Sponsored by..

Thursday 9 May 2013

Citibank spam / Statement ID 64775-4985.doc

This fake Citibank spam contains a malicious Word document that leads to malware.

Date:      Thu, 9 May 2013 01:22:21 +0200 [05/08/13 19:22:21 EDT]
From:      CITIBANK [noreply@citybank.com]
Subject:      Merchant Statement

Enclosed DOC is your Citibank Paymentech electronic Merchant Billing Statement. If you need help, please contact your Account Executive or call Merchant Services at the telephone number listed on your statement. PLEASE DO NOT RESPOND BY USING REPLY. This email is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech. Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly. ---------- Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank. ---------- THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 
The attached document Statement ID 64775-4985.doc contains an exploit (analysis pending) with a VirusTotal detection rate of just 10/46. It appears to exploit a flaw in the RTF converter. I'm not all together sure which flaw it is, but making sure that your copy of Microsoft Office is up-to-date and fully patched will help to mitigate against this sort of threat.

Update: another version is using the filename Statement ID 4657-345-347-0332.doc. It looks like it is exploiting CVE-2012-0158 aka MS12-027.

1 comment:

Ian Darke said...

Symantec is passing the file as clean (including passing analysis at ThreatExpert.com).

RTFscan found a 1544 byte OLE document inside the RTF. OfficeMalScanner v.58 did not detect anything.