Sponsored by..

Monday 15 September 2014

Sage "Outdated Invoice" spam

Another day, another fake Sage email leading to malware:

From:     Sage Invoice [invoice@sage.com]
Date:     15 September 2014 12:08
Subject:     Outdated Invoice

Sage Logo
 Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?336541=Invoice_090914.zip


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.
In the sample I had, the link in the email went to:

[donotclick]flashsavant.com/fauvugalwr/czkyfybjyt.html

which then attempted to load scripts from:

[donotclick]vicklovesmila.com/tpfkmryrfl/jjbyrihwib.js 
[donotclick]coursstagephoto.com/hmgjmyuliz/tbjzpxgspx.js 

which in turn downloads an archive file from:

[donotclick]www.florensegoethe.com.br/emailmmkt/Invoice18642.zip
[donotclick]petitepanda.net/emailmmkt/Invoice18642.zip

This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows that it attempts to communicate with the following resources:

188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel.us/upload/box/1509uk1.ltc
www.green-fuel.us/upload/box/1509uk1.ltc


Recommended blocklist:
188.165.204.210
green-fuel.us
petitepanda.net
florensegoethe.com.br
coursstagephoto.com
vicklovesmila.com
flashsavant.com





No comments: