"Morupule Coal Mine" malware spam

This fake invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.

From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date:     27 August 2014 10:43
Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14

Hello ,   

Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.

Thank you      
Regards

Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine
Private Bag 35
Palapye,Botswana
Tel:  +267 494 1204
Cell: +267 71373569
Fax:  +267 4920643


Debswana Diamond Company Email Disclaimer: The information contained in this e-mail is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not use, copy, distribute or disclose the e-mail or any part of its contents or take any action in reliance on it. If you have received this e-mail in error, please e-mail the sender by replying to this message. All reasonable precautions have been taken to ensure no viruses are present in this e-mail and the sender cannot accept responsibility for loss or damage arising from the use of this e-mail or attachments.

Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer are anything to do with this spam email, in fact it originates from a hacked machine in India.

The attachment has a VirusTotal detection rate of 5/54. My PDF-fu isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious.

Scam: "brunerinvestment.com" is not The Brunner Investment Trust PLC

This simple spam is backed up by a fairly sophisticated fake website.

From:     brunner investment [investment@brunner.com]
Reply-To:     brunnerinvestment@gmail.com
To:     50
Date:     24 July 2014 12:08

Dear

The Brunner Trust PLC, is working on expanding its international portfolio Globally and financing projects in form of debt financing from the tune of $1million to $500million,
we also offer personal and business loans from the tune of $100,000 USD to $1,000,000.00 USD

We would be happy to receive an Executive summary to see if you have any Viable project we can finance and partner together
by making financial investment in Form of soft loans.

Email your projects summary to us at: info@brunerinvestment.com

Regards,
Stefan Hofrichter
Chief Economist and Head of Global Economics & Strategy

The Brunner Investment Trust PLC is a real organisation with a website at brunner.co.uk - the domain that the spammers are soliciting replies to is brunerinvestment.com (note the missing "n" in "brunner"). It was registered on 31st May 2014 with anonymous WHOIS details.

This is the real Brunner Invesment Trust site:

And this is the fake one:

The differences are subtle:

Of course the main purpose of the web site is to encourage you to think that you are talking to a real person, to which end the contact details are completely fake:

Although the postal address is correct, the rest of the details are fake:

Brunner Investment Trust Plc
199 Bishopsgate,
London, EC2M 3TY
Tel:+44 703 195 6304
Tel/Fax: +44 745 227 1933
Email: info@brunerinvestment.com
brunnerinvestment@gmail.com

The telephone numbers quotes appear to be "follow me anywhere" numbers that forward to another number, which could be anywhere in the world.

So what's the scam? Well, there's probably an up-front fee to even discuss financing.. and if it's like this recent scam it could be tens of thousands of dollars. Of course, there is no financing available (remember that this is a fake site, not the Brunner Investment Trust) and once the scammers have your money they will vanish.

I note as well that the site is fairly well done although somewhat buggy (and it randomly pops up adverts) which looks rather like the same cloned websites I discussed earlier this month.

Some technical details for this - the site is hosted on 93.188.160.4 which is allocated to Hostinger International in Lithunia (although the servers might be in Amsterdam). The spam originates from 168.167.134.124 (Botswana Telecommunications Corporation) via an unknown mail relay on 82.105.253.84 (Telecom Italia, Verona, Italy).

Avoid.