Sponsored by..

Wednesday 20 May 2015

Malware spam: "Sky.com / Statement of Account" and "Voice Mail / You have a new voice" via volafile.io

These two spam runs attempt to download malware from volafile.io. To give the folks at Volafile credit, all the malware I have seen linked to has been taken down. I suspect that the payload is the Dyre banking trojan.

From:    Sky.com [statement@sky.com]
Date:    20 May 2015 at 12:30
Subject:    Statement of account


Please find the statement of account, download and view from the link below:


We look forward to receiving payment for the September invoice as this is now due for payment.


This email, including attachments, is private and confidential. If you have received this email in error please notify the sender and delete it from your system. Emails are not secure and may contain viruses. No liability can be accepted for viruses that might be transferred by this email or any attachment. Wilson McKendrick LLP Solicitors, Queens House, 29 St. Vincent Place, Glasgow G1 2DT Registered in Scotland No. SO303162. Members: Mark Wilson LLB Dip. NP LP Allan T. McKendrick LLB Dip. LP NP.


From:    Voice Mail [Voice.Mail@victimdomain]
Date:    20 May 2015 at 12:11
Subject:    You have a new voice

You are receiving this message because we were unable to deliver it, voice message did not go through because the voicemail was unavailable at that moment.

* The reference number for this message is _qvs5419167125_001

The transmission length was 41
Receiving machine ID : BA9R-DUQUC-TY7T

To download and listen your voice mail please follow the link below: https://dl3.volafile.io/download/rnTYPuYNVEX6Jw/statement_00429114.zip

The link to this secure message will expire in 24 hours. If you would like to save a copy of the email or attachment, please save from the opened encrypted email. If an attachment is included, you will be given the option to download a copy of the attachment to your computer.
volafile.io is a pretty uncommon place to share files, so it might be worth looking at your traffic to see if there have been any unexpected requests to that site.

No comments: