Date: Fri, 21 Jun 2013 10:48:12 -0700 [13:48:12 EDT]
From: LexisNexis [einvoice.notification@lexisnexis.com]
Subject: Invoice Notification for June 2013
There was an invoice issued to your company: [redacted]
Please double click the PDF attachment to open or print your invoice. To view full invoice details or for any Online Account Management options, download PDF attachment.
Account Number 455SAZ
Invoice Number 904510653899
Invoice Date June 21, 2013
Invoice Amount $3.508.00
Account Balance $0.00
You can PAY YOUR BALANCE through the PowerInvoice please print the attached invoice and mail to the address indicated on the invoice statement. If you do not have Adobe Acrobat, please find a link to a free downloadable file at the end of this e-mail.
You can also print this e-mail and send your payment to:
LexisNexis
PO BOX 7247-7090
Philadelphia, PA 19170-7090
If you have questions about your invoice, please contact LexisNexis at 1-800-262-2391, option 3.
If you would like to contact your Account Manager, please contact LexisNexis at 1-800-262-2391, option 2.
Please add this domain @email.lexisnexismail.com to your safe senders list.
Adobe Acrobat free downloadable file available at :
http://www.adobe.com/products/acrobat/readstep2.html
In this case the attachment is just 8 bytes and is harmless. Next time, it probably won't be.
Of note, the only link in the email goes to [donotclick]https://server.nepplelaw.com/owa/redir.aspx?C=430ed6e3b59a4a69b2d5653797c3e3d6&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html, which is the sort of thing that happens to a URL when it goes through Outlook Web Access. In this case it would be on the server server.nepplelaw.com, but I have no explanation as to why it is there. However, it is harmless.
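To see where a link rewritten by Outlook Web Access really points without clicking it, the wrapper can be peeled off offline. This is an added example, not part of the original post; the function names are hypothetical and it assumes the wrapper is recognised by a path ending in /owa/redir.aspx with the destination in a URL parameter, as in the link above.

```python
from urllib.parse import urlsplit, parse_qs

DEFANG_PREFIX = "[donotclick]"   # defanging marker used on this page
OWA_REDIR_PATH = "/owa/redir.aspx"  # wrapper path seen in the link above

def unwrap_owa_redirect(url, max_depth=5):
    """Peel OWA redir.aspx wrappers; return (wrapper_hosts, destination)."""
    url = url.strip()
    if url.startswith(DEFANG_PREFIX):
        url = url[len(DEFANG_PREFIX):]
    wrappers = []
    for _ in range(max_depth):          # bounded, in case wrappers are nested
        parts = urlsplit(url)
        if not parts.path.lower().endswith(OWA_REDIR_PATH):
            break
        # parse_qs percent-decodes values; match the parameter name in any case
        params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        target = params.get("url", [""])[0]
        if not target:
            break                       # wrapper with no destination: leave as is
        wrappers.append(parts.hostname)
        url = target
    return wrappers, url

def audit_link(url):
    """Summarise a link for triage: who wrapped it and where it really goes."""
    wrappers, destination = unwrap_owa_redirect(url)
    return {
        "wrapped": bool(wrappers),
        "wrapper_hosts": wrappers,
        "destination": destination,
        "destination_host": urlsplit(destination).hostname,
    }

# The link quoted in the post above
SAMPLE = ("[donotclick]https://server.nepplelaw.com/owa/redir.aspx"
          "?C=430ed6e3b59a4a69b2d5653797c3e3d6"
          "&URL=http%3a%2f%2fwww.adobe.com%2fproducts%2facrobat%2freadstep2.html")

if __name__ == "__main__":
    for key, value in audit_link(SAMPLE).items():
        print(f"{key}: {value}")
```

The wrapper host in the result identifies the webmail server the message passed through before it was sent on, which is worth recording alongside the real destination.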
5 comments:
Hi, conrad--the Malcovery Security T3 report today examines this malware. 20% of the samples we got were 102kb. Here are the VT stats:
LexisNexis_Invoice_06212013.zip (103,445 bytes)
MD5: 12ec37f0bf80881eb168b42b1388e2cb
VirusTotal: 12 / 47 (McAfee - BackDoor-FJW)
https://www.virustotal.com/en/file/8733cea3145c5cfac6ab9d42b867b0a598a42e87add553d01f77efa39d1588bc/analysis/
I haven't received a T3 report since 17 June?
- ferg
On Friday, June 21, 2013, a large number of LexisNexis® customers and other organizations received fraudulent e-mails claiming to be from LexisNexis and containing what appear to be invoices. These e-mails and the invoices are not legitimate and originate from outside our systems. LexisNexis systems remain secure and unaffected. For more information on the incident go to http://www.lexisnexis.com/media/press-release.aspx?id=1371846110655006
You may want to update your post. It is not harmless. A zbot trojan is loaded onto your computer. It is easily cleaned with Malware Bytes Anti-Malware.
http://techhelplist.com/index.php/spam-list/253-invoice-notification-for-june-2013-fake-lexisnexis-with-virus
@Richard - I think you're seeing ones with the payload intact; these ones are truncated. There's another run coming in today with a BBB theme. I'll review the post a little to make it clear that this type of spam USUALLY leads to malware.