Sponsored by..

Wednesday 30 September 2015

Malware spam: "FW : Incoming SWIFT" / "Clyde Medina" [Clyde.Medina@swift.com]

This fake banking email comes with a malicious attachment:

From     "Clyde Medina" [Clyde.Medina@swift.com]
Date     Wed, 30 Sep 2015 12:35:56 GMT
Subject     FW : Incoming SWIFT

We have received this documents from your bank regarding an incoming SWIFT transfer.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom
the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of
this message is strictly prohibited. If you received this message in error, please
notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

Attached is a file SWIFT_transfer.zip which contains a malicious executable SWIFT_transfer.scr which currently has a detection rate of 2/56.

Automated analysis is pending, although the payload is almost definitely Upatre/Dyre. Please check back later.

UPDATE:
The Hybrid Analysis report shows Upatre/Dyre activity, including the malware phoning home to a familiar IP address of 197.149.90.166 in Nigeria which I recommend you block or monitor.

Tuesday 29 September 2015

Malware spam "Info from SantanderBillpayment.co.uk" / "Santanderbillpayment-noreply@SantanderBillPayment.co.uk"

This fake financial spam comes with a malicious attachment:

From     "Santanderbillpayment-noreply@SantanderBillPayment.co.uk" [Santanderbillpayment-noreply@SantanderBillPayment.co.uk]
Date     Tue, 29 Sep 2015 12:33:56 GMT
Subject     Info from SantanderBillpayment.co.uk

Thank you for using BillPay. Please keep this email for your records.

The following transaction was received on 29 September 2015 at 09:11:36.

Payment type:          VAT
Customer reference no: 0343884
Card type:            Visa Debit
Amount:                GBP 4,683.00

For more details please check attached payment slip.

Your transaction reference number for this payment is IR0343884.

Please quote this reference number in any future communication regarding this payment.

Yours sincerely,

Banking Operations

This message is intended for the named person above and may be confidential, privileged
or otherwise protected from disclosure. If it has reached you by mistake please contact
the sender on 0300 200 3601 and delete the message immediately.


**PLEASE DO NOT REPLY TO THIS E-MAIL, AS WE WILL NOT BE ABLE TO RESPOND**
Emails aren't always secure, and they may be intercepted or changed after they've
been sent. Santander doesn't accept liability if this happens. If you think someone
may have interfered with this email, please get in touch with the sender another
way.
This message doesn't create or change any contract. Santander doesn't accept responsibility
for damage caused by any viruses contained in this email or its attachments. Emails
may be monitored. If you've received this email by mistake, please let the sender
know at once that it's gone to the wrong person and then destroy it without copying,
using, or telling anyone about its contents.

Santander Corporate Banking is the brand name of Santander UK plc, Abbey National
Treasury Services plc (which also uses the brand name of Santander Global Banking
and Markets) and Santander Asset Finance plc, all (with the exception of Santander
Asset Finance plc) authorised and regulated by the Financial Services Authority,
except in respect of consumer credit products which are regulated by the Office of
Fair Trading. FSA registration numbers: 106054, 146003 and 423530 respectively.
Registered offices: 2 Triton Square, Regent's Place, London NW1 3AN and Carlton Park,
Narborough LE19 0AL. Company numbers: 2294747, 2338548 and 1533123 respectively.

Registered in England. Santander and the flame logo are registered trademarks.
The attachment is named SantanderBillPayment_Slip0343884.zip although I have not been able to get a working copy. The payload is most likely the Upatre/Dyre banking trojan. My sources tell me that the current wave of this is phoning home to 197.149.90.166 in Nigeria which is worth blocking or monitoring.

Thursday 24 September 2015

Evil network: 64.20.51.16/29 (Interserver Inc and Muhammad Naeem Nasir)

This DHL-themed phish got me looking at an IP address range of 64.20.51.16/29 which is a range belonging to Interserver Inc in the US, but which has been reallocated to a customer. But who? Because the WHOIS details for that block are not valid..
%rwhois V-1.5:003fff:00 city.trouble-free.net (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-INTSRV.64.20.32.0/19
network:Auth-Area:64.20.32.0/19
network:Network-Name:INTSRV-64.20.51.16
network:IP-Network:64.20.51.16/29
network:Org-Name:N/A N/A
network:Street-Address:N/A
network:City:N/A
network:State:na
network:Postal-Code:N/A
network:Country-Code:US
network:Created:20150624
network:Updated:20150922
network:Updated-By:abuse@interserver.net
Well, that's quite a sloppy move by Interserver to allow that, but it doesn't mean that the block is evil. However, an analysis of the sites currently and formerly hosted in that range indicate a very high proportion of phishing sites.. in fact, the range is a hotbed of sophisticated fraud sites, many of which seem to be undiscovered.

I combined current reverse IP data from DomainTools and current and historical data from DNSDB and then ran them through an IP lookup and a check against the Google Safe Browsing and SURBL reputations. The results [csv] show a very large number of sites flagged by SURBL in particular, amounting to 47 out of 167 sites (i.e. 28%) that I can identify as being currently hosted in that range.

In addition, a large number of phishing and other malicious sites have been hosted on 64.20.51.16/29 in the past and are now hosted elsewhere.

nswo.co.uk / "La Casa Limpia - a Balaeric Island Villa"


At first glance, some of the remaining sites look legitimate. Consider nswo.co.uk entitled "La Casa Limpia - a Balaeric Island Villa".

It looks utterly legitmate, although it is an odd domain name for a villa in Spain. Let's check those WHOIS details..

    Domain name:
        nswo.co.uk

    Registrant:
        P J Green

    Registrant type:
        UK Sole Trader

    Registrant's address:
        100 Malderen Road
        Islington
        London
        Greater London
        LN23 6AU
        United Kingdom

    Data validation:
        Nominet was able to match the registrant's name and address against a 3rd party data source on 10-Dec-2012
Despite Nominet claiming to verify the address, there is no such road as "Malderen Road" anywhere in the United Kingdom, and the post code of "LN23 6AU" is also completely invalid and exists nowhere in the UK. A bit of investigation shows that the site is almost a complete rip-off of  a legitimate site at palmyramenorca.com.. but with different contact details.

dominioncollege.ca / "Dominion College"


Consider also dominioncollege.ca - a professional looking website billing itself as Dominion College of Canada.


Apparently, Dominion College is the "Highest Ranking Creative Arts University". But there is no such university in Canada, and the domain for this "150 year old" institution was only registered in August 2015.

Domain name:           dominioncollege.ca
Domain status:         registered
Creation date:         2015/08/14
Expiry date:           2016/08/14
Updated date:          2015/08/19
DNSSEC:                Unsigned

Registrar:
    Name:              PublicDomainRegistry.com Inc
    Number:            3059041
The "About Us" page gives another clue.


That is actually Old Dominion University in Virginia, United States. A completely different and wholly legitimate institution.

hkbbr.org / "Hong Kong Business Bureau Registry"

Consider hkbbr.org billing itself as the Hong Kong Business Bureau Registry..

Yet a Google search for that term only returns hardly anything except content from the site itself, indicating that there is no such organisation.


The domain was registered in 2013 to an anonymous registrant. What is the point of this site? Well, it looks like it is a register of legitimate Hong Kong businesses. You can search for business in their online services page..


Well, it looks like a search.. but in fact it just loads results from a page www.hkbbr.org/entity/ which has an open directory.. so you can see that there actually only 43 companies in the database. One or more of which will be fake.

Presumably this forms part of a scam where the victim has to deal with a fake company, and the scammers use this web site to try to convince the victim that they are dealing with a legitimate company.

tricountysalesmexia.com / "Tri County Sales Mexia"


Consider tricountysalesmexia.com, entitled "Tri County Sales Mexia's Premier Pre-Owned Late Model Luxury and Exotic Vehicle Dealer - Mexia | Texas"


We added up the value of the cars listed on this "Tri County Sales" site. There were 218 cars valued at around $13.2 million, or around $60,000 per car.

