixels said...

@Conrad Longmore DHL's systems have been breached. The email address is not a clone, the email account has been accessed. The address is not masked/cloned

Conrad Longmore said...

@madaboutpixels, if you check the mail headers then you can see that they do not originate from DHL, but instead from some random compromised PC.

Faking the "From" address in an email is trivially easy, the real origin is in those mail headers.

I suspect that the mail was originally copied from a hacked mailbox and was then turned into a template for the spam, most likely a DHL customer's (because there are so many of them).

The addresses the spam was sent "To" are random. I received several on all sorts of odd email addresses, certainly ones that DHL would not have in their customer records.

Conrad Longmore said...

@madaboutpixels, I made a post about how easy it is to forge emails a while ago here.

eNobody said...

Had 2 separate emails from this "Geir Myklebust" today.
Both had zipped attachments and were obviously infected.
"invoice_0000935.zip (215 KB)" and "invoice_4561880.zip (42 KB)".

Altermax777 said...

I believed it almost because I actually got a DHL invoice last month

Jan said...

@Conrad Longmore makes sense. Still I expect that Geir is feeling a bit abused by now :-(

Conrad Longmore said...

@Jan, I think his mailbox has probably melted down by now!

Nolsey Davis said...

Yep I got this email just after 1AM here in Australia

HyoNi Kim said...

(Sorry to Bad English)

I got two similar mails
(maybe) this 4690086 - invoice 0257241,
and
(surely, because I copy them to use search) 05201 - invoice 4348828

at (maybe) 8 hours
and
(surely) 4 hours ago..

and I receive other spam mail at several week too, that's "Morupule Coal Mine".
I don't know why those spams are sent to me.

Ashley Meah said...

I got this email, the attachment was "noname" with no extension and zero bytes. Must have been caught by something along the way, I use Google Apps, MX records setup on my own cPanel server @ byte32.com

Conrad Longmore said...

@Ashley: Google seems to be blocking the payload by creating a "noname" attachment. If you click "Show Original" from the drop-down options, you might well see the Base 64 encoded attachment in the section beginning..

Content-Transfer-Encoding: base64

..if you extract that text and run it through a Base 64 decoder you will get the malicious ZIP file. That's the kind of thing you will ONLY ever need to do if you want to collect a sample for analysis though.
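
The two checks described in the comments above (reading the Received headers for the real origin, and decoding the base64 attachment to obtain the ZIP), as an added Python example that is not part of the original post or its comments. The message, hostnames, IP addresses and file names are all constructed, and `our_mx` is assumed to be the name your own border mail server stamps into its Received line.

```python
import email, hashlib, io, re, zipfile
from email import policy
from email.message import EmailMessage
EXEC_EXT = (".exe", ".scr", ".pif", ".com")

def build_sample() -> bytes:
    """Constructed message: forged From, ZIP attachment holding a harmless fake .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice_0000000.exe", b"not a real binary")
    msg = EmailMessage()
    msg["From"] = "Some Sender <sender@forged.example>"
    msg.set_content("The attached invoice has still not been settled.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_0000000.zip")
    # Each relay prepends its own Received line, so the newest hop comes first.
    hops = (b"Received: from mx.rcpt.example (mx.rcpt.example [192.0.2.10])"
            b" by mail.rcpt.example; Wed, 10 Sep 2014 10:35:20 +0000\n"
            b"Received: from dsl-host.isp.example (dsl-host.isp.example [198.51.100.23])"
            b" by mx.rcpt.example; Wed, 10 Sep 2014 10:35:12 +0000\n")
    return hops + msg.as_bytes()

def origin_seen_by(msg, our_mx):
    """(host, ip) of the client that connected to our own MX, the only hop we can trust."""
    for hop in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+([^\s;]+)", str(hop), re.S)
        if m and m.group(3) == our_mx:
            return m.group(1), m.group(2)
    return None

def inspect_attachments(msg):
    """Decode attachments in memory; list ZIP members without extracting or running them."""
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # reverses Content-Transfer-Encoding: base64
        blob = io.BytesIO(data)
        names = zipfile.ZipFile(blob).namelist() if zipfile.is_zipfile(blob) else []
        report.append({"file": part.get_filename(),
                       "sha256": hashlib.sha256(data).hexdigest(),
                       "executables": [n for n in names if n.lower().endswith(EXEC_EXT)]})
    return report

def triage(raw: bytes, our_mx: str) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"from_domain": msg["From"].addresses[0].domain,
            "origin": origin_seen_by(msg, our_mx),
            "attachments": inspect_attachments(msg)}

if __name__ == "__main__":
    print(triage(build_sample(), "mx.rcpt.example"))
```

Received lines below the one written by your own server are supplied by the sender and can be forged, which is why the lookup keys on `our_mx` rather than taking the oldest hop.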

Travis McLaughlin said...

What?!?! Fake?!?! I just paid the invoice by credit card....$382.49 down the drain. Will my package still get delivered or was that all fake too??

Marius Ilie said...

Guys, please see the below from DHL:

http://www.dhl.co.uk/en/legal/fraud_awareness.html#report_fraud

Action Fraud provide a central point of contact for information about fraud and financially motivated internet crime. You can report your fraud experience online or by calling 0300 123 2040. Lines are open Monday to Friday 08:00 – 21:00, Saturday and Sunday 09:00 – 17:00.

Laura Atchinson said...

I received this email too. I opened it but did not open the attachment. Am I safe? Unsure of all this stuff lol