Sep 30, 2014

Delta Air Thank you for your order, sent to bookings@uktservices.com with you BCC-copied in, and pretending to come from Delta Air <login@proche-hair.com>, is another one from the current bot runs which try to download various Zbots, Cryptolocker, ransomware and loads of other malware on to your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details.

All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who has had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.

The email looks like:

Order Notification,

E-TICKET NUMBER / ET-98191471

SEAT / 79F/ZONE 1

DATE / TIME 2 OCTOBER, 2014, 11:15 PM

ARRIVING / Berlin

FORM OF PAYMENT / XXXXXX

TOTAL PRICE / 214.61 GBP

REF / OE.2368 ST / OK

BAG / 3PC

Your electronic ticket is attached to the letter as a scan document.

You can print your ticket.

Thank you for your attention.

Delta Air Lines.

 

30 September 2014: ET-17843879.zip: Extracts to: DT-ET_5859799188.exe Current VirusTotal detections: 4/55

2nd version 30 September 2014: ET-17843879.zip: Extracts to: DT-ET_97701619116022_30.09.pdf.exe Current VirusTotal detections: 4/55

This Delta Air Thank you for your order is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper Microsoft Word .doc file instead of the .exe file it really is, making it much more likely for you to accidentally open it and be infected.

Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who regularly receives PDF attachments, Word .doc attachments or any other common file type that you use every day.

The basic rule is NEVER open any attachment to an email unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.

Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Most (if not all) malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name, after the last dot. Unfortunately Windows by default hides the file extensions, so you need to set your folder options to “show known file types”. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball”, or a report in Word document format that work has supposedly sent you to finish working on at the weekend, you can easily see if it is a picture or document and not a malicious program. If you see .EXE or .COM or .PIF or .SCR at the end of the file name DO NOT click on it or try to open it; it will infect you.

While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file. If you right click any suspicious zip file received and select “extract here” or “extract to folder” (after saving the zip to a folder on the computer), that risk is virtually eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.
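A defensive check for the extension tricks described above, added here and not part of the original post: it lists a zip's members without extracting anything, flags the executable extensions the post names and the decoy double extension (.pdf.exe), and shows the name Explorer would display with known extensions hidden. The zip is constructed in memory from the sample file names in the post with harmless text payloads; the function names are my own.

```python
"""Inspect a zip attachment's member names without extracting anything.

Flags executable extensions (.exe/.com/.pif/.scr), a decoy document
extension placed in front of one (.pdf.exe), and shows what Windows
Explorer would display with 'Hide extensions for known file types' on.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the post warns about (kept to the ones it names).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr"}
# Document/image extensions typically used as the decoy in a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt", ".xls"}


def displayed_name(filename: str) -> str:
    """Name as shown with known extensions hidden: the final extension is
    stripped, so 'x.pdf.exe' appears as 'x.pdf' and 'x.exe' as 'x'."""
    p = PurePosixPath(filename)
    return p.stem if p.suffix else filename


def classify(filename: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for one member name."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return "ok"
    if suffixes[-1] in EXECUTABLE_EXTS:
        # e.g. ['.09', '.pdf', '.exe'] -> decoy '.pdf' right before '.exe'
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            return "double-extension"
        return "executable"
    return "ok"


def inspect_zip(data: bytes) -> list[dict]:
    """List every file member of an in-memory zip with its verdict.
    Only the central directory is read; no member is ever extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            findings.append({
                "member": info.filename,
                "shown_as": displayed_name(name),
                "verdict": classify(name),
                "size": info.file_size,
            })
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample: a zip built in memory with harmless text payloads
    under the member names from the post (no real malware involved)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


SAMPLE = build_sample_zip({
    "DT-ET_97701619116022_30.09.pdf.exe": b"not a real program",
    "DT-ET_5859799188.exe": b"not a real program",
    "sallys_dog.jpg": b"not really a picture",
})

if __name__ == "__main__":
    for f in inspect_zip(SAMPLE):
        print(f"{f['verdict']:17} {f['member']:38} shown as: {f['shown_as']}")
```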

 

Sep 29, 2014

New Voicemail Message SUY-301 coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into

Read More....
Sep 29, 2014

Order statsus: Order confirmation: 9618161864 coming from random names at random companies is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. There are numerous slightly different versions of this email all with different names and phone numbers and companies and all saying basically the same. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the

Read More....
Sep 29, 2014

Your Invoice from Complete Office Solutions pretending to come from donotreply@c-o-s.co.uk is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm

Read More....
Sep 29, 2014

Remittance Advice !!! pretending to come from SITA UK < info@sita.co.uk > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or

Read More....
Sep 26, 2014

User Roles Waiting For Approval pretending to come from RBC Express <ISVAdmin@rbc.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm

Read More....
Sep 26, 2014

Barclays Transaction not complete is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm you into blindly opening the attachment or

Read More....
Sep 26, 2014
Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf- fake PDF malware

Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf  pretending to come from DocuSign System <dse@docusign.net> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are

Read More....
Sep 26, 2014
Payment Details [Incident: 274427-168586] - fake PDF malware

Payment Details [Incident: 274427-168586] is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm you into blindly opening the attachment or

Read More....
Sep 26, 2014
Amazon Account Confirmation - phishing

Account Confirmation pretending to come from Amazon.co.uk <auto-confirm@amazon.co.uk> is a phishing email designed to get your Amazon log in details and then your bank, credit card, address and personal details so they can imitate you and take over your accounts and clean you out email looks like Your Orders | Your Account | Amazon.co.uk $ Account Confirmation Account #951-75862333-175322 Hello , Thank you for shopping with us. We’d like to let you know that We need tvo confirm your account information, you must confirm your amazon account before we close it . Click the link below to confirm your account information using our secure server   If you want more information or need more assistance, go to Help. Thank you for shopping with us. Amazon.co.uk Unless otherwise noted, items sold by Amazon.co.uk LLC are subject to sales tax in select states in accordance with the applicable laws of that state. If your order contains one or more items from a seller other than Amazon.co.uk LLC, it may be subject to state and local sales tax, depending upon the seller’s business policies and the location of their operations. Learn more about tax and seller information. This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.            

Read More....
Sep 26, 2014

Goods Despatched pretending to come from post@sparex.co.uk has a broken attachment that won’t unzip or extract. I am sure that when the bad guys discover this, they will soon send out a revised copy that will turn out to be another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. There is a brief write up on https://techhelplist.com/index.php/spam-list/648-goods-despatched-virus where he has kindly converted the broken file and made it work, so you can see what damage it would have done if the bad guys had sent it out properly. You are very lucky that they broke this one. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all

Read More....
Sep 25, 2014

You have received a voice mail pretending to come from Microsoft Outlook [no-reply@Your domain]  is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice

Read More....
Sep 25, 2014

BCA Banking 24.09.14 pretending to come from hallsaccounts <hallsaccounts@hallsgb.com> is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Almost all of these also have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are all innocent and are just picked at random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person  or company  who have had their details spoofed and picked at random from a long list that the bad guys have previously found.  The bad guys choose companies, Government departments and organisations  with subjects that are designed to entice you or alarm you into

Read More....
Sep 25, 2014

A major vulnerability in the Bash shell has been disclosed today. This vulnerability may impact many WordPress themes and plugins and other publishing platforms, web applications and web server platforms. Any shell execution or shell function that is performed by a web application, including the storage of request data in environment variables, may present an attack vector that allows the execution of arbitrary code. In plain English, that means that systems that have not updated their version of ‘bash’ and who provide web hosting in any form, whether it’s WordPress hosting or another platform like Joomla, may allow remote attackers to upload files, execute arbitrary commands, exfiltrate data, send spam email and more. The Redhat Security Blog has additional details. A GNU Bash patch is also available for experienced users and administrators to implement. Operating systems with updates include: CentOS, Debian, Redhat and Ubuntu. If you use cPanel and daily automatic updates are enabled then an update will automatically come down the pipe. If you don’t have automatic updates on your server enabled, then do a cPanel update immediately or at least do an update of server and system software from the cPanel/WHM interface. For server admins without cPanel, most Linux distributions have issued updates and a yum check-update followed by yum update should find the new package and update your system. The latest

Read More....
Sep 24, 2014
American Express - Security concern on Data breach at Home Depot - phishing

We are seeing quite a few American Express phishing attempts trying to get your American Express details. These are very well crafted and look identical to genuine American Express emails. The senders appear to be from American Express until you look carefully at the email headers. Do not click any links in these emails. Hover your mouse over the links and you will see a web address that isn’t American Express. Immediately delete the email; the safest way to make sure that it isn’t a genuine email from American Express is to type the American Express web address in your browser and then log in to the account that way. Today’s version is the American Express – Security concern on Data breach at Home Depot, which is a change to previous versions to attempt to make it more believable and attractive for you to click the link and give your details. They are using the recent Home Depot hack and the consequent fraudulent transactions that are being taken from many victims’ accounts to scare you into ignoring the usual precautions and get you to give them your details. Email looks like: Dear Customer: We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to

Read More....