Their website shows plush offices..


Now, Tri County Sales is a real company and I suspect a reliable vendor of used vehicles. But in reality the company's premises look like this:


Does it look like somewhere that stocks $13 million dollars worth of high-end exotic vehicles? Of course not. Let's take a look at one of the more notable cars on the website.


This is a pretty rare car. But look closely at the partial logo in the top left hand corner of the large photo..


It's the logo of Southlake Motorcars, where the image was stolen from..


Several of the other vehicles also turn up on other sites. You can be assured that although Tri County Sales is a real company, this website does not belong to them and is a scam.

goldwestgroup.com / "Gold West Group"

Consider goldwestgroup.com calling itself "Gold West Group"..


It's a bit vague about where it has mines, but the facility pictured at the top is the Obuasi Gold Mine in Ghana belonging exclusively to AngloGold Ashanti and no-one else.

The site itself mentions a Chile address, and the WHOIS details are consistent.

Registrant Name: Manu DeSouza
Registrant Organization: Gold West Group
Registrant Street: Europa Oficinas
Registrant Street: Guardia Vieja 255
Registrant City: Providencia
Registrant State/Province: Santiago
Registrant Postal Code: 2103
Registrant Country: Chile
Registrant Phone: +56.22997704
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: webmaster@goldwestgroup.com
But AngloGold Ashanti have no operations in Chile. This site is a scam.

edichem.com / "Edible Chemical Inc"

Consider edichem.com describing itself as "Edible Chemical Inc"..



This site is riddle with spelling errors and has some comically bad photo manipulation.

The offices in the picture actually belong to a company called APAG.

Let's have a look at that so-called CEO..


"Birningham University"? Quite a typo. And that photo is of a completely different person called Peter Westenthaler.

This fake company has even gone to the effort of setting up a Facebook page at www.facebook.com/edichem.biz:


cllinternational.com / "Courier Logistics Limited"

Consider cllinternational.com calling itself "Courier Logistics Limited":


In what way is this logo meant to reflect "Courier Logistics Limited"?

It doesn't.. it belongs to the IEEE Robotics and Automation Society.

The purpose of this site appears to be to generate fake courier tracking numbers, so a victim who has ordered a product will assume that it is actually on it's way. The tracking lookup seems to respond to a six-digit tracking code. The fake tracking site is on another IP, 185.24.233.16 in Ireland.


steadyprivateloan.com / "Steady Private Loan"

Most of the fake companies I have found so far have zero internet footprint. This fake finance company has at least attractive a couple of complaints:

Edmond L.
Beware !!! Do not deal with TERRANCE CLARK / CLARK BRIAN of Goldmine Private Loan now with a new name "Steady Private Loan". These are scam artist.
8 months ago

Sharon Todd
I agree. We fell for their Goldmine Loan and now Steady Private Loan owe us $21,195 ...They look fantastic but do not fall for them. We are reporting them to the FBI
7 months ago

Unlike some of the other sites, this is a bit more amateurish and generic.



It claims to be based in Delaware.



The bottom line here is that there is no such corporation as "Steady Private Loan" in Delaware. This site is a scam.

madrewson.net / "Madrewson Consult"

Consider madrewson.net calling itself "Madrewson Consult". This bills itself as some sort of HR consultancy, but you can guarantee that everythig it touches is fake.


There are a bunch of testimonials on the "About Us" page.

These are all attractive, well-photographed people aren't they? And they pop up in so many places. The photo of "Helen Pyzowski" turns up in a bunch of places. "Adam Smith" is a stock image. "Kristin Malie" turns up in a bunch of places. "John L. Skelley" turns up in a bunch of places. The testimonials are fake, as is this so-called company.

mobgifts.net / "Coca Cola Promo"


"Coca Cola" themed prize scams are well known (and documented on the Coca Cola corporate site) but I've never seen anyone go to the effort of creating a fake website to go with it.


