
Monday 8 September 2014

BH Live Tickets "Peter Pan" spam (bhlive.co.uk / bhlivetickets.co.uk)

I have seen a very large quantity of these spam emails, purporting to be from

From:     bhlivetickets@bhlive.co.uk
Date:     8 September 2014 08:43
Subject:     Confirmation of Order Number 484914
Order Number Order Date
484914 07-09-2014 13:00

YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event.
The attachment requires that you have the Adobe Acrobat Reader installed on your computer. If you do not have Adobe Acrobat Reader installed, please click HERE to download and install this program.
Peter Pan
Bournemouth Pavilion Theatre
Tue 23 Dec 2014 - 7:00 PM
3 Early Bird - Price A 18.00 54.00
6 Early Bird Child Under 16 - Price A 15.00 90.00
Ticket Information
Circle/A 35-30 (6) , Circle/B 33-31 (3)

Print At Home - E-Ticket(s) are attached to this order confirmation (You must be able to open and print a PDF file) 1.00

Mastercard Sale ************7006 03-09-2014 13:00 145.00
Please keep this confirmation in a safe place.
Please call 0844 576 3000 if there are any errors in your order, if you have not received your tickets as expected, or if you have any questions.

BH Live Tickets
Exeter Road, Bournemouth, BH2 5BH
Tel: 0844 576 3000
VAT Reg: 108 2248 37
TICKETS: 144.00
TOTAL: 145.00

These emails are not from BH Live Tickets, and BH Live's systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe).

The VirusTotal detection rate for this malware is just 3/55. Comodo CAMAS reports that this downloads an additional component from tiptrans.com.tr/333 which has a VirusTotal detection rate of 4/51.

According to ThreatExpert, this second component POSTs some information to (OVH, France) and also appears to contact (National Academy Of Sciences Of Belarus).

Recommended blocklist: (updates in italics)

Added: there is at least one other version of the malicious binary, for example this one. I have seen some reports that there are more.

UPDATE 2014-09-09:
A second spam run is in progress, essentially the same as the first one except some now have a subject in the form "Confirmation of E-Tickets Order Number 0088658".

There are two new binaries, well detected by anti-virus products with a VirusTotal score of 27/55 and 25/54.

In one case the binary downloaded an additional component from plancomunicacion.net/333 which has a detection rate of 25/54 and according to the ThreatExpert report has the same characteristics as before.
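As an added example (not code from the original post), here is a Python triage routine that flags the traits described above and in the update: the forged bhlive.co.uk sender, the "Confirmation of ... Order Number" subject in both its first-run and second-run forms, a first Received hop outside the claimed domain, and a zip attachment carrying an executable. The sample message it builds is constructed to resemble the spam; the .exe inside the zip is an inert placeholder, and the relay host and filenames other than those quoted in the post are made up.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject forms seen in the two spam runs (the second run added "E-Tickets").
SUBJECT_RE = re.compile(r"^Confirmation of (E-Tickets )?Order Number \d+$")
CLAIMED_DOMAIN = "bhlive.co.uk"
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js")


def executables_in_zip(blob):
    """Return names of executable-looking members of a zip attachment ([] if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
    except zipfile.BadZipFile:
        return []


def indicators(raw):
    """Parse a raw RFC 822 message and return the list of indicators that fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        found.append("subject:order-confirmation-pattern")
    if CLAIMED_DOMAIN in msg.get("From", "").lower():
        found.append("from:claims-" + CLAIMED_DOMAIN)
        # Received headers are prepended by each relay, so the bottom one is the
        # first hop. A forgery normally arrives straight from an unrelated host
        # rather than from the venue's own mail infrastructure.
        first_hop = msg.get_all("Received", [""])[-1]
        if CLAIMED_DOMAIN not in first_hop.lower():
            found.append("received:first-hop-not-" + CLAIMED_DOMAIN)
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            for exe in executables_in_zip(part.get_payload(decode=True)):
                found.append("attachment:zip-contains-" + exe)
    return found


def build_sample():
    """Constructed look-alike of the spam (not a real sample); the .exe is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tickets.332091.exe", b"placeholder bytes, not malware")
    msg = EmailMessage()
    msg["Received"] = "from [198.51.100.7] (unknown) by mx.example.net with SMTP"  # made up
    msg["From"] = "bhlivetickets@bhlive.co.uk"
    msg["Subject"] = "Confirmation of E-Tickets Order Number 0088658"
    msg.set_content("YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="tickets.3130599.zip")
    return msg.as_bytes()
```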

Also, the people operating BH Live have put a notice on their website:

Concerns raised over emails purporting to be from BH Live Tickets
Published on 8 September 2014

Bournemouth, UK, 8 September – At approximately 7.30 this morning BH Live started to receive a high volume of calls from members of the public in connection with an email purporting to come from BH Live Tickets. The email contains attachment(s) and hyperlinks relating to a booking for Peter Pan.

BH Live's Information Security teams together with information technology professionals and suppliers have investigated the matter and confirm that its internal systems have not been breached and that the emails were sent from known SPAM IP addresses. The emails are not genuine and do not originate from BH Live. A number of precautionary measures have been taken to ensure data, systems and networks continue to be protected.

The public is advised to delete these emails, to not open any attachments or links; ensure they are running the most up-to-date security products and that the operating system has been updated to the latest version. It is recommended that anyone receiving these emails update their passwords over the coming days.

BH Live continues to monitor the situation and is posting updates via websites and social media channels.


Unknown said...

Thanks for the info. Just received this spam myself. Unnerving as it looks very authentic.

Unknown said...

Yeah, I just received one too. Very convincing. Thank you for posting this.

Unknown said...

Snap ... also worrying that I do have a credit card ending 700

From: bhlivetickets@bhlive.co.uk
Sent: Monday, September 08, 2014 9:25 AM
Subject: Confirmation of Order Number 016738

Unknown said...

Very convincing, and it certainly looks like it was sent from bhlive. I actually went on to their website to see if there were any notices re spam at all, but there's nothing.

I also checked the seats that I had purportedly purchased, and they are indeed not available as if they've been sold to me.

The only thing that set alarm bells ringing is that I don't actually have a MasterCard ending with 7006!!

Charlie Clark said...

Best looking email for virus delivery received for a long time, and seems to be getting through a lot of anti-spam and mail virus scanners.

blooey said...

Yeah we run Sophos Pure Message and the last few weeks or so, we're seeing FAR more filters getting through to our users.

Thanks for the message. Was worrying for us as we are local to the area so lots of our staff will have used BHLive.

Unknown said...

Thanks for pointing this out. Got one today; the only suspicious bit (apart from the fact I hadn't booked the tickets) was that I got it twice. Reassuring that your blog came up high on Google, so now safely deleted. Best, Jack

Silver said...

Just received one of these this morning. As I know I didn't book tickets (not there - I'm nowhere near the area!), and don't have a Mastercard, I assumed it to be a virus attachment.

But, on the off-chance it was an error, I still tried to phone / e-mail BH Live to confirm - only to find their 'phone queue' is full, and the e-mail (address on their actual website) came back as 'undeliverable'!

Calco Services - Power Division said...

Thanks for that info, thought someone had cloned my credit card which I assume is the idea. Glad the Yahoo Mail stuck this in spam but still nearly convinced until I saw a ZIP attachment.

Conrad Longmore said...

They are definitely not coming from BH Live, the originating IPs are from hacked machines worldwide (e.g. Korea, Vietnam etc).

Spam filtering is having a problem keeping up with them, some have been blocked, quite a lot haven't.

WatDabney said...

Cheers for this info. Always worth Googling it when something like this turns up. Someone somewhere has usually received the same spam.

KS said...

I just got one too. Very worried as my bag / cards were stolen a short while ago, but glad to see it isn't someone hacking in to my account.

Tom said...

Thanks for making this blog post, I think it will help a lot of people!

Definitely one of the more convincing e-mails of this nature that I've seen.

Michele said...

Thank you for this help. I have been panicking and trying to call BH Live. It's actually got my correct details including the correct last 4 digits of my credit card too. Barclaycard were useless when I phoned them; they confirmed no money taken yet, but asked me to be cautious when I purchase?? They seemed to think I had actually given my details to BH Live, but I think they did not understand my plight.

Do other people have the correct last 4 card digits showing in the email?

Unknown said...

Yeah, I just received one too. I'm pretty internet/scam email savvy, however this is the most convincing one I've seen! Thank you for posting this.

olivier said...

Thank you for this help.
I'm a French user and just received this spam myself.

Unknown said...

They are good eh! Very genuine and worrying. They are bound to have caught a lot of people out. Thanks for the blog which confirmed what I had already thought.

Conrad Longmore said...

Incidentally, every single sample I have seen has the credit card number ending in 7006. So if you card *does* end in this number then it is especially convincing, but just a coincidence.

Gavin Sandeman said...

GFS received one this am.
No phones were answered at venues,
making it more suspicious.

Unknown said...

I just received one of these, and was worried that it was something to do with identity theft so opened it and read through etc.
Will my system now have the virus? If anyone can shed any light on this I'd appreciate it.

Unknown said...

Just had this through this morning. Looks legit, but I knew I hadn't made the purchase. And certainly not from the email address they sent it to.

Unknown said...

Yep, I also got this. It's a hoax. Do not open any attachments or ring any of the numbers on there.

Conrad Longmore said...

@Nicola: you will probably be infected if you downloaded, unzipped and ran the attachment (if you are using a PC).

Unknown said...

Thanks for the info, very worrying as I did have a credit card ending 7006 but it was cloned about a year ago. Tried to call the number on the email, which incidentally is the same as the number on the website so all very official looking, but a recorded message said that the queue was too long and I had to call back!

Alex said...

A lot of these coming through to my domain this morning - Pure Message has blocked some, and allowed others through.

Unknown said...

@Conrad: Thanks for your reply, I use a Mac.

I only opened the email to read, I didn't open any attachments, hopefully will be ok.

LHL said...

Thank you for this - I just got this scam. Not picked up by the anti-spam system on McAfee.

Unknown said...

Thanks for info. I just made sure that the credit card number wasn't mine!

Roger said...

Just also received a confirmation for my e-ticket on 23rd Dec for Peter Pan. Could be very crowded! Will forward to my Neighbourhood Watch team.

Tim Clarke said...

Thanks for the post, yours is one of the only useful comments out there for this currently :)

Independent Slitters said...

I have received several of these today, together with a number of colleagues using the same domain extension for their email accounts.

Alex said...

I live in Belgium and got one about 30 minutes ago...
As I don't have Mastercard and live miles away from Bournemouth it became obvious rather quickly that this was dangerous to open...
So I tried to phone, found out there were 39 people before me and ended up here after some web searching.
Glad to know what it is all about now.
I am going to run a virus scan and clean my registry just to be on the safe side anyway...
Wonder how they got my email address?...

mike pazda said...

I received one of these this morning and by chance, I was actually visiting Bournemouth, so it was especially confusing... also it came to my work email, which I don't generally use for anything personal... any ideas where they are getting the email addresses from?

ictari said...

I got several of these on email accounts of my own domain, which I only used to create Dropbox accounts. So I suspect Dropbox is the source for the SPAM mailing list. Some of these email addresses I have never received emails for apart from the original setup of the Dropbox account.

Unknown said...

Just got the same e-mail too. Again, dubious as I didn't have an e-mail ending 7006 and I have never shown any desire to watch this production of Peter Pan, fantastic though it may be. Tried to e-mail back (and the contact e-mail on the Bournemouth pavilion website) and unsurprisingly got a delivery failure from this address.
This is going to sound really basic but what are the dangers from even opening this e-mail, I didn't open the attachments?

johnnb said...

I got the same email.

As an almost infallible rule, if you receive an acknowledgement of an order that you haven't placed, especially from a company with which you have had no dealings, it is almost certainly a scam or worse, e.g. if you click an attachment some malware will be placed on your computer. If you receive any email with an attachment, unless you are 100% sure of its provenance and genuineness, do not click on it. If you think it may be genuine, phone the alleged sender (not using a phone number on the possibly dodgy email but only a phone number from a reliable source or one that you already have) and find out from them if it is genuine.