Fake fax spam spoofs multiple senders, has malicious payload

This fake fax spam comes from random senders - company names and attachment names vary from spam to spam.

From: "Heaney, Vandervort and Hilll"
Subject: Fax #AhnxlQ8 from Donny Kub
Date: Wed, 26 Aug 2015 14:02:30 +0000

You have a fax.
Data sent: Wed, 26 Aug 2015 14:03:30 +0000
TO: info@victimdomain.com

*********************************
We are a new fax delivery service - Heaney, Vandervort and Hilll.
Our company develops rapidly and services remain fastest and open to everyone.
As our slogan goes: "Fast. Cheap. Best quality."
*********************************

Attached is a ZIP file combining various elements from the spam (for example, in this case it was fax_AhnxlQ8_Heaney, Vandervort and Hilll_Donny Kub.zip). This contains a malicious executable (e.g. Invoice Lake Janeview.exe) which currently has a 2/56 detection rate at VirusTotal.

The Hybrid Analysis report shows it phoning home to:

197.149.90.166/260822U/Yd1D3h1R87/0/61-SP1/0/FDMBEFJBMKBEMM
197.149.90.166/260822U/Yd1D3h1R87/41/5/42/FDMBEFJBMKBEMM

This pattern marks the malware out as being Upatre/Dyre.  197.149.90.166 is an IP address belonging to Cobranet in Nigeria which was also used in a similar attack yesterday.

Fake job offer: Edwards Electrical and Mechanical / Edward Electricals Y Mecánicos (edwards-elec.com)

Edwards Electrical and Mechanical is a wholly legitimate contraction based in Indianapolis in the US. This spam message is not from them, but someone abusing their name.

From:     Charles Benneth [tonyudeani@n-tocomisltd.com]
Reply-To:     charles_trading@outlook.com
To:   
Date:     30 June 2014 01:49
Subject:     Part-Time Job Offer


Estimado Señor / Señora

Tenemos una vacante para el puesto de oficial de cuentas por cobrar. ¿Te
gustaría trabajar desde su casa y obtener semanal remunerado? Estamos
ofreciendo esta posición a todos los solicitantes interesados. Por favor,
lea atentamente. Esta oportunidad de empleo está dirigido a proporcionar
parte / los solicitantes de empleo a tiempo completo, y también a las
personas que quieran trabajar desde casa, y se les paga semanalmente por
la recepción de pagos de nuestros clientes de deducir la comisión y
remitir el equilibrio. Envíe sus informaciones para obtener más detalles.

Nombre Completo
Contacto Inicio Dirección Plus Código Postal (No P O Box)
número de teléfono
edad
Fax Si Cualquiera
Un reconocimiento rápido de la recepción de este correo electrónico será
apreciada.

Gracias por su comprensión total.

Charles Benneth
Presidente / CEO
Edward Electricals Y Mecánicos.
http://www.edwards-elec.com/index.php

This translates roughly as:

Dear Sir / Madam

We have a vacancy for the position of Accounts receivable officer. Do you
would like to work from home and get paid weekly? We are
offering this position to all interested applicants. Please
read carefully. This employment opportunity is targeted at providing
part / applicants for full-time employment, and also to
people who want to work from home and get paid weekly by
receiving payments from our clients, and deducting fees
remit the balance. Send information for details.

Full Name
Contact Home Address Plus Zip (No PO Box)
phone number
age
Fax If Any
A quick recognition of the receipt of this email will
appreciated.

Thank you for your full understanding.

Charles Benneth
President / CEO
Edward Electricals and Mechanical.
http://www.edwards-elec.com/index.php 

The job is actually money laundering, which is a criminal activity. The email solicits replies to the free email address of charles_trading@outlook.com and originates from from 41.58.2.22 (Swift Networks, Lagos, Nigeria) via 188.40.62.68 (node3.trudigits.com / Hetzner, Germany).

Unless you want to spend some time in jail, I would recommend giving this particular Nigerian scam a wide berth.

"CCAHC: Climate Change And Health Conference 2014" scam

This spam is a form of advanced fee fraud scam:

From:     CCAHC ccahc@live.com
Reply-To:     ccahc@e-mile.co.uk
Date:     10 April 2014 16:04
Subject:     Call for Poster

CCAHC: Climate Change And Health Conference 2014

---

Dear Colleague,
On behalf of the CCAHC Scientific Committee, you are cordially invited to attend the 14th Climate Change & Health Conference to be held in Ibis Garden Hotel, from 16th - 18th May, 2014. 
The CCAHC 2014 event promises unrivalled learning and networking opportunities for the general public. Invited speakers are experts from multiple sectors and disciplines. Case studies of successful collaborations of environment, nutrition and public health across a wide range of issues.
The main theme for this year's poster session is:  "Impacts of Climate Change in Health and Nutrition"
While this is the main theme for the poster session it is not exclusive and you are welcome to submit a poster outside of this theme.
CCAHC 2014 showcases yet another exceptional programme with the latest scientific and best practice consensus on sustainable environment, biometeorological adaptation, global warming, climate change, waste management, greenhouse gas, pollution control, heart health, obesity, weight management, diabetes, child health, gut health, food sensitivity, healthy living and many other hot topics.
Why Attend:

• Receive current updates on a range of topics, from leaders and expert practitioners.
• Understand the latest scientific research in detail and discover its implications for your work.
• Explore and debate controversial topics, discuss what is best for your clients and patients.
• Sponsorship of air ticket, travel insurance, visa fees and per diem.
• Enhance your skill set and progress your career.
• Network with hundreds of other professionals involved in diet, nutrition, environment, health and lifestyle.
• Participate in the Exhibitor Trail and win prizes!
• Present your research, project, product or campaign, attract attention and promote your achievements
• Registration is free of charge for participants from developing countries.

Paper Submissions:
Fax or e-mail up to 300 words describing your proposed paper on or before 18th April 2014. The paper will then be sent to the Advisory Board for evaluation and authors will be given feedback on or before 25th April 2014. The highest rated papers will be invited to present at the conference.
Sincerely yours,
Professor Jon Lloyd
Conference Chair
Maple House, 37-45 City Road, London EC1Y 1AT, United Kingdom.
Tel: +44 (0)70 8764 2424 | +44 (0)70 2404 4920
Fax: +44 (0)843 562 2173

The email originates from 196.46.246.174 (Airtel, Nigeria) via 221.120.96.3 in Bangladesh. Note that the sender is using free email addresses rather than one that ties back to an identifiable organisation. The email was sent to a spamtrap.

According to this article at 419scam.org the sting is that there will be visa and hotel fees to pay before going to the conference, and once this money has been sent by Western Union then the scammers will vanish, taking their mythical conference with them.

Avoid.

Odd "Wire transfer to your account" spam

Almost all spam tends to be some sort of scam or some sort of malware. I can't quite figure this one out though.

From:     Andrew Chukwu [andrewchukw@gmail.com]
Date:     27 December 2013 13:24
Subject:     Wire transfer to your account

Please review and follow the instruction to get your payment slip,
please get back to us as soon as you get it

Best of Luck

I know better than to open unsolicited .DOC files, so I put it through VirusTotal.. and it came out clean. Joe Sandbox, Malwr, and Malware Tracker all report it as clean too. In fact, the only thing it seems to contain is the following string:

file:///C:/DOCUME~1/AGV/LOCALS~1/Temp/New%20Invoice.htm

The metadata says:

Os: Windows
Version 5.1
Code page: 1252
Author: AGV
Template: Normal
Last Saved By: AGV
Revision Number: 1
Name of Creating Application: Microsoft Office Word
Total Editing Time: 01:00
Create Time/Date: Thu Dec 26 10:15:00 2013
Last Saved Time/Date: Thu Dec 26 10:16:00 2013
Number of Pages: 1
Number of Words: 8
Number of Characters: 48
Security: 0

The email originates from a Gmail IP address, and given the Nigerian sounding name it could simply be a scam email gone wrong, but I would strongly advise you not to open it in any case, just it case it is something far more malicious.

Mystery Shopper Scam from "Shoppers Guide Ltd"

Mystery shopper scams aren't exactly rare, but they're not as obvious a scam as some others. The basic idea is that once you get roped in, then eventually the sting will come with you laundering stolen money or an advanced fee fraud. There are some details about typical mystery shopper scams here.

The spam originates from 82.128.2.21 in Nigeria.

From: ADAM SCOTT mystery.shopperonline33415@yahoo.com
Reply-To: mystery.shopperonline33415@yahoo.com
Date: 17 July 2010 15:39
Subject: JOB OFFER

Hello,

         We are a company that conduct surveys and evaluate other companies. We get hired to go to other peoples companies and act like customers in order to know how the staffs are handling their services in relation to their  customers. once we have a contract to do so, you would be directed to the company or outlet, and you would be given the funds you need to do the job(either purchase things or require services), after which you would write a  comment on the staffs activities and give a detailed record of your experience

Examples of details you would forward to us are :

1) How long it took you to get services.
2) Smartness of the attendant
3) Customer service professionalism
4) Sometimes you might be required to upset the attendant, to see how they react to clients when they get tensed.

 And we turn the information over to the company executives and they would  carry out their own duties in improving there services.

   Most companies employ our assistance when people give complains about their services, or when they feel there are needs for them to improve their customer service. your Identity would be kept confidential as the job states (secret shopper) you would be paid $300 for every duty you carry out, and bonus on your transportation allowance, and funds would be given to you if you have to dine as part of the duty.

  Your job will be to evaluate and comment on customer service in a wide variety of shops, stores, restaurant and services in your area. No commitment is made on this job, and you would have flexible hours as it suits you. We will be sending you check for any of your assignments which you will cash at your financial institution and you use the money to carryout the assignment. You do not have to use any money from your pockets. So we will provide you the money for all your assignments.If you are interested

The following information below will be needed :
Full Name:
Address (no Po Box):
City:
State:
Zip code:
Phone Number(s):
Email Address:
Age:
Occupation:

 So we can look at your distance from the locations which you have to put your service into, and your address would also be need for your payments.

