
Friday 24 May 2013

Chase "Incoming Wire Transfer" spam / incoming_wire_05242013.zip

This fake Chase "Incoming Wire Transfer" email has a malicious attachment.

Date: Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From: Chase [Chase@emailinfo.chase.com]
Subject: Incoming Wire Transfer


Note: This is a service message with information related to your Chase account(s). It may include specific details about transactions, products or online services. If you recently cancelled your account, please disregard this message.
CHASE
We're writing to let you know the "Incoming Wire Transfer Report" is available.
If you are not aware of this transaction or have concerns about the request, please contact your company administrator.

The detailed Information about this transaction is available in the attached file.

Account: BUSINESS CHECKING/SAVINGS ACCOUNT
Date of deposit: 05/24/2013
Transaction number: 1
Type: International Wire Transfer
Amount: $161,381.56

If you aren't enrolled in "Incoming Transfer Report's" and think you've received this message in error, please call our Customer Support team immediately, using the phone number on the "Contact Us" page on Chase Online.

Note: This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
       

   
E-mail Security Information

If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here.

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing www.chase.com directly into your browser.

   

If you want to contact Chase, please do not reply to this message, but instead go to www.chase.com. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, PO Box 659752, San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
2013 JPMorgan Chase & Co.
LCAA0213S

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal. The ThreatTrack report [pdf] and ThreatExpert report show various characteristics of this malware, in particular a callback to the following IPs and domains:

116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1.com

Checksums are as follows:
MD5: f9182e5f13271cefc2695baa11926fab
SHA1: b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256: 0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d
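The attachment pattern described above (a ZIP whose only payload is an executable) can be caught at the mail gateway by inspecting archive members. This is an added example, not code from the original post: the function names, the extension list and the sample archives are assumptions built for illustration, and it goes slightly beyond the post by also flagging executables renamed to look like documents.

```python
import io
import posixpath
import zipfile

# Extensions Windows will run directly (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def executable_members(zip_bytes):
    """Return names of ZIP members that are executable by extension or MZ header."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = posixpath.splitext(info.filename.lower())[1]
            magic = b""
            # Bit 0 of flag_bits marks an encrypted member; its content
            # cannot be read without a password, so only the name is checked.
            if not info.flag_bits & 0x1:
                with archive.open(info) as member:
                    magic = member.read(2)  # PE files start with "MZ"
            if ext in EXECUTABLE_EXTS or magic == b"MZ":
                flagged.append(info.filename)
    return flagged


def build_sample(members):
    """Build a constructed ZIP in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: harmless placeholder bytes, not the real attachment.
SUSPICIOUS = build_sample({"incoming_wire_05242013.exe": b"MZ" + b"\x00" * 62})
RENAMED = build_sample({"report.pdf": b"MZ" + b"\x00" * 62})
BENIGN = build_sample({"report.txt": b"Incoming wire report\n"})

if __name__ == "__main__":
    samples = [("suspicious", SUSPICIOUS), ("renamed", RENAMED), ("benign", BENIGN)]
    for label, sample in samples:
        print(label, executable_members(sample))
```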
