
Wednesday, 11 December 2013

"Wells Fargo" spam / WF_Docs_121113.exe

This fake Wells Fargo spam has a malicious attachment:

Date:      Wed, 11 Dec 2013 17:03:26 +0100 [11:03:26 EST]
From:      Kerry Pettit [Kerry.Pettit@wellsfargo.com]
Subject:      FW: Important docs

We have received this documents from your bank, please review attached documents.

Kerry Pettit
Wells Fargo Accounting
817-295-1849 office
817-884-0882 cell Kerry.Pettit@wellsfargo.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member
FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached
documentation. Thank you.

Attached to the email is a ZIP file starting with WF_Docs_ and ending with the first part of the recipient's email address. Inside that is an executable with the date encoded into the filename, WF_Docs_121113.exe. VirusTotal detections are 6/49 for the ZIP and 6/47 for the EXE.

Automated analysis [1] [2] [3] shows an attempted connection to hortonnovak.com on 194.28.87.121 (Hostpro, Ukraine). There is only one site that I can see on this IP, so I would recommend blocking one or the other or both of them.
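
A mail-gateway style check for the attachment pattern described above, as an added example that is not part of the original post: it flags any ZIP attachment that contains an executable and notes whether the ZIP follows the WF_Docs_ naming and is named after the recipient. The suffix list, the function names and the example.com/example.org sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXE_SUFFIXES = (".exe", ".scr", ".pif", ".com")  # assumed list, extend as needed
# Naming from the post: WF_Docs_<first part of recipient address>.zip
LURE_ZIP = re.compile(r"^WF_Docs_(?P<tag>[^/\\]+)\.zip$", re.IGNORECASE)


def inspect_message(raw: bytes) -> list[dict]:
    """Return one finding per ZIP attachment that contains an executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    local_parts = {a.username.lower() for h in ("to", "cc") if msg[h] for a in msg[h].addresses}
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # corrupt or not really a ZIP: nothing to list
        exes = [m for m in members if m.lower().endswith(EXE_SUFFIXES)]
        if not exes:
            continue
        m = LURE_ZIP.match(name)
        findings.append({
            "zip": name,
            "executables": exes,
            "matches_lure_name": bool(m),
            "named_after_recipient": bool(m) and m["tag"].lower() in local_parts,
        })
    return findings


def build_sample(zip_name: str, member: str) -> bytes:
    """Constructed test message; harmless bytes stand in for the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"not a real executable")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "jsmith@example.org"
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

The executable-inside-ZIP finding is the reason to quarantine; the two name flags only help group messages from the same campaign.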
