
Wednesday, 25 September 2013

Intuit spam / Invoice_3056472.zip

It's an email from a company I have no dealings with, with a ZIP file that contains an EXE file! What could possibly go wrong? Oh..

Date: Wed, 25 Sep 2013 09:37:48 -0600 [11:37:48 EDT]
From: Lewis Muller [Lewis.Muller@intuit.com]
Subject: FW: Invoice 3056472

Your invoice is attached.

Sincerely,
Lewis Muller

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected
from disclosure. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in error, please notify
your representative immediately and delete this message from your computer.

The attachment is Invoice_3056472.zip which in turn contains a malicious file Invoice_092513.exe which has a pretty low VirusTotal detection rate of just 4/48.
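Low AV detection is exactly why mail-gateway triage should not lean on signatures for this kind of attachment. The following is an added example (not code from the original post): it builds a constructed .eml that mimics the message above, with a ZIP attachment wrapping a stub "Invoice_092513.exe" (an MZ header plus padding, not the real sample), then walks every ZIP attachment and flags members by extension, double extension, encryption and PE magic bytes, so a renamed executable is still caught. The message headers and file names are taken from the post; everything else is assumed.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive inside an emailed "invoice" ZIP.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"


def build_sample_eml() -> bytes:
    """Constructed sample message (not the real spam run).

    The attachment and member names mirror the post; the member body is a
    stub with an MZ header so header sniffing has something to find.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_092513.exe", PE_MAGIC + b"\x90" * 62)
    msg = EmailMessage()
    msg["From"] = "Lewis Muller <Lewis.Muller@intuit.com>"
    msg["Subject"] = "FW: Invoice 3056472"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_3056472.zip")
    return msg.as_bytes()


def triage_zip_attachments(raw: bytes) -> list[dict]:
    """Return one finding per suspicious member of each ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        data = part.get_payload(decode=True)
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "member": None,
                             "reasons": ["not a valid ZIP"]})
            continue
        with zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                reasons = []
                lower = info.filename.lower()
                ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
                if ext in EXEC_EXTENSIONS:
                    reasons.append(f"executable extension {ext}")
                # Invoice.pdf.exe style names: more than one dot in the name.
                if lower.count(".") > 1:
                    reasons.append("double extension")
                if info.flag_bits & 0x1:
                    # Password-protected member: can't sniff, but that alone
                    # is a reason to hold an unsolicited "invoice".
                    reasons.append("encrypted member (cannot inspect)")
                else:
                    # Don't trust the name: a PE renamed to .pdf still starts with MZ.
                    with zf.open(info) as fh:
                        if fh.read(2) == PE_MAGIC:
                            reasons.append("PE (MZ) header")
                if reasons:
                    findings.append({"attachment": name,
                                     "member": info.filename,
                                     "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_zip_attachments(build_sample_eml()):
        print(finding)
```

Nested ZIPs and password-protected archives are the usual evasions; the encrypted-member branch above deliberately treats "can't inspect" as a finding rather than a pass.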

Automated analysis [1] [2] [3] [4] shows the usual sort of badness, including a call home to gidleybuilders.com on 78.157.201.219  (UK Dedicated Servers Ltd, UK) which we also saw being used in an attack last week. Two compromised domains in a week seems a bit more than a coincidence. For information only, the following legitimate domains are also on that same server:

allcool.co.uk
ashmanufacturing.co.uk
ashmanufacturing.com
ashmanufacturing.net
ashmanufacturing.org
awcoomer.com
beingwell.me
bhmlondon.com
bigtinbox.com
buckmastergames.co.uk
buffey.co.uk
colemansfarm.co.uk
connect4commercial.com
connect4recruitment.com
flestates.co.uk
geocom.co.uk
gidleybuilders.com
graysaccountant.com
intoirelandtravel.com
matthewtomich.com
onlinestoregroup.com
paddlers.co.uk
pedalads.co.uk
pedalads.net
photoaweek.com
pickout.co.uk
richardgidley.com
smudgeinc.co.uk
sofmagazine.com
swim24.com
wakeham.co.uk
wakehamgroup.com
wakehamphotographic.com
westside-village.com
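The list above is the practical caveat: 78.157.201.219 is shared hosting, so a firewall rule on the IP alone would cut off some thirty legitimate sites while the attacker simply moves to the next compromised domain. The following is an added example (not code from the original post) of matching proxy logs against these indicators: traffic to gidleybuilders.com or any subdomain of it is blocked outright, while traffic to the shared IP under a different hostname (or with no hostname at all) is only queued for review. The log lines are constructed for the example; the indicator values come from the post.

```python
# Indicators from the post.
MALICIOUS_DOMAINS = {"gidleybuilders.com"}
# Shared server: the IP also hosts ~30 legitimate sites, so it is not a
# safe block on its own.
SHARED_HOST_IPS = {"78.157.201.219"}

# Constructed proxy log (not real data): ts client dest_host dest_ip
SAMPLE_LOG = """\
1380123456.001 10.0.0.5 gidleybuilders.com 78.157.201.219
1380123457.002 10.0.0.5 www.gidleybuilders.com 78.157.201.219
1380123458.003 10.0.0.9 colemansfarm.co.uk 78.157.201.219
1380123459.004 10.0.0.9 example.com 93.184.216.34
1380123460.005 10.0.0.7 - 78.157.201.219
1380123461.006 10.0.0.8 notgidleybuilders.com 198.51.100.7
"""


def domain_matches(host: str, ioc: str) -> bool:
    """Exact match or a subdomain of the indicator; never a substring match."""
    return host == ioc or host.endswith("." + ioc)


def classify(host: str, ip: str) -> str:
    """'block' on the malicious hostname, 'review' on the shared IP, else 'allow'."""
    if any(domain_matches(host, d) for d in MALICIOUS_DOMAINS):
        return "block"
    if ip in SHARED_HOST_IPS:
        # Could be a legitimate tenant or a connection by bare IP (no Host);
        # a human looks at it rather than a rule dropping it.
        return "review"
    return "allow"


def scan_log(text: str) -> list[tuple[str, str, str, str]]:
    """Return (client, host, ip, verdict) for every line that is not 'allow'."""
    verdicts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, host, ip = line.split()
        verdict = classify(host.lower(), ip)
        if verdict != "allow":
            verdicts.append((client, host, ip, verdict))
    return verdicts


if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        print(*row)
```

The `notgidleybuilders.com` line is there to show why the match is anchored on a dot boundary: a naive `ioc in host` check would block it.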
