Date: Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From: Fiserv Secure Notification [secure.notification@fiserv.com]
Subject: Fiserv Secure Email Notification - IZCO4O4VUHV83W1
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - Iu1JsoKaQ
To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
- The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.840.0668.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
Of course, it would be supremely pointless to password-protect a document and then include the password in the email! The file has been password-protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ, which in turn leads to a file called SecureMessage_06032013.exe (note that the date is included in that filename).
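The "encrypted zip plus the password in the same mail" trick is easy to spot at a mail gateway without ever extracting the archive: entry names and the encryption flag live in the zip's central directory, which is not encrypted. The script below is an added example, not code from the original post; the password regex, the executable-extension list and the sample body text are assumptions, and the sample zip is constructed in memory with a stub payload (Python's zipfile cannot write encrypted archives, so the "encrypted" flag bit is patched by hand for the test).

```python
import io
import os
import re
import zipfile

# Extensions a mail gateway would treat as directly executable (assumed list).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Assumed pattern for a password handed over in the message body, e.g.
# "password - Iu1JsoKaQ", "password: X" or "password is X".
PASSWORD_RE = re.compile(r"password\s*(?:is|:|-)\s+(\S+)", re.IGNORECASE)

# Constructed body text, reusing the wording of the spam quoted in the post.
SAMPLE_BODY = (
    "You have received a secure message\n"
    "Read your secure message by opening the attachment, "
    "SecureMessage_IZCO4O4VUHV83W1.zip.\n"
    "To decrypt the message use the following password - Iu1JsoKaQ\n"
    "The message is password-protected, enter your password to open it.\n"
)


def build_sample_zip(entry_name: str, encrypted: bool) -> bytes:
    """Build a small zip in memory holding one stub entry.

    Constructed test data only: zipfile can read but not write encrypted
    archives, so general-purpose flag bit 0 ("encrypted") is patched by hand
    in both the local file header and the central directory entry.
    The payload is a text stub, not an executable.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, b"STUB" * 16)
    data = bytearray(buf.getvalue())
    if encrypted:
        # (signature, offset of the 2-byte flags field from that signature)
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)


def screen_attachment(body: str, zip_bytes: bytes) -> dict:
    """Flag the encrypted-zip + executable-inside + password-in-mail combination."""
    findings = {
        "encrypted_entries": [],
        "executable_entries": [],
        "password_in_body": None,
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Names and flags come from the central directory, which stays
            # readable even when the entry data itself is encrypted.
            if info.flag_bits & 0x01:
                findings["encrypted_entries"].append(info.filename)
            if os.path.splitext(info.filename.lower())[1] in EXEC_EXTS:
                findings["executable_entries"].append(info.filename)
    match = PASSWORD_RE.search(body)
    if match:
        findings["password_in_body"] = match.group(1)
    findings["suspicious"] = bool(
        findings["encrypted_entries"]
        and findings["executable_entries"]
        and findings["password_in_body"]
    )
    return findings


if __name__ == "__main__":
    bad = screen_attachment(
        SAMPLE_BODY, build_sample_zip("SecureMessage_06032013.exe", True)
    )
    ok = screen_attachment(
        "Quarterly report attached.", build_sample_zip("report.pdf", False)
    )
    print("spam sample:", bad)
    print("benign sample:", ok)
```

Because nothing is extracted, the check is safe to run on every inbound archive; a real deployment would also look at double extensions and at archives nested inside archives, which this example does not cover.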
At the moment the VirusTotal detection rate is a so-so 16/47. The ThreatTrack analysis identifies some locations that the malware phones home to:
netnet-viaggi.it
paulcblake.com
74.54.147.146
116.122.158.195
190.147.81.28
194.184.71.7
207.204.5.170
For the record, those IPs belong to:
74.54.147.146 (ThePlanet, US)
116.122.158.195 (Hanaro Telecom, Korea)
190.147.81.28 (Telmex, Colombia)
194.184.71.7 (Ouverture Service, Italy)
207.204.5.170 (Register.com, US)
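The hostnames and IPs above are enough for a quick retrospective hunt over proxy or DNS logs to find machines that may already have run the attachment. The script below is an added example, not part of the original post or the ThreatTrack report; the log layout and the sample lines are constructed, and the host/IP pairings in them are placeholders from documentation address ranges, not observed resolutions.

```python
import re

# Indicators listed in the post (hostnames and IPs the sample phoned home to),
# with the ownership the post gives for each IP.
IOC_HOSTS = {"netnet-viaggi.it", "paulcblake.com"}
IOC_IPS = {
    "74.54.147.146": "ThePlanet, US",
    "116.122.158.195": "Hanaro Telecom, Korea",
    "190.147.81.28": "Telmex, Colombia",
    "194.184.71.7": "Ouverture Service, Italy",
    "207.204.5.170": "Register.com, US",
}

# Constructed sample log: "timestamp client destination_host destination_ip",
# with "-" when no hostname is known. The non-IoC addresses are documentation
# ranges and the host/IP pairs are invented, not real resolutions.
SAMPLE_LOG = """\
2013-06-03T15:12:01Z 10.0.0.12 www.example.com 198.51.100.9
2013-06-03T15:12:07Z 10.0.0.12 netnet-viaggi.it 203.0.113.5
2013-06-03T15:12:09Z 10.0.0.12 cdn.paulcblake.com 203.0.113.6
2013-06-03T15:13:44Z 10.0.0.31 - 74.54.147.146
2013-06-03T15:14:02Z 10.0.0.31 mail.example.org 198.51.100.7
2013-06-03T15:15:10Z 10.0.0.40 notpaulcblake.com 198.51.100.8
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def host_matches(host: str):
    """Return the IoC hostname that `host` equals or lies under, else None.

    Matching on a dotted suffix catches subdomains (cdn.paulcblake.com) without
    false-matching lookalikes such as notpaulcblake.com.
    """
    h = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def scan_log(text: str) -> list:
    """Return one hit per log line that touches an IoC host or IP."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, host, ip = m.groups()
        reasons = []
        ioc_host = host_matches(host) if host != "-" else None
        if ioc_host:
            reasons.append(f"host:{ioc_host}")
        if ip in IOC_IPS:
            reasons.append(f"ip:{ip} ({IOC_IPS[ip]})")
        if reasons:
            hits.append(
                {"line": lineno, "time": ts, "client": client, "reasons": reasons}
            )
    return hits


def affected_clients(hits: list) -> set:
    """Internal addresses that contacted any indicator; the triage list."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("clients to triage:", sorted(affected_clients(found)))
```

Exact-indicator matching like this only finds what the sandbox happened to see; the same sample on another day may use different hosts, so the list is a starting point for triage rather than a complete detection.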
1 comment:
Nice findings! I found the same spam today. And can't help but tear them apart in here
#MalwareMustDie!