There are several photos of people being handed cheques. But what is that cheque exactly?


This is someone winning a prize alright.. but for developing a mobile app, not a lottery. All the other pictures of people getting cheques are similarly bogus. There is no such thing a the Coca Cola Promo free lottery.

braincure-biotech.com / "Braincure Biotech"

Consider this so-called Taiwanese biochemistry firm, "Braincure Biotech" (braincure-biotech.com)


The site looks professional but very generic. But is it genuine? Unfortunately, the Taiwanese companies registry is in Chinese only and is quite difficult to use. So let's just Google it.


There are virtually zero references to this "company" apart from its own website. And by the time you look, probably this blog. A quick check of the body text of the site reveals that it is copied from other genuine biotech sites. This company does not exist, but presumably is there as part of an investment or employment scam.

What else is there?

Trawling through the IP address range shows many fake blogs (set up to promote goodness only knows what), some Bitcoin and make-money-fast sites and a whole load of sites that appear to be suspended. I cannot confirm a single legitimate site in this range.

Who is behind this?

Although the IP address range is owned by Interserver Inc it is allocated to a customer. However, Interserver seems to have displayed poor governance here because it not only has allocated the range to an anonymous registrant, but it has not acted on the extremely high concentration of fraudulent sites.

Looking at the range, I can see several nameservers..

ns3.boldhosts.com
64.20.51.18

ns4.boldhosts.com
64.20.51.19

ns2.paidhoster.com
64.20.51.20

ns1.ok2host.com
64.20.51.21

ns2.ok2host.com
64.20.51.22

ok2host.com has anonymous WHOIS details, but the other two are related:

BOLDHOSTS.COM
Registry Registrant ID:
Registrant Name: Abdul Razzaq
Registrant Organization: Boldhosts
Registrant Street: Street 18 Clifton Block 8  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75500
Registrant Country: PK
Registrant Phone: +92.2135491130
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com


PAIDHOSTER.COM
Registrant Name: Sajid Mahmood
Registrant Organization: GroomHost
Registrant Street: Progressive Center Shahrah e Faisal  
Registrant City: Karachi
Registrant State/Province: Sind(en)
Registrant Postal Code: 75400
Registrant Country: PK
Registrant Phone: +92.215681734
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@boldhosts.com

Although paidhoster.com does not resolve, both boldhosts.com and ok2host.com do and are hosted on adjacent IPs of 76.73.85.141 and 76.73.85.142 respectively, indicating that they might be the same company. Groomhost.com is also mentioned in the WHOIS details above, and that is hosted on 76.73.85.140.

It turns out that there is another IP block of 76.73.85.136/29 hosting a variety of possibly white-label web hosts:

network:Auth-Area:76.73.0.0/17
network:Class-Name:network
network:OrgName:Naeem Nasir
network:OrgID;I:FDC-11211
network:Address:Street number 18 clifton block 8
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:75500
network:Country:PK
network:NetRange:76.73.85.136 - 76.73.85.143
network:CIDR:76.73.85.136/29
network:NetName:FDC-11211-76.73.85.136

The WHOIS details for the IP range don't give a lot of data, but we can also find the same registrant details for the domain sandhost.com:

Registry Registrant ID:
Registrant Name: Muhammad Naeem Nasir
Registrant Organization:
Registrant Street: Street  18  clifton block 8
Registrant City: Karachi
Registrant State/Province: Sindh
Registrant Postal Code: 75500
Registrant Country: Pakistan
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: naeem.nasir@yahoo.com
The AA419 database shows several hits for this email address going back to 2011, so it seems that whoever this Pakistani web host is, they have been tolerating this activity on their network for several years, even if they are just providing hosting services rather than perpetrating fraud.

