Sponsored by..

Tuesday 24 September 2013

"International Wire Transfer" spam / INTL_Wire_Report-09242013.zip

This fake wire transfer spam has a malicious attachment:

Date:      Tue, 24 Sep 2013 10:54:32 -0700 [13:54:32 EDT]
From:      Wells Fargo Event Messaging Admin [ofsrep.ceoemigw@wellsfargo.com]
Subject:      International Wire Transfer File Not Processed

We are unable to process your International Wire Transfer request due to insufficient funds in the identified account.

Review the information below and contact your Relationship Manager if you have questions, or make immediate arrangements to fund the account. If funds are not received by 09/24/2013 03:00 pm PT, the file may not be processed.

Please view the attached file for more details on this transaction.

Any email address changes specific to the Wire Transfer Service should be directed to Treasury Management Client Services at 1-800-AT-WELLS (1-800-289-3557).

Event Message ID: S203-8767457

Date/Time Stamp: Tue, 24 Sep 2013 10:54:32 -0700  

----------------------------------------------------------------------------------------------------------------------------------------------------
Please do not reply to this email; this mailbox is only for delivery of Event Messaging notices. To ensure you receive these notices, add ofsrep.ceoemigw@wellsfargo.com to your address book.

For issues related to the receipt of this message, call toll free 1-800-AT-WELLS (1-800-289-3557) Monday through Friday between 4:00 am and 7:00 pm and Saturday between 6:00 am and 4:00 pm Pacific Time.

Customers outside the U.S. and Canada may contact their local representative's office, or place a collect call to Treasury Management Client Services at 1-704-547-0145.

Please have the Event Message ID available when you call.

Attached is a ZIP file called INTL_Wire_Report-09242013.zip which in turn contains a malicious executable INTL_Wire_Report-09242013.exe (note the date in encoded into the filename). The VirusTotal results show a so-so detection rate of 9/48.



Automated analysis [1] [2] [3] shows the usual sort of stuff plus network traffic to ta3online.org  on 108.168.164.202 (Softlayer, US) which is some sort of compromised legitimate site.



Blocking EXE-in-ZIP files at you network perimeter is absolutely the best way of avoid malware attacks like this.

No comments: