Sponsored by..

Friday 19 September 2014

"NatWest Statement" spam.. yet again.

Poor old NatWest is being spoofed again in this spam run that leads to malware..

From:     NatWest.co.uk [noreply@natwest.com]
Date:     19 September 2014 10:40
Subject:     NatWest Statement

 View Your September 2014 Online Financial Activity Statement

Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:

View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank

Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ®
Merchant account, please speak to a Customer Service representative at 1-800-374-2639

NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001 

In this case, the link in the email goes to www.teli.us/ylojwatayv/hjhgoflpob.html which then downloads a file from the same site at www.teli.us/ylojwatayv/Invoice102740_448129486142_pdf.zip - this in turn unzips to a malicious executable Invoice102740_448129486142_pdf.exe which has a VirusTotal detection rate of 1/55.

Analysis of this binary is still pending.

UPDATE: the Anubis report shows network activity to hallerindia.com on 192.185.97.223. I would suggest that this is a good domain to block.

No comments: