Date: Tue, 23 Jul 2013 10:21:08 -0500 [11:21:08 EDT]There is an attachment A136_Incoming_Money_Transfer_Form.zip containing an executable file A136_Incoming_Money_Transfer_Form.exe. The VirusTotal detection rate is a miserable 6/47.
From: WebCashmgmt [Alberto_Dotson@webcashmgmt.com]
Subject: Important Notice - Incoming Money Transfer
An Incoming Money Transfer has been received by your financial institution for spamcop.net. In order for the funds to be remitted on the correct account please complete the "A136 Incoming Money Transfer Form".
Fax a copy of the completed "A136 Incoming Money Transfer Form" to +1 800 722 5331.
To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Alfredo_Ochoa
Senior Officer
Cash Management Verification
Phone : 733-495-7476
Email: Alfredo_Ochoa@webcashmgmt.com
CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (Fiserv, Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender, by email or telephone (800 722 6328), of any unintended recipients and delete the original message without making any copies.
This is a two stage pony/gate infection according to the Malwr report. Functionally it looks very similar to the payload used in this spam run.
I just received this kind of mail from Kirby_Pace@webcashmgmt.com
ReplyDeletewith out attachment.
100% fake and 100% SCAM.
Event there website does not open.
We just received one from
ReplyDeleteHollis_Oneal@webcashmgmt.com
webcashmgmt.com is a legitimate domain belonging to to ACI Worldwide. I'm not 100% certain that the domain works on www. as it has many subdomains that seem to serve different banks.
ReplyDeleteI lol'ed at the signature line. Who signs documents with a "_"?...
ReplyDeleteNed_Jefferson
Senior Officer
Cash Management Verification
Phone : 657-993-7497
Email: Ned_Jefferson@webcashmgmt.com
Just got one from:
ReplyDeleteMaxwell_Joyce
Senior Officer
Cash Management Verification
Phone : 446-766-8956
Email: Maxwell_Joyce@webcashmgmt.com
but our mail server quarantined the attachment and marked the mail as suspected junk.
Area code 446 doesn't exist.
Our HR Director received one w/o attachment from:
ReplyDeleteAldo_Blake
Senior Officer
Cash Management Verification
Phone : 788-857-6744
Email: Aldo_Blake@webcashmgmt.com
She called the number listed in the confidentiality notice (800 722 1123) and the operator tried to obtain her personal information to send her a $50 Walmart gift card and several other "free gifts" for a $9.97 processing fee.
Just got email from Augustus_Shannon@webcashmgmt.com with subject IMPORTANT Docs - WellsFargo. Seems fake, deleting it.
ReplyDeleteI just got one from
ReplyDeleteBradly_Bray
Wells Fargo Advisors
817-145-1538 office
817-149-6404 cell
Bradly_Bray@wellsfargo.com
In reality (Bradley_Bay@webcashmgmt.com)
Labeled IMPORTANT Docs - WellsFargo
Definitely spambot
Just got this one today:
ReplyDelete__________________________
Please review attached documents.
Rusty_Allison
Wells Fargo Advisors
817-908-6007 office
817-750-4755 cell
Rusty_Allison@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.
_____________________
There was also an attachment:
WF_Docs_[my name].zip (99 Kb)
Of course I didn't open the ZIP file, so I'll never know what it contained.
I just received one from ANNA _BUTTS@webcashmgt.com. with a ZIP file.
ReplyDelete