FYI...Fake Invoice SPAM
- malicious attachment ...
27 Aug 2014 - "This -fake- invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.
From: Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date: 27 August 2014 10:43
Subject: Tax Invoice for Delivery Note 11155 dated 22.08.14
Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.
Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine ...
Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer have anything to do with this spam email; in fact it originates from a -hacked- machine in India.
The attachment has a VirusTotal detection rate of 5/54*. My PDF.. isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious."
___Malvertising: Not all Java from java .com is legit
Aug 27, 2014 - "... getting a Java exploit via java .com, the primary source for one of the most commonly used browser plugins? Current malvertising campaigns are able to do this... real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware... Malvertising has changed over the years, starting with exploitation of weak advertisement management panels... evolved into pretending to be a legit third-party advertiser with social engineering. The current malvertising techniques are quite deceptive and most of the time only noticeable at the client side.
... It can be a malicious advertiser 3 layers down in the chain, but it can also be on the 1st level... observed multiple high-profile websites -redirecting- their visitors to malware... These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisements aimed at infecting visitors with malware. While monitoring network traffic to and from workstations we observed a higher than usual amount of infections. When investigating these incidents in depth we noticed that they were infected via advertisements served through high-profile websites... the following websites were observed redirecting and/or serving malicious advertisements to their visitors:
The advertisement in this case included the Angler exploit kit. Upon landing on this exploit kit a few checks were done to confirm whether the user is running a vulnerable version of either Java, Flash or Silverlight. If the user was deemed vulnerable, the exploit kit would embed an exploit initiating a download of a malicious payload; in this campaign it was the Asprox malware.
This whole process of malvertising towards an exploit kit is also visualized in the image at the top of this post. Please note, a visitor does -not- need to -click- on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser... ... 3 IPs having been associated with these domains:
- 126.96.36.199: https://www.virustotal.com/en/ip-address/188.8.131.52/information/
- 184.108.40.206: https://www.virustotal.com/en/ip-address/220.127.116.11/information/
- 18.104.22.168
There is no silver bullet to protect yourself from malvertising. At a minimum:
- Enable click-to-play in your browser. This prevents 3rd party plugins from executing automatically.
- Keep all plugins running in the browser up-to-date using tools like Secunia PSI.
- Consider turning off unneeded plugins if you don’t use them. For example, Java can be installed without the web-plugin component lowering the risk of exploitation and infection..."(More detail at the fox-it URL above.)
___"Customer Statements" - malware SPAM
27 Aug 2014 - "This brief spam has a malicious PDF attachment:
From: Accounts [hiqfrancistown910@ gmail .com]
Date: 27 August 2014 09:51
Subject: Customer Statements
Good morning, attached is your statement.
Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55*. Analysis is pending."
___Royal Bank of Canada Payment Spam
Aug 27, 2014 - "Subjects Seen: The Bank INTERAC to Leo Dooley was accepted.
Typical e-mail details: The INTERAC Bank payment $19063.01 (CAD) that you sent to Leo Dooley, was accepted.
The transfer is now complete.
Message recipient: The rating was not provided.
See details in the attached report.
Thank you for using the Service INTERAC Bank RBC Royal Bank.
Malicious File Name and MD5:
Tagged: RBC, Upatre
___AT&T DocuSign Spam
Aug 27, 2014 - "Subjects Seen: Please DocuSign this document: Contract_changes_08_27_2014 .pdf
Typical e-mail details: Hello,
AT&T Contract Changes has sent you a new DocuSign document to view and sign. Please click on the ‘View Documents’ link below to begin signing.
Malicious URLs:
Malicious File Name and MD5:
Tagged: ATT, DocuSigin, Upatre
27 Aug 2014
___ADP Past Due Invoice Spam
Aug 27, 2014 - "Subjects Seen: ADP Past Due Invoice
Typical e-mail details: Your ADP past due invoice is ready for your review at ADP Online Invoice Management .
If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here...
Malicious URLs:
Malicious File Name and MD5:
Tagged: ADP, Upatre
___Fake Payment Advice SPAM - PDF malware
27 Aug 2014 - "'Payment Advice Note from 27.08.2014' is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Disclaimer:
This e-mail is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not represent those of AL-KO KOBER Limited. It may also contain information, which may be privileged and confidential and subject to legal privilege. If you are not the intended recipient, you may not peruse, use, disseminate, distribute or copy this message. If you have received this message in error, please notify the sender immediately by email, facsimile or telephone and return or destroy the original message.
AL-KO KOBER Limited is Registered in England at Companies Registration Office Cardiff with Company number: 492005. AL-KO KOBER Limited, South Warwickshire Business Park, Kineton Road, Southam, Warwickshire, CV47 0AL.
Cell 270 547-9194
27 August 2014: Payment_Advice_Note_27.08.2014.PDF.zip (48 kb)
Extracts to Payment_Advice_Note_27.08.2014.PDF.scr
Current VirusTotal detections: 0/55*. This Payment Advice Note from 27.08.2014 is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected..."
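The double-extension trick above (a .PDF.scr screensaver shipped inside a .PDF.zip, shown as "...PDF" when Windows hides known extensions) is easy to catch at the mail gateway before a user ever sees the icon. The following is an added example, not code from the post or from any of the quoted blogs; it is a small Python 3 attachment checker that flags executable extensions hiding behind a document extension, opens zip attachments in memory to apply the same check to their contents, and shows what Explorer would display with extensions hidden. The extension sets are deliberately short and are assumptions for the example, and the sample zip is constructed inline (it contains a placeholder text blob, not a real executable).

```python
import io
import zipfile

# Assumed, abbreviated lists for this example; a real gateway policy would be broader.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
ARCHIVE_EXTENSIONS = {"zip"}


def classify_filename(name):
    """Classify an attachment by its (case-insensitive) extension chain.

    'executable-masquerading-as-document' is the Payment_Advice_Note_...PDF.scr
    pattern: an executable extension directly preceded by a document extension.
    """
    pieces = name.lower().split(".")
    if len(pieces) < 2:
        return "no-extension"
    ext = pieces[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        if len(pieces) >= 3 and pieces[-2] in DOCUMENT_EXTENSIONS:
            return "executable-masquerading-as-document"
        return "executable"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    if ext in DOCUMENT_EXTENSIONS:
        return "document"
    return "unknown"


def displayed_name_with_hidden_extensions(name):
    """Approximate what Explorer shows with 'hide extensions for known file types'
    enabled: the final extension is dropped, so '...PDF.scr' reads as '...PDF'."""
    stem, dot, _ext = name.rpartition(".")
    return stem if dot else name


def inspect_attachment(name, data):
    """Return a list of (member_name, verdict) for the attachment and, for a zip,
    for every file inside it. Zip contents are only listed, never executed."""
    verdict = classify_filename(name)
    findings = [(name, verdict)]
    if verdict == "archive":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.append((name + "!" + member, classify_filename(member)))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-archive"))
    return findings


def is_blocked(findings):
    """Gateway decision: block if anything in the chain is an executable."""
    return any(v in ("executable", "executable-masquerading-as-document")
               for _, v in findings)


def build_sample_zip():
    """Constructed sample mimicking the post's attachment layout; the member
    body is placeholder text, not an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Advice_Note_27.08.2014.PDF.scr",
                    b"placeholder body, not a real screensaver")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, verdict in inspect_attachment("Payment_Advice_Note_27.08.2014.PDF.zip", sample):
        print(f"{verdict:40s} {member}")
    print("Explorer would show:",
          displayed_name_with_hidden_extensions("Payment_Advice_Note_27.08.2014.PDF.scr"))
    print("blocked:", is_blocked(inspect_attachment("Payment_Advice_Note_27.08.2014.PDF.zip", sample)))
```

The check is purely name-based, which is the point: it needs no detonation and no AV signature, so it catches the sample on the day it scores 0/55 on VirusTotal. A production filter would additionally look at the file's magic bytes (an "MZ" header under a .pdf name) rather than trusting the name at all.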