Showing posts sorted by date for query sage.

Friday, 25 August 2017

Malware spam: "Your Sage subscription invoice is ready" / noreply@sagetop.com

This fake Sage invoice leads to Locky ransomware. Quite why Sage are picked on so much by the bad guys is a bit of a mystery.

Subject:       Your Sage subscription invoice is ready
From:       "noreply@sagetop.com" [noreply@sagetop.com]
Date:       Thu, August 24, 2017 8:49 pm

Dear Customer

Your Sage subscription invoice is now ready to view.

Sage subscriptions

To view your Sage subscription invoice click here 

Got a question about your invoice?

Call us on 0845 111 6604

If you're an Accountant, please call 0845 111 1197
If you're a Business Partner, please call 0845 111 7787

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service
message, not a marketing communication. This email was sent from an address that
cannot accept replies. Please use the contact details above if you need to get in
touch with us.

The link in the email downloads a malicious RAR file. The samples I saw were closely clustered alphabetically.

helpmatheogrow.com/SINV0709.rar
hendrikvankerkhove.be/SINV0709.rar
heinverwer.nl/SINV0709.rar
help.ads.gov.ba/SINV0709.rar
harvia.uz/SINV0709.rar

The RAR file itself contains a malicious VBS script that looks like this [pastebin] with a detection rate of 19/56, which attempts to download another component from:

go-coo.jp/HygHGF
hausgerhard.com/HygHGF
hausgadum.de/HygHGF
bromesterionod.net/af/HygHGF
hartwig-mau.de/HygHGF
hecam.de/HygHGF
haboosh-law.com/HygHGF
hbwconsultants.nl/HygHGF
hansstock.de/HygHGF
heimatverein-menne.de/HygHGF

Automated analysis of the file [1] [2] shows a dropped binary with a 39/64 detection rate, POSTing to 46.183.165.45/imageload.cgi (Reg.Ru, Russia).

Recommended blocklist:
46.183.165.45




Thursday, 17 November 2016

Malware spam: "Sage Invoice [service@sage-invoices.com]" / "Outdated Invoice" leads to Trickbot

This fake financial spam leads to the Trickbot banking trojan.

From:    Sage Invoice [service@sage-invoices.com]
Date:    17 November 2016 at 10:54
Subject:    Outdated Invoice

This is a customer service e-mail from © Sage (UK) Limited to [redacted]
   
Sage Invoice Payments
Outdated Invoice

You have an outdated invoice from Sage Invoice Payments that needs your attention. To find out more details on this invoice, please see the enclosed document attached to this email.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.
This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Attached is a malicious Word document named SageInvoice.doc with a detection rate of 3/54. Hybrid Analysis shows malicious network traffic to:

substan.merahost.ru/petrov.bin  [185.86.77.224] (Mulgin Alexander Sergeevich aka gmhost.com.ua, Ukraine)

A malicious file scsnsys.exe is dropped with a detection rate of 8/53.

The domain sage-invoices.com has been registered by criminals for this action, presumably to allow encrypted end-to-end communication. The no doubt fake WHOIS details are:

Registry Registrant ID: Not Available From Registry
Registrant Name: Antonio Padula
Registrant Organization: Weighpack Systems Inc
Registrant Street: 5605 Rue Cypihot
Registrant City: Saint Laurent
Registrant State/Province: Quebec
Registrant Postal Code: H4S 1R3
Registrant Country: CA
Registrant Phone: +1.5144243344
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: test@orasore.com


I recommend that you block traffic from that domain or check your filters to see who may have it.

Recommended blocklist:
sage-invoices.com [email]
185.86.77.0/24
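The blocklists in this post and in the Locky post above mix three kinds of entry: single IPs, CIDR ranges and domains, with "[email]" marking a sender domain rather than a web host. The following Python script is an added example (not part of the original post, and not a Dynamoo tool): it parses such a list and then runs it over constructed Squid-style proxy and Postfix-style mail log lines, matching requested hosts and peer addresses against the IP entries and envelope sender domains against the email entries. The log lines are made up for illustration; the blocklist entries are the ones given above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Blocklist entries taken from the posts above (2016 Trickbot run, 2017 Locky run).
# "[email]" tags a sender domain to block at the mail gateway rather than a web host.
BLOCKLIST = """
46.183.165.45
sage-invoices.com [email]
185.86.77.0/24
"""


def parse_blocklist(text):
    """Split a blocklist into IP networks, web domains and sender (email) domains."""
    nets, web_domains, mail_domains = [], set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry, _, tag = line.partition(" ")
        try:
            # A bare IP becomes a /32; a CIDR stays a network.
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass
        if "email" in tag:
            mail_domains.add(entry.lower())
        else:
            web_domains.add(entry.lower())
    return nets, web_domains, mail_domains


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def host_matches(host, nets, domains):
    """Match an IP against the networks, or a hostname against the domains."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in n for n in nets)
    except ValueError:
        return domain_matches(host, domains)


# Constructed sample logs (not from the page). Squid native format:
# ts elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
PROXY_LOG = """\
1479380112.512 210 10.0.0.12 TCP_MISS/200 5120 GET http://substan.merahost.ru/petrov.bin - DIRECT/185.86.77.224 application/octet-stream
1479380130.004 35 10.0.0.14 TCP_MISS/200 812 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1503596000.100 90 10.0.0.20 TCP_MISS/200 402 POST http://46.183.165.45/imageload.cgi - DIRECT/46.183.165.45 text/plain
"""

# Constructed Postfix-style lines; only the envelope sender is inspected.
MAIL_LOG = """\
Nov 17 10:54:01 mx postfix/smtpd[1234]: NOQUEUE: client=unknown[203.0.113.7], from=<service@sage-invoices.com>, to=<user@example.org>
Nov 17 10:55:09 mx postfix/smtpd[1234]: NOQUEUE: client=unknown[203.0.113.8], from=<billing@example.net>, to=<user@example.org>
"""


def scan_proxy_log(text, nets, web_domains):
    """Return proxy log lines whose requested host or peer IP is blocklisted."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        url, peer = fields[6], fields[8]
        host = urlsplit(url).hostname or ""
        peer_ip = peer.split("/", 1)[-1]
        if host_matches(host, nets, web_domains) or host_matches(peer_ip, nets, set()):
            hits.append(line)
    return hits


SENDER_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def scan_mail_log(text, mail_domains):
    """Return mail log lines whose envelope sender domain is blocklisted."""
    hits = []
    for line in text.splitlines():
        m = SENDER_RE.search(line)
        if m and domain_matches(m.group(1), mail_domains):
            hits.append(line)
    return hits


if __name__ == "__main__":
    nets, web, mail = parse_blocklist(BLOCKLIST)
    for hit in scan_proxy_log(PROXY_LOG, nets, web) + scan_mail_log(MAIL_LOG, mail):
        print("BLOCKLIST HIT:", hit)
```

Matching on the peer address as well as the URL host is what catches the petrov.bin download: the hostname substan.merahost.ru is not itself listed, but the /24 it resolves into is.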

Thursday, 11 February 2016

Malware spam: "Your Sage Pay Invoice INV00318132" / Sagepay EU [accounts@sagepay.com]

This spam does not come from Sage Pay but is instead a simple forgery with a malicious attachment:

From:    Sagepay EU [accounts@sagepay.com]
Date:    11 February 2016 at 13:21
Subject:    Your Sage Pay Invoice INV00318132


Please find attached your invoice.

We are making improvements to our billing systems to help serve you better and because of that the attached invoice will look different from your previous ones.  You should have already received an email that outlined the changes, however if you have any questions please contact accounts@sagepay.com or call 0845 111 44 55.

Kind regards

Sage Pay
0845 111 44 55

Attached is a file INV00318132_V0072048_12312014.xls which appears to come in a wide variety of different versions (at least 11). The VirusTotal detection rate for a subset of these is 4/54 [1] [2] [3] [4] [5] [6]. Only a single Malwr report seemed to work, indicating the macro downloading from:

www.phraseculte.fr/09u8h76f/65fg67n

This dropped executable has a detection rate of 3/54. The Malwr report shows it phoning home to:

84.38.67.231 (ispOne business GmbH, Germany)

I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.

Tuesday, 12 January 2016

Malware spam: "Copy of our CREDIT NOTE number 00000962064" / "SANTAN [sfernandes@simplesimon.co.uk]"

This fake financial spam has a malicious attachment:

From:    SANTAN [sfernandes@simplesimon.co.uk]
To:    POLLY [olga@bayley-sage.co.uk]
Date:    12 January 2016 at 10:55
Subject:    Copy of our CREDIT NOTE number 00000962064

This message contains 1 pages in Microsoft Word format.

Both the "From" and "To" fields are fake. Attached is a document fax00065189.doc that I have seen two versions of (VirusTotal results [1] [2]). The Malwr reports for those two files [3] [4] show that this is trying to deliver the Dridex banking trojan, as described here.

Monday, 21 September 2015

Malware spam: "Your Sage subscription invoice is ready" / "noreply@sage.com"

This fake Sage email contains a malicious attachment.

From:    noreply@sage.com [noreply@sage.com]
Date:    21 September 2015 at 11:30
Subject:    Your Sage subscription invoice is ready

Dear Ralph Spivey

Account number: 45877254

Your Sage subscription invoice is now online and ready to view.

Sage One subscriptions

    Please follow the link bellow to view/download your account invoice: http://www.sageone.co.uk/

Got a question about your invoice?

Call us on 1890 88 5045

If you're an Accountant, please call 1890 92 21 06
If you're a Business Partner, please call 1890 94 53 85

Kind Regards

The Sage UK Subscription Team

Please note: There is no unsubscribe option on this email, as it is a service message, not a marketing communication. This email was sent from an address that cannot accept replies. Please use the contact details above if you need to get in touch with us.

The link in the email actually goes to a download location at Cubby rather than sageone.co.uk. This downloads a file invoice.zip, which in turn contains a malicious executable invoice.scr with a VirusTotal detection rate of 1/56. The Hybrid Analysis report shows that this is Upatre dropping the Dyre banking trojan; one key indication of infection is traffic to the IP 197.149.90.166 in Nigeria.

Thursday, 2 April 2015

Malware spam: "Sage Invoice [invoice@sage.com]" / "Outdated Invoice"

This fake financial email is not from Sage but is a simple forgery that leads to malware.

From:    Sage Invoice [invoice@sage.com]
Date:    2 April 2015 at 12:24
Subject:    Outdated Invoice

Sage Logo

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25,
Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

The link in the email does not in fact go to Sage, but downloads a file from hightail.com. The payload is identical to the one used in this concurrent spam run.

Friday, 17 October 2014

Sage "Outdated Invoice" spam spreads malware via cubbyusercontent.com

This fake Sage email spreads malware using a service called Cubby, whatever that is.

From:     Sage Account & Payroll [invoice@sage.com]
Date:     17 October 2014 10:28
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?864394=Invoice_032414.zip


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Despite appearances, the link in the email (in this case) actually goes to https://www.cubbyusercontent.com/pl/Invoice_032414.zip/_8deb77d3530f43be8a3166544b8fee9d and it downloads a file Invoice_032414.zip. This in turn contains a malicious executable Invoice_032414.exe which has a VirusTotal detection rate of 3/53. The Malwr report shows HTTP conversations with the following URLs:

http://188.165.214.6:15600/1710uk3/HOME/0/51-SP3/0/
http://188.165.214.6:15600/1710uk3/HOME/1/0/0/
http://188.165.214.6:15600/1710uk3/HOME/41/5/1/
http://tonysenior.co.uk/images/IR/1710uk3.osa


188.165.214.6 is, not surprisingly, allocated to OVH France. In turn, the malware drops an executable bcwyw.exe (VT 6/54, Malwr report) which communicates with 66.102.253.25 (a China Telecom address located in the US in a Rackspace IP range), and also moxbk.exe (VT 1/52, Malwr report).

Recommended blocklist:
188.165.214.6
66.102.253.25
tonysenior.co.uk

Thursday, 25 September 2014

Malware spam: RBS "BACS Transfer" / Sage "Outdated Invoice" / Lloyds "Important - Commercial Documents" / NatWest "Important - New account invoice"

There seems to be a very aggressive spam run this morning, with at least four different email formats pushing the same malicious download.

RBS / Riley Crabtree: "BACS Transfer : Remittance for JSAG814GBP"

From:     Riley Crabtree [creditdepart@rbs.co.uk]
Date:     25 September 2014 10:58
Subject:     BACS Transfer : Remittance for JSAG814GBP

We have arranged a BACS transfer to your bank for the following amount : 4946.00
Please find details at our secure link below:

http://shetabweb.com/bvqsyphiwq/cdddcetuex.html

Sage Account & Payroll: "Outdated Invoice"

From:     Sage Account & Payroll [invoice@sage.com]
Date:     25 September 2014 10:53
Subject:     Outdated Invoice

Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?928143=Invoice_092514.zip

If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

Lloyds Commercial Bank: "Important - Commercial Documents"

From:     Lloyds Commercial Bank [secure@lloydsbank.com]
Date:     25 September 2014 11:36
Subject:     Important - Commercial Documents

Important account documents

Reference: C400
Case number: 05363392
Please review BACs documents.

Click link below, download and open document. (PDF Adobe file)
----------------------
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html
-----------------------

Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager. .

Yours faithfully

James Vance
Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email. 

NatWest Invoice: "Important - New account invoice"

From:     NatWest Invoice [invoice@natwest.com]
Date:     25 September 2014 10:28
Subject:     Important - New account invoice

Your latest NatWest invoice has been uploaded for your review. If you have any questions regarding this invoice, please contact your NatWest service team at the number provided on the invoice for assistance.
To view/download your invoice please click here or follow the link below :

https://www.nwolb.com/ServiceManagement/InvoicePageNoMenu.aspx?InvoiceCode=Invoice_232449


Thank you for choosing NatWest.

Important: Please do not respond to this message. It comes from an unattended mailbox.


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

The Royal Bank of Scotland International Limited trading as NatWest (NatWest). Registered Office: P.O. Box 64, Royal Bank House, 71 Bath Street, St. Helier, Jersey JE4 8PJ. Regulated by the Jersey Financial Services Commission.

The links in the emails go to different download locations to make it harder to block:

http://shetabweb.com/bvqsyphiwq/cdddcetuex.html
http://convergika.com/atlbhffykf/rdtlixjoot.html
http://calastargate.net/iqfhtfqinv/ybzhlpbjkh.html
http://fantastyka.nets.pl/irdmewoars/jyfiqmcojv.html


There are probably many, many more locations. In each case the page then prompts the victim to download the file Invoice_09252014.zip from the same directory as the html file.

This ZIP file contains a malicious executable Invoice_09252014.scr which currently has a VirusTotal detection rate of 3/54. The Anubis report shows that it phones home to ukrchina-logistics.com which is probably worth blocking or monitoring access to.


Monday, 15 September 2014

Sage "Outdated Invoice" spam

Another day, another fake Sage email leading to malware:

From:     Sage Invoice [invoice@sage.com]
Date:     15 September 2014 12:08
Subject:     Outdated Invoice

Sage Logo
 Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

https://invoice.sage.co.uk/Account?336541=Invoice_090914.zip


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25, Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

In the sample I had, the link in the email went to:

[donotclick]flashsavant.com/fauvugalwr/czkyfybjyt.html

which then attempted to load scripts from:

[donotclick]vicklovesmila.com/tpfkmryrfl/jjbyrihwib.js 
[donotclick]coursstagephoto.com/hmgjmyuliz/tbjzpxgspx.js 

which in turn downloads an archive file from:

[donotclick]www.florensegoethe.com.br/emailmmkt/Invoice18642.zip
[donotclick]petitepanda.net/emailmmkt/Invoice18642.zip

This ZIP file contains a malicious executable Invoice18642.scr which has a VirusTotal detection rate of just 1/55. The ThreatTrack report [pdf] shows that it attempts to communicate with the following resources:

188.165.204.210/1509uk1/NODE01/0/51-SP3/0/
188.165.204.210/1509uk1/NODE01/1/0/0/
green-fuel.us/upload/box/1509uk1.ltc
www.green-fuel.us/upload/box/1509uk1.ltc


Recommended blocklist:
188.165.204.210
green-fuel.us
petitepanda.net
florensegoethe.com.br
coursstagephoto.com
vicklovesmila.com
flashsavant.com





Tuesday, 9 September 2014

Sage "Outdated Invoice" spam

This fake Sage email leads to a malicious file.

From:     Sage Account & Payroll [invoice@sage.com]
Date:     9 September 2014 13:31
Subject:     Outdated Invoice
Sage Logo
 Sage Account & Payroll

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:


If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to [redacted]. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies.

We have communicated this information with users as well, and we will continue to communicate with you through email as your transition continues.

This email was sent to: [redacted]

This email was sent by: Sage UK Limited
NC1-002-08-25,
Newcastle upon Tyne., North Park, NE13 9AA, United Kingdom

Privacy and Security
Keeping your financial information secure is one of our most important responsibilities. For an explanation of how we manage customer information, please read our Privacy Policy. You can also learn how Sage UK Limited keeps your personal information secure and how you can help protect yourself.

The link in the email does not go to invoice.sage.co.uk at all, but loads a page from:
[donotclick]anphucconduit.com/cslxpnzwzg/jnxxblpzjn.html

which in turn executes the following scripts:
[donotclick]lager.leadhoster.com/jflguwjgdk/rqkypcjgqt.js
[donotclick]northinc.com/mlfbxurfhn/pctxizxtfd.js
[donotclick]www.drhousesrl.it/lpwfszqqjt/gttigxxhme.js
[donotclick]mariatome.myartsonline.com/ykfmbdqqrm/jgawguxmub.js

those scripts attempt to download a malicious .ZIP file from the following locations:
[donotclick]cartadegintonics.com/js/jquery/invoice_090914.zip
[donotclick]anpilainate.org/bin/invoice_090914.zip
[donotclick]raggiottoimpianti.it/wp-content/uploads/2014/08/invoice_090914.zip
[donotclick]importedjewelryoutlet.com/include/invoice_090914.zip


You would have expected an exploit kit after all this hard work, but no: it's a plain old ZIP file (invoice_090914.zip) containing a malicious executable invoice_090914.scr, which has a VirusTotal detection rate of 8/55.

The ThreatTrack report [pdf] and Anubis report show that the malware attempts to make a connection to:
vaderhopland.be/js/9k1.cl
95.141.37.158/0909uk1/NODE01/0/51-SP3/0/
95.141.37.158/0909uk1/NODE01/1/0/0/
95.141.37.158/0909uk1/NODE01/41/5/4/


Recommended blocklist:
95.141.37.158
vaderhopland.be
anphucconduit.com
lager.leadhoster.com
northinc.com
drhousesrl.it
mariatome.myartsonline.com
cartadegintonics.com
anpilainate.org
raggiottoimpianti.it
importedjewelryoutlet.com


Thursday, 4 September 2014

sage.co.uk "Invoice_7104304" spam

This fake invoice from Sage is actually a malicious PDF file:

From:     Margarita.Crowe@sage.co.uk [Margarita.Crowe@sage.co.uk]
Date:     23 July 2014 10:31
Subject:     FW: Invoice_7104304

Please see attached copy of the original invoice (Invoice_7104304).

Attached is a file sage_invoice_3074381_09042014.pdf which is identical to the payload for this Companies House spam circulated earlier.

Tuesday, 20 May 2014

Fake Sage Invoice spam leads to malware

This fake Sage spam leads to malware:

Date:      Tue, 20 May 2014 09:20:53 +0100 [04:20:53 EDT]
From:      Sage [Wilbur.Contreras@sage-mail.com]
Subject:      FW: Invoice_6895366

Please see attached copy of the original invoice (Invoice_6895366). 

Attached is an archive file Invoice6895366.zip which in turn contains a malicious executable Invoice200522014.scr which has a VirusTotal detection rate of 8/52.

The Malwr analysis shows that it then goes on to download further components from [donotclick]protecca.com/fonts/2005UKdp.zip some of which are:
 These appear to be part of a peer-to-peer Zbot infection.

Tuesday, 8 April 2014

Sage "Please see attached copy of the original invoice" spam

This fake Sage spam comes with a malicious attachment:

Date:      Tue, 8 Apr 2014 08:65:82 GMT
From:      Sage [Merrill.Sterling@sage-mail.com]
Subject:      RE: BACs #3421309

Please see attached copy of the original invoice. 

Attached is a file BACs-3421309.zip which in turn contains a malicious executable BACs-040814.exe which has a VirusTotal detection rate of 10/51.

The Malwr analysis shows that it attempts to download a configuration file from [donotclick]hemblecreations.com/images/n0804UKd.dim and then it attempts to connect to a number of other domains and IP addresses.

Recommended blocklist:
50.116.4.71
aulbbiwslxpvvphxnjij.biz
twplfztldagaydcacebqpypm.net
aidyhnzrkqomndihmttglrcmpf.com
jnojswlbzdxondfahwgbmluyl.ru
wcaebnfwljamemlzhqwqsovzlfq.com
skirtrslbtjrjfphemnnjqowuus.biz
uobihirghyscvswgwolneuscyamh.org
hvchqgyzfitaiugmbmifdwclrk.info
hemblecreations.com

Saturday, 1 February 2014

African Human Right and Refugees Protection Council (AHRRPC) scam

This spam email is actually part of an advanced fee fraud setup:

From:     fernando derossi fernandderossi59@gmail.com
To:     fernandderossi59@gmail.com
Date:     1 February 2014 13:22
Subject:     URGENT FOOD STUFF SUPPLY NEED FOR REFUGEES
Signed by:     gmail.com

Dear Sir:

My company has been mandated to look for a company capable of
supplying food stuffs product listed bellow by the  AFRICAN HUMAN
RIGHT AND REFUGEES PROTECTION COUNCIL (AHRRPC) for  assisting of the
refugee within the war affected countries IN middle east and Africa
like MALI,SYRIA, SOMALIA, CENTRAL AFRICA, and SOUTH SUDAN, which after
going through your company's profile, have decided to know if your
company is interested.

            Below are the list of food Stuffs and the targeted value
needed by (AHRRPC)

1.  Rice
2.  Beans
3.  Milk powder
4.  Sugar
5.  Vegetable Oil
6.  Used Cloths
7.  Wheat Flour
8.  White corn meal
9.  Corn Cooking oil
10. Cumin seed oil
11. Ground nut
12. Sage Oil
13. Soya bean oil
14. Palm oil
15.  Fresh Vegetables
16.  Fresh fruits
17.  Cocoa powder.

We will be happy to work with you company only as representing agent
to secure an allocation for your company while in return your company
will give us comission as soon as your receive your contract value. We
will give you more details about the contract when we recieve your
reply.

Regards,

Mr.Fernando Derossi
AHRRPC AGENT
Website:www.ahrrpc.8k.com
Bamako-Mali in West Africa.

The email links to a website at www.ahrrpc.8k.com which set off all sorts of alarms on my virus scanner, but I think it is just an ad-laden free web hosting site, and purports to be from the African Human Right and Refugees Protection Council (AHRRPC).


Of course, there is no such organisation as this and probably the main thrust of the scam is that there will be an "arrangement fee" payable in order to sell these goods.. and once the fee is paid the scammers will disappear.

One thing that I noticed is that "Mr Fernando Derossi" has a Google+ profile.. so is it a case that the Google account has been hijacked? Well, a simple way to find out is to take the image and upload it to Google Images (by clicking the little camera icon). That gives several positive matches for the photo, which has been stolen from a French model and actor called Jean-Georges Brunet. In fact, poor Monsieur Brunet has had his picture stolen before for other types of scam.

Give any approaches from the so-called African Human Right and Refugees Protection Council (AHRRPC) a very wide berth. And remember, if you want to verify who a photo actually belongs to then Google Images is an excellent resource.

Monday, 4 November 2013

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

This fake SAGE spam has a malicious attachment:

Date:      Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From:      Payroll Reports [payroll@sage.co.uk]

Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.

Sincerely,
Bernice Swanson

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you. 

Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with an icon that makes it look like an Excel spreadsheet.

This malware has a VirusTotal detection rate of just 4/47, and automated analysis tools [1] [2] [3] show an attempted connection to goyhenetche.com on 184.154.15.188 (Singlehop, US), a server that hosts many legitimate domains but some more questionable ones too.

Tuesday, 16 December 2008

"IE 7 users: stop looking at porn now!"


This zero day vulnerability in Internet Explorer has already been very widely publicised. There are no effective workarounds for the problem until Microsoft patch it.. apart from using a different browser.

The aptly named Zero Day blog has this sage piece of advice: "IE 7 users: stop looking at porn now!" Simply put, randomly surfing for smut, warez, illegal torrents or anything like that* is likely to infect your machine if you are running IE.

In fact, because there's no such thing as a safe site you should consider ditching IE altogether. If you're running Windows then probably one of the safest things you can do is get Firefox, add the NoScript extension and then ensure that your PC is fully up-to-date by using the Secunia Software Inspector. Even security firms such as CA and Trend Micro have had their sites compromised to serve up malware in the past, so you can never be too careful...

* or Myspace.. or Facebook..