Thanks.

Adam Smith
shoppers Guide Ltd
mystery.shopperonline33415@yahoo.com

I received this mail "from" a contact's web mail account.. well, I say "from", it was actually a dial-up account in Nigeria (41.155.100.234 in this case).

Subject:  HELP!!!

Hello,

      I'm sending this short email with panic in my heart, the situation of things here right now seems so tensed and frighting because I'm  stranded here, apparently l was stuck here in LONDON ENGLAND with family because we were held by muggers on KENTISH TOWN ROAD  yesterday after shopping at the city mall, our wallets were taken from us which has our credit cards and bank cards in it, but we already canceled  them now, our passports were taken as well but the embassy are working on it trying to fix a way to get us an ID that will be valid for us to get  on flight back home but seems like it will take couple of days or three but right now i need a quick loan from you which is very urgent,  so we can use for our upkeep for the next 3days, l promise to pay you back, as soon as i'm back home, l give you my word on that, please email  me as soon as you get this to confirm and let me know if you can be of help.

God bless you. 

What has happened here is that the victim recently received a message from their webmail provider that said that their account might be shut down because of a lack of capacity.. and please could you confirm that it was still in use by sending back the login details. THAT gave the scammers the username and password, and then they raided the contacts to send this plea.

So.. if you receive a mail message like this, then it's a scam.. but don't ignore it, the best thing to do is tell your contact that their mail account has been compromised and that they need to change their password (if they can) and also review any banking or financially sensitive emails that they store, because it is possible that the scammers could have compromised those as well.

"OFFICIAL WARNING FROM FBI" scam

An old scam, pretty much the flipside of the usual Advanced Fee Fraud. This one preys upon innocent victims by accusing them of money laundering, but the details don't pan out. Quite apart from the ridiculous proposition and free email addresses used, phrases like "shady", "waded in", "graft" and exclamation marks are something you would never expect to see in an official communication from law enforcement. Besides, I really don't think that the FBI email you if they suspect you are up to terrorist activities..

From: Anti Graft.
Reply-to: antiterrorist.crimesdiv.2010@megafastmail.com
date    16 June 2010 09:37
subject    OFFICIAL WARNING FROM FBI.

ANTI-TERRORIST AND MONETARY CRIMES DIVISION
FBI HEADQUARTERS IN WASHINGTON, D.C.
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
Website: www.fbi.gov
Phone: 202-595-1344

DATE:15/06/2010

It has been discovered that your contract/inheritance/winning FUND was about being transferred to an unknown account under your name. This attempt was perpetrated by someone who claims to be working for you, and that you have given him due authority to have the FUND moved to the account specified below:

SOUTHWESTERN FEDERAL CREDIT UNION
WESCORP 924 OVERLAND COURT
SAN DIMAS, CA 91772. USA.
ACCOUNT NUMBER: 322079133
ABA/ROUTING NUMBER: 1220-41-21-9
SHARETYPE NO.: 25
FINAL CREDIT  HABIB FENZI AND CO. (Beneficiary).

The Federal Bureau of Investigation (F.B.I.) waded in after being alerted by the supposed bank. We investigated and found that there is a possible money laundering activity in play.The FUND US$10,500,000.00(Ten Million Five Hundred Thousand United States Dollars) was found to be deposited in Bank of America in your name pending your consent to have it transferred to the new account indicated above. It was further revealed that initial FUND transfer originated from Nigeria to England and now here in Bank of America in USA.

These transfers did not follow due process in line with the international FUND transfer rules and regulation.Consequently,we suspect this be a terrorism funding, drug related fund deposit and/or money laundering. As stated above, the FUND has your name on it; and you must have it cleared of any connection with any of these illegal activities.Be informed that FAILURE to have this cleared out will attract a JAIL TERM.We will not hesitate to visit the full weight of the law upon you if you do not clear this fund.There is every indication that you are involved in this shady deal.

Finally, you are expected to have the CLEARANCE DOCUMENT obtain from where the FUND originated from to have you and your fund cleared. Only then shall we release your FUND as clean money devoid of any illegality, and you will be free of any involvement. To this end, you are to contact Mr. Peter Anderson of the Anti Graft Department of Economic and Financial Crimes Commission (E.F.C.C.) Nigeria and have the DIPLOMATIC IMMUNITY SEAL of TRANSFER (DIST) CLEARANCE DOCUMENT obtained. Contact him through this direct email address:efccantigraft.nigeria@megafastmail.com,Direct Line:+234 8028493286 Note that you have 72hrs to obtain this crucial Documentation.

This has to be cleared!

You are warned!

Faithfully Yours
Robert S. Mueller III
FBI Director
Federal Bureau Of Investigation.
FBI-Washington Field Office
601 4th Street, NW
Washington, DC 20535
www.fbi.gov