Conclusion

I really just skimmed the surface with my analysis here, but it is clear that the 64.20.51.16/29 block is being used almost exclusively for fraud. Moreover, the fraud is extremely sophisticated involving things like fake business registries and couriers. It is also clear that the Pakistani web hosts apparently providing these services have been doing so for some time.

Recommended blocklist:
64.20.51.16/29
76.73.85.136/29
185.24.233.16

Wednesday 23 September 2015

Phish: "SHIPMENT LABEL" / "DHL Courier Services [roger@community.mile.org]"

This DHL-themed spam is actually a phishing email:

From:    DHL Courier Services [roger@community.mile.org]
To:   
Date:    23 September 2015 at 11:15
Subject:    SHIPMENT LABEL
Signed by:    community.mile.org

Dear customer,

Your shipment arrived at the post office.Our courier was unable to deliver the shipment to your address.To receive the shipment,please visit the nearestDHL office and take your mailing label with you.

The mailing label is attached in this email.Please print and show at the nearest DHL office to receive the shipment.

Thank you for using DHL services.


Princess Court 11
Wapping Ln,London,
E1W2DA,United Kingdom
Toll Free:+442075532200
Office Hours:9:00am-7:00pm
Attached is a PDF file shipmentt_label.pdf which is not malicious in itself, but contains a hypertext link (as you can see in this Hybrid Analysis report).


If the potential victim clicks "Click here" then they are directed to ow.ly/Sq9to and from there to a phishing page at br1-update.be/wg/lhd.php on 64.20.51.22 (Inetserver Inc, US) which belongs to a netblock 64.20.51.16/29 which also looks highly suspect.


The phishing page itself is a complex script which is Base 64 encoded, then hex encoded (Pastebin here) which is presumably phishing for email accounts. The spam itself appears to have been sent from a compromised webmail account at community.mile.org

For the moment, I would suggest that the entire 64.20.51.16/29 range is malicious and should be blocked.

Malware spam: "Bankline ROI - Password Re-activation Form" / "secure.message@rbs.co.uk"

This fake banking spam does not come from RBS, but is instead a simple forgery with a malicious attachment:

From     "RBS" [secure.message@rbs.co.uk]
Date     Wed, 23 Sep 2015 11:28:48 GMT
Subject     Bankline ROI - Password Re-activation Form

Please find the Re-activation form attached, send one per user ensuring only one
box is selected in section 3.  A signatory on the bank mandate must sign the form.

Fax to 1850 826978 or alternatively you may wish to email the completed document,
by attaching it to an email and sendinsg it to banklineadministration@rbs.co.uk

On receipt of the completed form we will respond to the request within 2 working
hours and communicate this to the user by email.

<>

Please note - The life-span of an activation code is 21 days; after this time, the
activation code will expire and a new one must be ordered. 

Please be aware when choosing a new pin and password for the service, it is important
not to use pin/passwords that you have used before but to use completely different
details.

If you are the sole Standard Administrator may I take this opportunity to suggest
when you are reinstated on the system, to set up another User in a Standard Administrator
role. This will prevent you being locked out completely and allow you to order a
new activation code from within the system and reset your security sooner.

If you require any further assistance then please do not hesitate to contact us on
1850 310269 and one of our associates will be happy to assist you.

Regards
Bankline Product Support

This e-mail message is confidential and for use by the intended recipient only. If
the message is received by anyone other than the intended recipient, please return
the message to the sender by replying to it and then delete the message from your
computer. Internet e-mails are not necessarily secure. Ulster Bank Limited and Ulster
Bank Ireland Limited (\"Bankline Bank Group\")/ Royal Bank of Scotland Group plc
does not accept responsibility for changes made to this message after it was sent.
Ulster Bank Group / Royal Bank of Scotland Group plc may monitor e-mails for business
and operational purposes. By replying to this message you give your consent to our
monitoring of your email communications with us. Whilst all reasonable care has been
taken to avoid the transmission of viruses, it is the responsibility of the recipient
to ensure that the onward transmission, opening or use of this message and any attachments
will not adversely affect its systems or data. No responsibility is accepted by any
member of Ulster Bank Group / Royal Bank of Scotland Group plc in this regard and
the recipient should carry out such virus and other checks as it considers appropriate.

In the sample I saw, the attached file was Bankline_Password_reset_3537684.zip containing a malicious exeucutable Bankline_Password_reset_8569474.scr which has a VirusTotal detection rate of 2/56. The Hybrid Analysis report shows behaviour consistent with Upatre / Dyre and shows that the malware communicates with a known bad IP of 197.149.90.166 (Cobranet, Nigeria) which I definitely recommend blocking or monitoring.

Tuesday 22 September 2015

(More) Domains and businesses associated with Michael Price of BizSummits

Following on from this post, here are some business and domains closely associated with Michael Price of BizSummits, presented without comment for research purposes only.


COO Summit
cooleaders.org

Hiring Spring
hiringspring.com

Exit Partners LLC
exitpartners.net

Exact Leads
exactleads.com

VisitorLeads
visitorleads.com

ListK
listk.com

LoudJob
loudjob.com

Franchisee Funnel
franchiseefunnel.com

Supply Chain Summit
supplychainsummit.org

Hospital Growth Summit
hospitalgrowthsummit.org

CFO Summit
cfosummit.org

Safety Management Summit
safetysummit.org

Project Management Summit
projectmanagementsummit.org

CMO Summit
cmosummit.org

PR Summit
prsummit.org

Corp Summits
corpsummits.com

Quality Management Summit
qualitysummit.org

Corporate Counsel Summit
corporatecounselsummit.org

Executive Summits
execsummits.com

BizSummits
bizsummits.org

Marketing LeadFunnel
marketingleadfunnel.net

Meeting Setters
meetingsetters.com

CEO Ventures
ceoventures.com

HR LeadFunnel
hr-leadfunnel.com

Survey Executives
surveyexecutives.com

iListK
ilistk.com

IT LeadFunnel
itleadfunnel.com

Finance LeadFunnel
financeleadfunnel.com

GoPresent
gopresent.com

AffluentNames.com
affluentnames.com

Documents.me / Nouvou, Inc.
documents.me

AngelPool
angelpool.org

Critical Fit
criticalfit.com

HR Summit
hrsummit.org

Corp Venturing
corpventuring.com

PlugMeIn
plugmein.com

Retargetable
retargetable.com

LeadFunnel
leadfunnel.com

Pathfinder Careers
pathfindercareer.com

The Sales Management Association
salesmgtassoc.org

Executive Angels
executiveangels.net

CareerLeaper
careerleaper.com

Packed Events
packedevents.com

TeamEx
teamex.com

iCirc
icirc.net

HR Management Association
hrmanagementassociation.org

Product Conception Group
productconception.com

Monday 21 September 2015

Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"

This fake Sage email contains a malicious attachment.

From:    noreply@sage.com [noreply@sage.com]
Date:    21 September 2015 at 11:30
Subject:    Your Sage subscription invoice is ready

Dear Ralph Spivey

Account number: 45877254

Your Sage subscription invoice is now online and ready to view.

Sage One subscriptions

    Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/

Got a question about your invoice?

Call us on 1890 88 5045

If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email actually goes to a download location at Cubby rather than sageone.co.uk, this downloads a file invoice.zip which in turn contains a malicious executable invoice.scr which has a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan, and one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria.

Tainted Network: "kfc.i.illuminationes.com/snitch" and VPS Hosting of Latvia (91.226.32.0/23)

I've been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today, with attacks like this one [URLquery] which sends traffic to:

[donotclick]kfc.i.illuminationes.com/snitch

This is hosted on 91.226.33.54. The exploit is not clear at this point, but some sources say that this is some sort of TDS kit. The URLquery transaction flowchart shows the attack in action.


