Sponsored by..

Thursday 25 September 2014

Malware spam: RBS "BACS Transfer" / Sage "Outdated Invoice" / Lloyds "Important - Commercial Documents" / NatWest "Important - New account invoice"

There seems to be a very aggressive spam run this morning, with at least four different email formats pushing the same malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"

From:     Riley Crabtree [creditdepart@rbs.co.uk]
Date:     25 September 2014 10:58
Subject:     BACS Transfer : Remittance for JSAG814GBP

We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link below:


Sage Account & Payroll: "Outdated Invoice"

From:     Sage Account & Payroll [invoice@sage.com]
Date:     25 September 2014 10:53
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Lloyds Commercial Bank: "Important - Commercial Documents"

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     25 September 2014 11:36
Subject:     Important - Commercial Documents

Important account documents

Reference: C400
Case number: 05363392
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

NatWest Invoice: "Important - New account invoice

From:     NatWest Invoice [invoice@natwest.com]
Date:     25 September 2014 10:28
Subject:     Important - New account invoice

Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below :


Thank you for choosing NatWest.

Important: Please do not respond to this message. It comes from an unattended mailbox.

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.
The links in the emails go to different download locations to make it harder to block:


There are probably many, many more locations. In each case the page then downloads the victim to download file Invoice_09252014.zip from the same directory as the html file.

This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54. The Anubis report shows that it phones home to ukrchina-logistics.com which is probably worth blocking or monitoring access to.

No comments: