Monday, 8 September 2014

BH Live Tickets "Peter Pan" spam (bhlive.co.uk / bhlivetickets.co.uk)

I have seen a very large quantity of these spam emails, purporting to be from

From:     bhlivetickets@bhlive.co.uk
Date:     8 September 2014 08:43
Subject:     Confirmation of Order Number 484914
ORDER CONFIRMATION
Order Number    Order Date
484914          07-09-2014 13:00

YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event.
The attachment requires that you have the Adobe Acrobat Reader installed on your computer. If you do not have Adobe Acrobat Reader installed, please click HERE to download and install this program.
TICKETS
Peter Pan
Bournemouth Pavilion Theatre
Tue 23 Dec 2014 - 7:00 PM

QTY  TICKET TYPE                           PRICE EACH  TOTAL
3    Early Bird - Price A                  18.00       54.00
6    Early Bird Child Under 16 - Price A   15.00       90.00

Ticket Information
Circle/A 35-30 (6) , Circle/B 33-31 (3)


DELIVERY METHOD AMOUNT
Print At Home - E-Ticket(s) are attached to this order confirmation (You must be able to open and print a PDF file) 1.00


PAYMENTS
TYPE             #                 DATE              AMOUNT
Mastercard Sale  ************7006  03-09-2014 13:00  145.00
Please keep this confirmation in a safe place.
THIS IS NOT YOUR TICKET
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL
Please call 0844 576 3000 if there are any errors in your order, if you have not received your tickets as expected, or if you have any questions.

BH
BH Live Tickets
Exeter Road, Bournemouth, BH2 5BH
Tel: 0844 576 3000
bhlivetickets@bhlive.co.uk
http://www.bhlivetickets.co.uk
VAT Reg: 108 2248 37
TICKETS: 144.00
CHARGES: 1.00
TOTAL: 145.00
PAYMENTS RECEIVED: 145.00


These emails are not from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe).

The VirusTotal detection rate for this malware is just 3/55. Comodo CAMAS reports that this downloads an additional component from tiptrans.com.tr/333 which has a VirusTotal detection rate of 4/51.

According to ThreatExpert, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).

Recommended blocklist: (updates in italics)
tiptrans.com.tr
plancomunicacion.net
92.222.46.165
80.94.160.129
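The lure described above (forged bhlive.co.uk sender, "Confirmation of Order Number" subject, a zip attachment wrapping an executable) can be triaged automatically at the mail gateway. The following is an added example, not code from the original post: it parses a raw message and reports which of those three traits it carries. The sample message it builds is constructed here with harmless placeholder bytes; the file names are the ones quoted in the write-up.

```python
import email
import email.policy
import email.utils
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators from the write-up above: forged bhlive.co.uk sender, campaign
# subject line, and a zip attachment wrapping an executable.
SPOOFED_DOMAIN = "bhlive.co.uk"
SUBJECT_RE = re.compile(r"^Confirmation of (E-Tickets )?Order Number \d+$")
EXE_EXTS = (".exe", ".scr", ".com", ".pif")

def triage_message(raw: bytes) -> list:
    """Return the reasons a raw RFC 822 message matches the lure pattern."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender.endswith("@" + SPOOFED_DOMAIN):
        reasons.append("From claims %s; trust it only if SPF/DKIM pass" % SPOOFED_DOMAIN)
    if SUBJECT_RE.match(msg.get("Subject", "")):
        reasons.append("subject matches campaign pattern")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:  # list the archive members without extracting anything to disk
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                exes = [m for m in zf.namelist() if m.lower().endswith(EXE_EXTS)]
        except zipfile.BadZipFile:
            reasons.append("attachment %s is not a readable zip" % name)
            continue
        if exes:
            reasons.append("zip %s contains executable(s): %s" % (name, ", ".join(exes)))
    return reasons

def build_sample() -> bytes:
    """Constructed message modelled on the quoted spam (harmless stand-in bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tickets.332091.exe", b"not a real binary")
    m = EmailMessage()
    m["From"] = "bhlivetickets@bhlive.co.uk"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Confirmation of Order Number 484914"
    m.set_content("YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="tickets.3130599.zip")
    return m.as_bytes()
```

Running triage_message(build_sample()) returns three reasons; a plain message with no zip attachment returns an empty list.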

Added: there is at least one other version of the malicious binary, for example this one. I have seen some reports that there are more.

UPDATE 2014-09-09:
A second spam run is in progress, essentially the same as the first one except some now have a subject in the form "Confirmation of E-Tickets Order Number 0088658".

There are two new binaries, well detected by anti-virus products with a VirusTotal score of 27/55 and 25/54.

In one case the binary downloaded an additional component from plancomunicacion.net/333  which has a detection rate of 25/54 and according to the ThreatExpert report has the same characteristics as before.

Also, the people operating BH Live have put a notice on their website:

Concerns raised over emails purporting to be from BH Live Tickets
Published on 8 September 2014

Bournemouth, UK, 8 September – At approximately 7.30 this morning BH Live started to receive a high-volume of calls from members of the public in connection with an email purporting to come from BH Live Tickets. The email contains attachment(s) and hyperlinks relating to a booking for Peter Pan.

BH Live's Information Security teams together with information technology professionals and suppliers have investigated the matter and confirm that its internal systems have not been breached and that the emails were sent from known SPAM IP addresses. The emails are not genuine and do not originate from BH Live. A number of precautionary measures have been taken to ensure data, systems and networks continue to be protected.

The public is advised to delete these emails, to not open any attachments or links; ensure they are running the most up-to-date security products and that the operating system has been updated to the latest version. It is recommended that anyone receiving these emails update their passwords over the coming days.

BH Live continues to monitor the situation and is posting updates via websites and social media channels.

36 comments:

  1. Thanks for the info. Just received this spam myself. Unnerving as it looks very authentic.

  2. Yeah, I just received one too. Very convincing. Thank you for posting this.

  3. Snap ...also worrying that I do have a credit card ending 700

    From: bhlivetickets@bhlive.co.uk
    To:
    Sent: Monday, September 08, 2014 9:25 AM
    Subject: Confirmation of Order Number 016738

  4. Very convincing, and it certainly looks like it was sent from bhlive. I actually went on to their website to see if there were any notices re spam at all, but there's nothing.

    I also checked the seats that I had purportedly purchased, and they are indeed not available as if they've been sold to me.

    The only thing that set alarm bells ringing is that I don't actually have a MasterCard ending with 7006!!

  5. Best looking email for virus delivery received for a long time and seems to be getting through a lot of anti-spam and mail virus scanners.

  6. Yeah we run Sophos Pure Message and the last few weeks or so, we're seeing FAR more filters getting through to our users.

    Thanks for the message. Was worrying for us as we are local to the area so lots of our staff will have used BHLive.

  7. Thanks for pointing this out, got one today, only suspicious bit (apart from the fact I hadn't booked the tickets) was that I got it twice, reassuring your blog came up high on google so now safely deleted, best, Jack

  8. Just received one of these this morning. As I know I didn't book tickets (not there - I'm nowhere near the area!), and don't have a Mastercard, I assumed it to be a virus attachment.

    But, on the off-chance it was an error, I still tried to phone / e-mail BH Live to confirm - only to find their 'phone queue' is full, and the e-mail (address on their actual website) came back as 'undeliverable'!

  9. Thanks for that info, thought someone had cloned my credit card which I assume is the idea. Glad Yahoo Mail stuck this in spam but still nearly convinced until I saw a ZIP attachment.

  10. They are definitely not coming from BH Live, the originating IPs are from hacked machines worldwide (e.g. Korea, Vietnam etc).

    Spam filtering is having a problem keeping up with them, some have been blocked, quite a lot haven't.

  11. Cheers for this info. Always worth Googling it when something like this turns up. Someone somewhere has usually received the same spam.

  12. I just got one too. Very worried as my bag / cards were stolen a short while ago, but glad to see it isn't someone hacking in to my account.

  13. Thanks for making this blog post, I think it will help a lot of people!

    Definitely one of the more convincing e-mails of this nature that I've seen.

  14. Thank you for this help. I have been panicking and trying to call BH Live. It's actually got my correct details including correct last 4 digits of credit card too. Barclaycard were useless when I phoned them; they confirmed no money taken yet, but asked me to be cautious when I purchase?? They seemed to think I had actually given my details to BH Live, but think they did not understand my plight.

    Do other people have the correct last 4 card digits showing in the email?

  15. Yeah, I just received one too. I'm pretty internet/scam email savvy, however this is the most convincing one I've seen! Thank you for posting this.

  16. Thank you for this help.
    I'm a French user and just received this spam myself.

  17. They are good eh! Very genuine and worrying. They are bound to have caught a lot of people out. Thanks for the blog which confirmed what I had already thought.

  18. Incidentally, every single sample I have seen has the credit card number ending in 7006. So if your card *does* end in this number then it is especially convincing, but just a coincidence.

  19. Yes
    GFS received one this am
    No phones were answered at venues
    making it more suspicious

  20. I just received one of these, and was worried that it was something to do with identity theft so opened it and read through etc.
    Will my system now have the virus? If anyone can shed any light on this I'd appreciate it.

  21. Just had this through this morning. Looks legit but, I knew I hadn't made the purchase. And certainly not from the email address they sent it to.

  22. Yep, I also got this. It's a hoax. Do not open any attachments or ring any of the numbers on there.

  23. @Nicola: you will probably be infected if you downloaded, unzipped and ran the attachment (if you are using a PC).

  24. Thanks for the info, very worrying as I did have a credit card ending 7006 but it was cloned about a year ago. Tried to call the number on the email which incidentally is the same as the number on the website so all very official looking, but a recorded message said that the queue was too long and I had to call back !

  25. A lot of these coming through to my domain this morning - Pure Message has blocked some, and allowed others through.

  26. @Conrad: Thanks for your reply, I use a Mac.

    I only opened the email to read, I didn't open any attachments, hopefully will be ok.

  27. Thank you for this - I just got this scam. Not picked up by the anti spam system on Mcafee.

  28. Thanks for info. I just made sure that the credit card number wasn't mine!

  29. Just also received a confirmation for my e-ticket on 23rd Dec for Peter Pan. Could be very crowded! Will forward to my Neighbourhood Watch team.

  30. Thanks for the post, yours is one of the only useful comments out there for this currently :)

  31. I have received several of these today together with a number of colleagues using the same domain extension for the email accounts.

  32. I live in Belgium and got one about 30 minutes ago...
    As I don't have Mastercard and live miles away from Bournemouth it became obvious rather quickly that this was dangerous to open...
    So I tried to phone, found out there were 39 people before me and ended up here after some web searching.
    Glad to know what it is all about now.
    I am going to run a virus scan and clean my register just to be on the safe side anyway...
    Wonder how they got my email address?...

  33. I received one of these this morning and by chance, I was actually visiting Bournemouth, so it was especially confusing... also it came to my work email, which I don't generally use for anything personal... any ideas where they are getting the email addresses from?

  34. I got several of these on email accounts of my own domain, which I only used to create dropbox accounts. So I suspect dropbox is the source for the SPAM mailing list. Some of these email addresses I have never received emails for apart from the original setup of the dropbox account.

  35. Just got the same e-mail too. Again, dubious as I didn't have an e-mail ending 7006 and I have never shown any desire to watch this production of Peter Pan, fantastic though it may be. Tried to e-mail back (and the contact e-mail on the Bournemouth pavilion website) and unsurprisingly got a delivery failure from this address.
    This is going to sound really basic but what are the dangers from even opening this e-mail, I didn't open the attachments?

  36. I got the same email.

    As an almost infallible rule, if you receive an acknowledgement of an order that you haven't placed, especially from a company with which you have had no dealings, it is almost certainly a scam or worse, e.g. if you click an attachment some malware will be placed on your computer. If you receive any email with an attachment, unless you are 100% sure of its provenance and genuineness, do not click on it. If you think it may be genuine, phone the alleged sender (not using a phone number on the possibly dodgy email but only a phone number from a reliable source or one that you already have) and find out from them if it is genuine.
