From: Geir Myklebust (DHL NO) [Geir.Myklebust@dhl.com]
Date: 10 September 2014 10:35
Subject: FW: customer acct. no.: 4690086 - invoice 0257241 needs to be paid
Dear Sir.
The attached invoice from Villmarksmessen 2014 has still not been settled.
Please advise as soon as possible.
Thank you and regards,
Geir
Med vennlig hilsen/ Kind Regards
Geir Myklebust
Product Manager, Avd. Trade Fairs & Events
DHL Global Forwarding (Norway) AS
Avd. Trade Fairs & Events
Messeveien 14
2004 Lillestrøm
Postboks 154 Leirdal
NO-1009 OSLO
NORWAY
Direct line: + 47 90 95 58 26
Fax: + 47 64 00 71 87
Mobile: + 47 90 78 52 44
Attached is a ZIP file with various names (e.g. invoice_0257241.zip), containing a malicious executable invoice_3466198.exe which has a VirusTotal detection rate of 3/54.
The Comodo CAMAS report shows an attempted connection to voladora.com/Imagenes/qaws.cab, which is currently coming up with a socket error. I would recommend that you block access to that domain. Further analysis is pending; I will update the post if I find more information.
UPDATE: a second malicious binary is doing the rounds, this time with a detection rate of 2/53. The ThreatTrack report [pdf] and Anubis report show the malware performing lookups for a variety of domain names [pastebin] which are not currently resolving, but might be worth blocking.
20 comments:
Started hitting our edge about two hours ago and continues.
Every single one is from the same sender (geir myklebust)
Joe Job?
@Jan, it is very similar in structure to this spam run yesterday. *That* looked like it was copied from a genuine email, and there are components in this that look like they have been copied-and-pasted too. So, I don't think it is a deliberate Joe Job as such, rather they have copied a genuine email to make it look more authentic.
how dare anyone say that their systems have not been breached. Of course they have been breached for Christ sake!!!!
bloody ridiculous
@madaboutpixels - DHL's systems have not been breached. It is just a very good forgery, spammed out to random addresses (mostly who will not be DHL customers).
@Conrad Longmore DHL's systems have been breached. The email address is not a clone, the email account has been accessed. The address is not masked/cloned
@madaboutpixels, if you check the mail headers then you can see that they do not originate from DHL, but instead from some random compromised PC.
Faking the "From" address in an email is trivially easy, the real origin is in those mail headers.
I suspect that the mail was originally copied from a hacked mailbox and was then turned into a template for the spam, most likely a DHL customers (because there are so many of them).
The addresses the spam was sent "To" are random. I received several on all sorts of odd email addresses, certainly ones that DHL would not have in their customer records.
@madaboutpixels, I made a post about how easy it is to forge emails a while ago here.
Had 2 separate emails from this "Geir Myklebust" today.
Both had zipped attachments and were obviously infected.
"invoice_0000935.zip (215 KB)" and "invoice_4561880.zip (42 KB)".
I believed it almost because I actually got a DHL invoice last month
@Conrad Longmore makes sense. Still I expect that Geir is feeling a bit abused by now :-(
@Jan, I think his mailbox has probably melted down by now!
Yep I got this email just after 1AM here in Australia
(Sorry for bad English)
I got two similar mails
(maybe) this 4690086 - invoice 0257241,
and
(surely, because i copy them to use search) 05201 - invoice 4348828
at (maybe) 8 hours
and
(surely) 4 hours ago..
and I received other spam mail over several weeks too, that's "Morupule Coal Mine".
I don't know why those spams are sent to me.
I got this email, the attachment was "noname" with no extension and zero bytes. Must have been caught by something along the way, I use Google Apps, MX records setup on my own cPanel server @ byte32.com
@Ashley: Google seems to be blocking the payload by creating a "noname" attachment. If you click "Show Original" from the drop-down options, you might well see the Base64 encoded attachment in the section beginning..
Content-Transfer-Encoding: base64
..if you extract that text and run it through a Base 64 decoder you will get the malicious ZIP file. That's the kind of thing you will ONLY ever need to do if you want to collect a sample for analysis though.
What?!?! Fake?!?! I just paid the invoice by credit card....$382.49 down the drain. Will my package still get delivered or was that all fake too??
Guys, please see the below from DHL:
http://www.dhl.co.uk/en/legal/fraud_awareness.html#report_fraud
Action Fraud provide a central point of contact for information about fraud and financially motivated internet crime. You can report your fraud experience online or by calling 0300 123 2040. Lines are open Monday to Friday 08:00 – 21:00, Saturday and Sunday 09:00 – 17:00.
I received this email too. I opened it but did not open the attachment. Am I safe? Unsure of all this stuff lol