Date: Thu, 6 Feb 2014 20:32:34 +0100 [14:32:34 EST]
From: "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject: Successful Receipt of Online Submission for Reference 3608005
Thank you for sending your VAT Return online. The submission for reference 3608005 was
successfully received on Thu, 6 Feb 2014 20:32:34 +0100 and is being processed. Make VAT
Returns is just one of the many online services we offer that can save you time and
paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet
virus scanning service supplied by Cable&Wireless Worldwide in partnership with
MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was
certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for
legal purposes.

I love the "certified virus-free" bit, because of course this thing comes with a malicious payload. Attached to the message is an archive Reference.zip which in turn contains a malicious executable Reference.scr (a plain old executable, not a screensaver). This has a VirusTotal detection rate of 2/50.
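A mail gateway can flag an attachment of the kind described in this post (a ZIP whose .scr member is really a Windows executable) before it is delivered. The Python below is an added example, not part of the original post: it inspects a ZIP in memory and reports members with a directly executable extension or an MZ header. The extension list, the function names and the harmless sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# Assumed policy list: extensions Windows runs directly (.scr is a PE file under another name).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".cpl"}


def build_sample_zip():
    """Constructed sample shaped like the attachment; members are harmless stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Reference.scr", b"MZ" + b"\x00" * 62)   # only the magic bytes
        zf.writestr("notes.txt", b"plain text member")
        zf.writestr("Reference.pdf", b"MZ" + b"\x00" * 62)   # executable header, document name
    return buf.getvalue()


def triage_zip(data, max_members=100):
    """Return one finding per archive member that looks like a Windows executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [{"name": None, "reasons": ["not a valid zip"]}]
    findings = []
    with zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            reasons = []
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if info.flag_bits & 0x1:
                # Password-protected member: cannot read it, but worth reporting.
                reasons.append("encrypted member, content not inspected")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("MZ header (PE/DOS executable)")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Checking the header as well as the extension means a renamed executable is still reported when its name looks like a document.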
Automated analysis tools [1] [2] [3] [4] show an encrypted file being downloaded from:
[donotclick]wahidexpress.com/scripts/ie.enc
[donotclick]bsitacademy.com/img/events/ie.enc
Recommended blocklist:
182.18.188.191
wahidexpress.com
bsitacademy.com
Update:
A second version of the email is circulating with the following body text:
The submission for reference 485/GB1392709 was successfully received and was not
processed.
Check attached copy for more information.
This is an automatically generated email. Please do not reply as the email address is not
monitored for received mail.