Sep 19 2014
 

TNT UK Limited Package tracking, pretending to come from TNT COURIER SERVICE <tracking@tnt.co.uk>, is another one from the current bot runs that try to download various Zbot variants, CryptoLocker and other ransomware, and a lot of other malware onto your computer. They use sender addresses and subject lines chosen to entice a user into reading the email and opening the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they get from consumers.

Almost all of these also carry a password-stealing component, aimed at your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many are also designed specifically to steal your Facebook and other social-network login details.

All the alleged senders, companies, employee names and phone numbers mentioned in these emails are innocent and have simply been picked at random. Some of the companies will exist and some won’t. Don’t try to respond by phone or email: all you will do is reach an innocent person or company whose details have been spoofed, picked at random from a long list the bad guys found earlier. The bad guys choose companies, government departments and organisations, and subject lines, designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

The email looks like:

TNT COURIER SERVICE (TCS)

Customer/Delivery Services Department

Central Pk Est/Mosley Rd, Trafford Park

Manchester, M17 1TT UK.

DETAILS OF PACKAGE

Reg order no: 460911612900

Your package have been picked up and is ready for dispatch.

Connote #: 460911612900

Service Type: Export Non Documents – Intl

Shipped on: 18 Sep 14 12:00

Order No: 4240629

Status: Driver’s Return

Description: Wrong Address

Service Options: You are required to select a service option below.

The options, together with their associated conditions.

Please check attachment to view information about the sender and package.

 

19 September 2014: Label_GB1909201488725UK_pdf.zip extracts to Label_GB1909201488725UK_pdf.exe. Current VirusTotal detections: 5/55.

This TNT UK Limited Package tracking attachment is another of the executables that carry a spoofed document icon. Unless you have Windows set to show file extensions for known file types, it will look like a proper PDF file instead of the .exe it really is, making it much more likely that you open it by accident and get infected.

Be very careful with email attachments. All of these emails use social-engineering tricks to persuade you to open the attachment. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type they use every day.

The basic rule is NEVER open an email attachment unless you are expecting it. That is very easy to say but quite hard to put into practice, because we all get emails with files attached. Our friends and family love to send us pictures of themselves doing silly things, or cute pictures of the children or pets.

Never just blindly click the file in your email program. Always save it to your Downloads folder so you can check it first. Most (if not all) malicious files attached to emails have a misleading extension, the part after the last dot in the file name (usually, but not always, three letters). Unfortunately Windows hides extensions for known file types by default, so open Folder Options and untick “Hide extensions for known file types” (administrators can enforce the same thing by setting the HideFileExt value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to 0). Then when you unzip the file that supposedly contains the pictures of “Sally’s dog catching a ball”, or a report in Word format that work has supposedly sent you to finish at the weekend, you can see whether it really is a picture or a document and not a program. If you see .EXE, .COM, .PIF or .SCR at the end of the file name, DO NOT click it or try to open it; it will infect you. Those are not the only extensions Windows will run (.BAT, .CMD, .VBS and .JS are others), so treat anything that is not the document type you were expecting as hostile.

While the malicious program is inside the zip file it cannot harm you or run by itself, and sitting unzipped in your Downloads folder it won’t infect you either, provided you don’t run it. Just delete the zip and any extracted file and everything will be OK; you can always run an antivirus scan to be sure. One caveat: a standard .zip cannot launch anything on its own. What looks like an archive that “runs when you open it” is usually a self-extracting archive, which is really an .exe wearing an archive icon, or a file inside the compressed-folder view that has been double-clicked. If you save the zip to a folder first, right-click it and choose extract here or extract to folder, that risk is virtually eliminated. Never open a zip directly from your email; that is a guaranteed way to get infected. The best course is simply to delete the unexpected zip and not risk any infection.
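The checks described above, turned into a small triage script. This is an added example and not code from the original post: it builds a constructed ZIP in memory whose member names and leading bytes mimic the attachment described (nothing in it is the real malware; the “executable” members are a few bytes starting with the MZ marker every Windows PE file carries), then inspects the saved file without extracting or running anything. It first checks whether the attachment is really a ZIP or a self-extracting executable, then lists each member, flags executable extensions and disguised double extensions such as `_pdf.exe`, and compares each member’s first bytes with what its extension promises. The extension and signature lists are my own choices and deliberately short.

```python
"""Triage a saved email attachment without opening it.

Added example (not the original post's code). The sample ZIP is
constructed in memory and contains no real malware: the "executable"
members are a few bytes that start with the MZ marker every Windows
PE file carries.
"""
import io
import zipfile

# Extensions Windows will execute when double-clicked (not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js", "jar", "lnk"}
# Types the lures usually pretend to be; a tuple so results are deterministic.
LURE_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png")
# Leading bytes ("magic") for the types we can recognise.
MAGIC = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound file (legacy Office)
    "xls": b"\xd0\xcf\x11\xe0",
}


def attachment_type(data):
    """What the saved attachment really is, judged by its first bytes."""
    if data.startswith(b"MZ"):
        return "executable (possibly a self-extracting archive)"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def split_extension(name):
    """Lower-cased (stem, extension) of the last path component."""
    base = name.rsplit("/", 1)[-1].lower()
    if "." not in base:
        return base, ""
    stem, ext = base.rsplit(".", 1)
    return stem, ext


def classify_name(name):
    """Reasons a member name looks suspicious, from the name alone."""
    reasons = []
    stem, ext = split_extension(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # Double extension: invoice.pdf.exe, photo.jpg.scr, Label_..._pdf.exe
    for lure in LURE_EXTENSIONS:
        if stem.endswith("." + lure) or stem.endswith("_" + lure):
            reasons.append(f"pretends to be .{lure}")
            break
    return reasons


def classify_content(ext, head):
    """Compare a member's leading bytes with what its extension promises."""
    if head.startswith(b"MZ"):
        return "content is a Windows executable (MZ header)"
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        return f"content does not match .{ext} signature"
    return None


def triage_zip(data):
    """Inspect every member of a ZIP (given as bytes) without extracting it.

    Returns {member name: [reasons]}; an empty list means nothing was flagged.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            _, ext = split_extension(info.filename)
            with zf.open(info) as member:
                head = member.read(8)   # only the header, never the whole file
            content_reason = classify_content(ext, head)
            if content_reason:
                reasons.append(content_reason)
            findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample mimicking the lure; no real malware inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_GB1909201488725UK_pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 30)   # exe with a .pdf name
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print("attachment is:", attachment_type(sample))
    for name, reasons in triage_zip(sample).items():
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10s} {name}: {'; '.join(reasons) or 'nothing flagged'}")
```

Only the first eight bytes of each member are read, so the script never writes an extracted copy to disk; if `attachment_type` reports an executable, stop there, because what you saved was never a zip in the first place.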

 

Sep 19 2014
 

City of London Police Homicide Suspect  pretending to come from City of London Police is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice

Read More....
Sep 19 2014
 
NatWest Statement - fake PDF malware

NatWest Statement pretending to come from NatWest.co.uk < noreply@natwest.com >  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm you

Read More....
Sep 19 2014
 

In exactly the same way as yesterday’s Don Kelly dkmaxconstruction.com max invoice 018 PDF, we are receiving hundreds of emails with a subject of TP E-Billing for Sep 19 Seq No 0018 (0208ALD837) Region 001 pretending to come from ebilling@travisperkins.co.uk.

So far all copies are corrupt and only display as plain text with a text starting

Read More....

eFax Report fake PDF malware

Last updated 18 September 2014 at 3:24 pm. Categories: EXE-in-ZIP, Malware, Spam and phishing, Zbot
Sep 18 2014
 

eFax Report pretending to come from eFax Report <noreply@efax-reports.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm you into blindly

Read More....
Sep 18 2014
 
Nat West Important - New account invoice  - fake PDF malware

Nat West Important – New account invoice pretending to come from NatWest Invoice <invoice@natwest.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice

Read More....
Sep 18 2014
 

Your transaction is completed pretending to be from NatWest <reports@nwolb.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm you

Read More....
Sep 18 2014
 

Hundreds of emails are being received with a subject of max invoice 018 PDF pretending to come from Don Kelly <don@dkmaxconstruction.com>. So far all copies are corrupt and only display as plain text, starting:

–Apple-Mail-D98E8E62-14AF-4694-8DB2-BAB93A632D99
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

–Apple-Mail-D98E8E62-14AF-4694-8DB2-BAB93A632D99
Content-Type: application/zip; name=”max invoice 019.zip”
Content-Disposition: attachment; filename=”max invoice 019.zip”
Content-Transfer-Encoding: base64

It looks like the bad guys have made a mistake in sending these emails, so hopefully the majority of users will be protected (for now). However, on previous experience they will soon correct it and send them out again. They will turn out to be another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in

Read More....
Sep 18 2014
 
Delta Airlines e-tickets Thank you for your order -fake word doc malware

Delta Airlines e-tickets Thank you for your order pretending to come from Delta Air Lines < random name @random company >is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with

Read More....

ADP Invoice – PDF malware

Last updated 17 September 2014 at 6:33 pm. Categories: Adobe, Adobe reader, Malware, PDF, Spam and phishing, Zbot
Sep 17 2014
 
ADP Invoice -  PDF malware

ADP Invoice, pretending to come from billing.address.updates@adp.com, is another one from the current bot runs.
They are attaching what appears to be a genuine PDF file that is malformed and has a malicious script embedded. Whether it works depends on which version of Adobe Reader you use: older ones are definitely vulnerable to this exploit, and hopefully the most recent one will be safe (but I won’t guarantee that). As far as I can tell they are using an exploit from 2013 that was fixed in an Adobe Security Bulletin. Make sure you are using a version of Adobe Reader that has been declared free from this vulnerability. Please read my previous post on infected malformed PDF attachments to emails.

This week there has been an update to Adobe Reader which fixes new vulnerabilities. I don’t know yet whether these malicious PDF files exploit that new set of vulnerabilities or just carry on with the older ones.

Read More....
Sep 17 2014
 
The Furniture Market TFM Confirmation - Order R12003585  PDF malware

The Furniture Market TFM Confirmation – Order R12003585, pretending to come from Marc – The Furniture Market, is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer.
All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

The Furniture Market is a genuine UK company, but they are not sending these emails. Their systems haven’t been hacked or compromised. They are just the most recent in a long line of innocent companies chosen at random to be as much of a victim as the recipient of the malware-laden email.

They are attaching what appears to be a genuine PDF file that is malformed and has a malicious script embedded. Whether it works depends on which version of Adobe Reader you use: older ones are definitely vulnerable to this exploit, and hopefully the most recent one will be safe (but I won’t guarantee that). As far as I can tell they are using an exploit from 2013 that was fixed in an Adobe Security Bulletin. Make sure you are using a version of Adobe Reader that has been declared free from this vulnerability. Please read my previous post on infected malformed PDF attachments to emails.

This week there has been an update to Adobe Reader which fixes new vulnerabilities. I don’t know yet whether these malicious PDF files exploit that new set of vulnerabilities or just carry on with the older ones.

Read More....
Sep 17 2014
 

Strabane Weekly News INV0071981 – Newspaper copy is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment.

Read More....
Sep 17 2014
 
UKFast invoice - fake PDF malware

UKFast invoice, pretending to come from UKFast Accounts, is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) login credentials. Many of them are also designed to specifically steal your Facebook and other social network login details.

All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

UKFast is a genuine UK hosting company. They are not sending these emails, and their systems and email show no signs of being hacked or compromised. UKFast are just the latest in the long line of companies picked on at random by the bad guys.

The Subject: and To: lines on these emails are blank.

Read More....
Sep 16 2014
 

Australian Taxation Office – Refund Notification pretending to come from Australian Taxation Office <noreply@ato.gov.au> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you

Read More....

Security updates for Adobe Acrobat and Reader

Last updated 16 September 2014 at 6:46 pm. Categories: Adobe, Adobe reader, PDF
Sep 16 2014
 

Security updates for Adobe Acrobat and Reader have just been released addressing eight vulnerabilities in both the Windows and Mac versions. The affected versions are Reader and Acrobat X 10.1.11 and earlier, and Reader and Acrobat XI 11.0.08 and earlier, for Windows and Mac.

The updates were originally scheduled to be released a week ago, but were delayed due to problems in testing.

The new versions are Reader and Acrobat X 10.1.12 and Reader and Acrobat XI 11.0.09 for Windows and Mac. Individual users can apply the updates using the “Check for Updates” option on the Help menu; check Help > About afterwards to confirm the version number actually changed.

Read More....