The injected script sends the keywords and referring site upstream, for example:

[donotcliick]kfc.i.illuminationes.com/snitch?default_keyword=Team%20Tyra%20%7C%20The%20most%20popular%20equestrian%20website%20in%20Sweden%2FEurope&referrer=&se_referrer=&source=www.teamtyra.se
Although the attacks in the past few days only seem to have utilised 91.226.33.54, an analysis of the netblock [pastebin] shows several bad or spammy sites in 91.226.32.0/23, so my recommendation is that you banish this range from your network.

UPDATE:
ZScaler are also tracking their infection, an analysis of what it does can be found here.

Friday 18 September 2015

Malware spam: "Transaction confirmation" / "donotreply@lloydsbank.co.uk"

This fake banking spam comes with a malicious attachment:

From     donotreply@lloydsbank.co.uk
Date     Fri, 18 Sep 2015 11:52:36 +0100
Subject     Transaction confirmation

Dear Customer,

Please see attached the confirmation of transaction conducted from Your
account. Kindly sign and forward the copy to us for approval.

Best regards,
Your personal Manager

Thora Blanda

tel: 0345 300 0000

LLOYDS BANK. 
Attached is a file Notice.zip which contains a malicious executable Value mortgage policy .exe (note the rogue space) which has a VirusTotal detection rate of 3/55. The Hybrid Analysis report shows activity consistent with Upatre/Dridex including a key indicator of traffic to 197.149.90.166 in Nigeria.

E.ON "You've got mail" spam

I haven't used E.ON for a couple of years, and I no longer have an account with them. So I was surprised to get this E.ON-themed spam. Is it malware? No, it really is E.ON spamming me..

------------
From:    E.ON Energy [eon@eonenergy.com]
Reply-To:    "E.ON Energy" [eon@eonenergy.com]
Date:    17 September 2015 at 19:02
Subject:    You've got mail

You've got mail.
If you are having trouble viewing this email, you can view it here.

E.ON

You've got mail

Dear Conrad Longmore

Thanks for letting us know you'd like us to send you information by email.

What does this mean for me?
You'll receive contact from us by email instead of through the post. We're introducing our emails gradually, so you'll still get a few things through the post until we're all up and running.
What kind of things will you send me?
We'll only send you important information that you need to know about your account, including:



  • Changes to Direct Debit payments, if you've chosen to pay this way.



  • Asking for meter readings



  • Reminding you about any appointments you have  with us.



  • Reminding you about paying for the energy you've used, if you haven't already told us when
  • you're going to pay.



  • Anything else we think you'll need to know about your service from us.
  • Don't worry, we won't send you information to sell you anything, unless you've already told us we can.
    What if I change my mind?
    Visit our website and let us know.
    If you change your mind, we'll still send you reminders by email if you've not paid us what you owe.
    As you're an online customer, we'll also still send you an email when your bill is ready to view and other emails related to your online account you automatically get when you've signed up online.
    If you've got questions about your account or anything else, click here. You won't get through to us by replying to this email.
    Yours sincerely

    E.ON Customer Services


    Helping our customers. We're on it. E.ON

    twitter
    Facebook
    Follow us on Facebook and Twitter and keep up to date.


    Disclaimer Notice
    This email has been sent by E.ON Energy Solutions Limited. While we have checked this email and any attachments for viruses, we cannot guarantee that they are virus-free. You must therefore take full responsibility for virus checking.

    This message and attachments are confidential and should only be read by those to whom they are addressed.
    If you are not the intended recipient, please contact us, delete the message from your computer and destroy any copies. Any distribution or copying without prior permission is prohibited.

    Internet communications are not always secure and therefore E.ON does not accept legal responsibility for this message. The recipient is responsible for verifying its authenticity before acting on the contents. Any views or opinions presented are solely those of the author and do not necessarily represent those of E.ON.

    Registered Address
    E.ON Energy Solutions Limited. Registered office: Westwood Way, Westwood Business Park, Coventry, CV4 8LG. Registered in England and Wales No. 3407430.

