Monday, 4 August 2014

"Important - BT Digital File" spam

This fake BT spam has a malicious attachment:

Date:      Mon, 4 Aug 2014 08:48:51 -0430 [09:18:51 EDT]
From:      Marci Tobin
Subject:      Important - BT Digital File


BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 7221* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

The attachment is BT_Digital_Vault_File.zip, which contains a malicious executable BT_Digital_Vault_File.exe with a VirusTotal detection rate of 5/54. According to the Comodo CAMAS report the malware reaches out to the following URLs:


Recommended blocklist:
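A defender-side check for the attachment pattern described above (a zip wrapping an executable), added here as an example and not part of the original post. The message it builds is a constructed sample modelled on the spam, with a dummy MZ header in place of the real payload.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive inside a zip "document" from a real provider.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def executables_in_zip_attachments(raw_message: bytes):
    """Return (attachment name, member name) pairs for every executable found
    inside a zip attachment of the given RFC 822 message. Non-zip attachments
    and corrupt archives are skipped rather than raising."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK"):
            continue  # not a zip archive, whatever the file name claims
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                        findings.append((name, member))
        except zipfile.BadZipFile:
            continue
    return findings


def build_sample_message() -> bytes:
    """Constructed sample modelled on the spam above: a zip attachment
    holding a dummy executable (MZ header plus padding, not real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BT_Digital_Vault_File.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Marci Tobin <sender@example.invalid>"  # placeholder sender
    msg["Subject"] = "Important - BT Digital File"
    msg.set_content("This email contains your BT Digital File.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="BT_Digital_Vault_File.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, member in executables_in_zip_attachments(build_sample_message()):
        print(f"FLAG: {attachment} contains {member}")
```

The same function can be run over a mailbox export or a gateway quarantine to surface any zip whose contents are executables rather than the documents the message text claims.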


UPDATE: the following spam also carries the same payload:

Date:      Mon, 4 Aug 2014 11:41:18 +0000 [07:41:18 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 7132163 - Companies House

The submission number is: 7132163

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500 
