Friday 1 August 2014

NatWest "You have a new Secure Message" spam uses goo.gl links to spread malware

This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:
From: NatWest [secure.message@natwest.com]
Date: 24 July 2014 10:39
Subject: You have a new Secure Message

You have received a secure message from NatWest Bank

To read your secure message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.natwest.com/websafe/ml/help?topic=RegEnvelope

The link in the email goes to goo.gl/dGDi7l, which then downloads a ZIP file from berkleyequine.com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr with a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware calls out to the following URLs:

The characteristics of this malware are very similar to the one seen yesterday, and you can be assured that there are other goo.gl URLs and download locations in addition to the one listed here.

Because you can see the stats for any goo.gl URL just by adding a "+" on the end, it is possible to see who is clicking through. Oddly, there is not a single clickthrough from the UK where the NatWest bank is actually based.

Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it (I would recommend giving it a go).

Recommended blocklist:
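As an added example, not code from this post: a small Python triage script that scans proxy-log lines for the stages described above (a goo.gl shortener click, an archive download, and the /<campaign id>/SANDBOXA/... beacon shape) and matches hosts against a blocklist, then reports which clients both fetched a payload and beaconed out. The log lines, hostnames, IP addresses and blocklist below are constructed placeholders, not the indicators from this campaign.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (placeholder hosts/IPs, not from the post): time client method url
SAMPLE_LOG = """\
2014-07-24T10:41:02 10.0.0.12 GET http://goo.gl/EXAMPLE1
2014-07-24T10:41:03 10.0.0.12 GET http://compromised-site.example/wp-includes/images/Documents-43632.zip
2014-07-24T10:42:10 10.0.0.12 GET http://203.0.113.7/0108uk1/SANDBOXA/0/51-SP2/0/
2014-07-24T10:42:11 10.0.0.12 GET http://203.0.113.7/0108uk1/SANDBOXA/1/0/0/
2014-07-24T10:42:15 10.0.0.12 GET http://other-site.example/css/01u1.rar
2014-07-24T10:45:00 10.0.0.33 GET http://www.example.org/index.html
"""

BLOCKLIST = {"203.0.113.7", "compromised-site.example"}   # constructed, hypothetical
SHORTENERS = {"goo.gl"}
PAYLOAD_EXT = (".zip", ".rar", ".scr")
# Beacon shape seen in the post: /<campaign id>/SANDBOXA/<n>/<token>/<n>/
BEACON_RE = re.compile(r"^/[0-9a-z]+/SANDBOXA/\d+/[^/]+/\d+/$", re.I)

def classify(url):
    """Return the reasons (possibly none) a URL matches this campaign's pattern."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if host in BLOCKLIST:
        reasons.append("blocklisted host")
    if host in SHORTENERS:
        reasons.append("url shortener")
    if p.path.lower().endswith(PAYLOAD_EXT):
        reasons.append("archive/executable download")
    if BEACON_RE.match(p.path):
        reasons.append("C2 beacon pattern")
    return reasons

def scan_log(text):
    """Map each client to its suspicious (url, reasons) hits; clean clients are omitted."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines
            continue
        _, client, _, url = parts
        reasons = classify(url)
        if reasons:
            hits.setdefault(client, []).append((url, reasons))
    return hits

def infected_clients(hits):
    """Highest-confidence set: clients that fetched a payload AND beaconed out."""
    tagged = {c: {r for _, rs in items for r in rs} for c, items in hits.items()}
    return sorted(c for c, t in tagged.items()
                  if {"archive/executable download", "C2 beacon pattern"} <= t)
```

Run `infected_clients(scan_log(SAMPLE_LOG))` to get the clients worth isolating first; a shortener hit alone is only a weak signal and is reported but not counted as an infection.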

1 comment:

Unknown said...

haha, for best results SAVE it first and THEN open it in your web-browser? Lol since when did anything have better results for viewing by using that 'technique'?? Man, they are really pushing hard to get people to do the 'wrong thing' and get scammed...it's a shame that so many people are so clueless and/or stupid that they fall for some of these cheesier messages and click on the links. I have only ever seen one malicious spam trick that MIGHT have been good enough to trick me, except for the fact that I did NOT have a bank account at that bank or any other bank, at the time. So when they said 'your account' blah blah blah, click the link & log on to 'do whatever'. Easy I knew it was fake because I had no acct there, but if I did have one I might not have paid as much attention to little details like: no name listed 'dear customer' - when there is a problem with YOUR account they put your name in the message. Anyway, out of curiosity I clicked the link and it took me to a page that looked very much like a legitimate logon page to a bank. So I'm guessing as soon as you enter your a/c# password they suck it up and suck the money out of your account.

Dude your blog is AWESOME. I love reading about these spammy messages and I love the way you write - also, when it comes to info you are short & sweet about it and easy to get any & all necessary details quickly, and I like that too.

Here's to ya!! Skål (cheers)

Bunny -