From: bhlivetickets@bhlive.co.uk
Date: 8 September 2014 08:43
Subject: Confirmation of Order Number 484914
ORDER CONFIRMATION
Order Number: 484914
Order Date: 07-09-2014 13:00
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL, SENT TO [redacted]. Please print ALL PAGES of the PDF file attached to the email and bring them with you to gain admission to the event. The attachment requires that you have the Adobe Acrobat Reader installed on your computer. If you do not have Adobe Acrobat Reader installed, please click HERE to download and install this program.
TICKETS
Peter Pan
Bournemouth Pavilion Theatre
Tue 23 Dec 2014 - 7:00 PM
QTY  TICKET TYPE                          PRICE EACH  TOTAL
3    Early Bird - Price A                 18.00       54.00
6    Early Bird Child Under 16 - Price A  15.00       90.00
Ticket Information: Circle/A 35-30 (6), Circle/B 33-31 (3)
DELIVERY METHOD: Print At Home - E-Ticket(s) are attached to this order confirmation (You must be able to open and print a PDF file)
AMOUNT: 1.00
PAYMENTS
TYPE: Mastercard Sale
#: ************7006
DATE: 03-09-2014 13:00
AMOUNT: 145.00
Please keep this confirmation in a safe place.
THIS IS NOT YOUR TICKET
YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL
Please call 0844 576 3000 if there are any errors in your order, if you have not received your tickets as expected, or if you have any questions.
BH Live Tickets
Exeter Road, Bournemouth, BH2 5BH
Tel: 0844 576 3000
bhlivetickets@bhlive.co.uk
http://www.bhlivetickets.co.uk
VAT Reg: 108 2248 37
TICKETS: 144.00
CHARGES: 1.00
TOTAL: 145.00
PAYMENTS RECEIVED: 145.00
These emails are not from BH Live Tickets and their systems have not been compromised in any way. Instead, these emails are a forgery with an attachment (tickets.3130599.zip or similar) which in turn contains a malicious executable (in this case tickets.332091.exe).
The VirusTotal detection rate for this malware is just 3/55. Comodo CAMAS reports that this downloads an additional component from tiptrans.com.tr/333 which has a VirusTotal detection rate of 4/51.
According to ThreatExpert, this second component POSTs some information to 80.94.160.129:8080 (OVH, France) and also appears to contact 92.222.46.165 (National Academy Of Sciences Of Belarus).
Recommended blocklist (plancomunicacion.net was added in the 2014-09-09 update below):
tiptrans.com.tr
plancomunicacion.net
92.222.46.165
80.94.160.129
Added: there is at least one other version of the malicious binary, for example this one. I have seen some reports that there are more.
UPDATE 2014-09-09:
A second spam run is in progress, essentially the same as the first one except some now have a subject in the form "Confirmation of E-Tickets Order Number 0088658".
There are two new binaries, well detected by anti-virus products with a VirusTotal score of 27/55 and 25/54.
In one case the binary downloaded an additional component from plancomunicacion.net/333 which has a detection rate of 25/54 and according to the ThreatExpert report has the same characteristics as before.
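The analysis above describes a forged order confirmation carrying a zip with an executable inside, plus a short blocklist of second-stage hosts. As an added example (not part of the original post, and not BH Live's code), the Python below triages a raw message for exactly that pattern and matches proxy-log URLs against the blocklist; the sample message is constructed here, and its zip member is a harmless placeholder, not the real binary.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Indicators are the ones quoted in the write-up above.
SUBJECT_RE = re.compile(r"^Confirmation of (E-Tickets )?Order Number \d+$")
BLOCKLIST = {"tiptrans.com.tr", "plancomunicacion.net", "92.222.46.165", "80.94.160.129"}
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js")

def triage_message(raw: bytes) -> dict:
    """Flag a raw RFC 822 message that has this campaign's subject and a zip hiding an executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_match = bool(SUBJECT_RE.match(str(msg.get("Subject", "")).strip()))
    executables = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes too: renaming the attachment does not change its content.
        if name.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    executables += [m for m in zf.namelist() if m.lower().endswith(EXEC_EXT)]
            except zipfile.BadZipFile:
                executables.append(f"{name} (unreadable zip)")
    return {"subject_match": subject_match, "executables_in_zip": executables,
            "suspicious": subject_match and bool(executables)}

def host_blocked(url: str) -> bool:
    """Match a URL or bare host taken from proxy/DNS logs against the blocklist."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower() in BLOCKLIST

def build_sample() -> bytes:
    """Constructed lookalike of the spam; the zip member is a stand-in, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tickets.332091.exe", b"MZ placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "bhlivetickets@bhlive.co.uk"
    msg["Subject"] = "Confirmation of Order Number 484914"
    msg.set_content("YOUR E-TICKET(S) ARE ATTACHED TO THIS EMAIL")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="tickets.3130599.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(triage_message(build_sample()))
```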
Also, the people operating BH Live have put a notice on their website:
Concerns raised over emails purporting to be from BH Live Tickets
Published on 8 September 2014
Bournemouth, UK, 8 September – At approximately 7.30 this morning BH Live started to receive a high volume of calls from members of the public in connection with an email purporting to come from BH Live Tickets. The email contains attachment(s) and hyperlinks relating to a booking for Peter Pan.
BH Live's Information Security teams together with information technology professionals and suppliers have investigated the matter and confirm that its internal systems have not been breached and that the emails were sent from known SPAM IP addresses. The emails are not genuine and do not originate from BH Live. A number of precautionary measures have been taken to ensure data, systems and networks continue to be protected.
The public is advised to delete these emails and not to open any attachments or links, to ensure they are running the most up-to-date security products, and to ensure that the operating system has been updated to the latest version. It is recommended that anyone receiving these emails update their passwords over the coming days.
BH Live continues to monitor the situation and is posting updates via websites and social media channels.