    CONSENT CSS

    Ooookay. So it's a phish or malware, right? Well, in this case floating over the links clearly shows an eonenergy.com domain, rather than something malicious. And at least E.ON have shown good practice by using their own domain rather than some random tracking domain that others do.

    It's been a long time since I logged onto E.ON because these days I generate all my electricity from a secondhand Russian nuclear reactor plucked from a rusty submarine that I have buried under the lawn.

    Logging on to my account gives this message..

    And from that point onwards there is nothing at all that I can do. I can't turn off the E.ON spam because I don't have an account with them!

    It's probably 15 years or so since I registered on E.ON.. when I registered it was part of TXU, then PowerGen which then became E.ON. So if you have registered an account with any of those companies in the past decade and a half, then you might get this spam from E.ON, even if you closed your account a long time ago..

    UPDATE:
    E.ON have posted some information about the cock-up and an apology here.

    Thursday 17 September 2015

    Malware spam: hrwfmailerprod@lancashire.gov.uk / REFURBISHMENT

    This fake financial spam (presumably) comes in several different variants (I saw two):

    From     "Workflow Mailer" [hrwfmailerprod@lancashire.gov.uk]
    To     hp_printer@victimdomain.com
    Date     Thu, 17 Sep 2015 12:16:26 GMT
    Subject     FYI: Sent: Online Discussion Message for RFQ 6767609,1 (LCDC - NF014378 R.R. Donnelley & Sons Company - REFURBISHMENT)


    From             Mabel Winter
    To             hp_printer@victimdomain.com
    Sent             Thu, 17 Sep 2015 12:12:26 GMT
    ID             7216378
    Number             6767609,1
    Title             Q3EX - 1C995408 R.R. Donnelley & Sons Company - REFURBISHMENT

    Negotiation Preview Immediately upon publishing
    Negotiation Open Immediately upon publishing
    Negotiation Close September 21, 2015 10:00 am GMT
    Company R.R. Donnelley & Sons Company
    Subject ITT Clarifications
    To view the message, please open attachment. 
    The other version I had mentioned "QMDM - 5J673827 CDW Computer Centers Inc. - REFURBISHMENT" instead. The attachment appears to have a randomly-generated name e.g. REFURBISHMENT 7216378.zip and REFURBISHMENT 4435708.zip which contain a malicious executable REFURBISHMENT 7015295.scr which has a VirusTotal detection rate of 3/55.

    The payload appears to be Upatre/Dyre as seen earlier today.

    Malware spam: "Shell E-Bill for Week 38 2015"

    This fake financial spam comes with a malicious attachment:

    From     [invoices@ebillinvoice.com]
    To     administrator@victimdomain.com
    Date     Thu, 17 Sep 2015 11:10:15 GMT
    Subject     Shell E-Bill for Week 38 2015

    Customer No         : 28834
    Email address       : administrator@victimdomain.com
    Attached file name  : 28834_wk38_2015.PDF

    Dear Customer,

    Please find attached your invoice for Week 38 2015.

    In order to open the attached PDF file you will need
    the software Adobe Acrobat Reader.

    For instructions of how to download and install this
    software onto your computer please visit
    http://www.adobe.com/products/acrobat/readstep2.html

    If you have any queries regarding your e-bill you can contact us at invoices@ebillinvoice.com.

    Yours sincerely

    Customer Services

    ======================================================
    This email, its content and any files transmitted with
    it are confidential and intended solely for the use of
    the individual(s) to whom it is addressed.
    If you are not the intended recipient, be advised that
    you have received this email in error and that any use,
    dissemination, forwarding, printing or copying of
    this email is strictly prohibited.
    ======================================================

    Attached is a file 28834_wk38_2015.zip containing a malicious executable 67482_wk38_2015.scr which has a detection rate of 2/56. Automated analysis is pending, but the payload is almost definitely Upatre/Dyre which has been consistently sending traffic to 197.149.90.166 (Cobranet, Nigeria) for some time now, so I suggest that you block or monitor that IP.

    MD5:
    0d9c66ffedce257ea346d2c7567310ac