
Friday 25 July 2014

Tiffany & Co "invoice 0625859 July" spam

This fake Tiffany & Co email has a malicious attachment:

Date:      Fri, 25 Jul 2014 17:32:38 +0800 [05:32:38 EDT]
From:      "J.Parker" [rcaukomti@tiffany.co.uk]
Subject:      invoice 0625859 July

Kindly open to see export License and payment invoice attached, meanwhile we sent the balance payment yesterday.
Please confirm if it has settled in your account or you can call if there is any problem.
Thanks


J.parker
Tiffany & Co.

Attached to the message is an archive, invoice copy.zip, which contains a folder named invoice copy. Inside that folder is a malicious file, invoice copy.exe, which has a VirusTotal detection rate of 9/51. The CAMAS report shows that the malware downloads components from the following locations:


Those sites are similar to the one found in the recent "Birmingham Mail" spam run. I recommend that you block the following domains on your network:

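
A mail-gateway style check for the attachment layout described in this post (an executable nested in a folder inside a ZIP), as an added example that is not part of the original post. The function names, the extension list and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions Windows runs directly; an assumed, non-exhaustive set.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def risky_members(zip_bytes):
    """Return (member name, reason) pairs for executable content in a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Judge the final path component, so files nested in folders count.
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable extension"))
                continue
            # Bit 0 of the general-purpose flags marks an encrypted member,
            # which cannot be content-checked without the password.
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted member, cannot inspect"))
                continue
            # PE files start with "MZ" whatever extension they carry.
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((name, "PE header"))
    return findings


def build_sample_zip():
    """Constructed sample mirroring the folder/file layout in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice copy/invoice copy.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("invoice copy/readme.txt", b"constructed benign text")
        # Renamed executable: caught by content, not by name.
        archive.writestr("invoice copy/scan.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member_name, reason in risky_members(build_sample_zip()):
        print(f"BLOCK {member_name!r}: {reason}")
```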






