Sponsored by..

Wednesday 2 December 2015

Malware spam: "Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014" / "Fuel Card Services [adminbur@fuelcardgroup.com]"

This fake financial spam is not from Fuel Card Services Ltd but is instead a simple forgery with a malicious attachment:

From     Fuel Card Services [adminbur@fuelcardgroup.com]
Date     Wed, 02 Dec 2015 15:31:16 +0300
Subject     Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014

Please note that this message was sent from an unmonitored mailbox which is unable
to accept replies. If you reply to this e-mail your request will not be actioned.
If you require copy invoices, copy statements, card ordering or card stopping please
e-mail support@fuelcardservices.com quoting your account number which can be found
in the e-mail below. If your query is sales related please e-mail info@fuelcardservices.com.


From: adminbur@fuelcardservices.com

Sent: Wed, 02 Dec 2015 15:31:16 +0300
To: hiett@petroldirect.com
Subject: Shell Fuel Card E-bill 0765017 for Account B500101 31/12/2014

Account: B500101

Please find your e-bill 0765017 for 30/10/2015 attached.

To manage you account online please click http://eservices.fuelcardservices.com

If you would like to order more fuel cards please click http://www.fuelcard-group.com/cardorder/shell-burnley.pdf

If you have any queries, please do not hesitate to contact us.


Cards Admin.
Fuel Card Services Ltd

T 01282 410704
F 0844 870 9837
E support@fuelcardservices.com

Supplied according to our terms and conditions. (see http://www.fuelcardservices.com/ebill.pdf).

Please also note that if you cannot open this attachment and are using Outlook Express
 to view your mail you should select Tools / Options / Security Tab and deselect
option marked "Do not allow attachments to be opened that potentially may be a virus".
 All of our outgoing mail is fully virus scanned but we recommend this facility is
re-enabled if you do not use virus scanning software.

The attachment is name ebill0765017.doc and it comes in two different versions. The payload appears to be identical to this spam run earlier today. The payload is the Dridex banking trojan.

No comments: