Category: macro virus | My Online Security

trickbot via fake HSBC Payment Advice

Posted on 7 December 2018 12:43 pm by Myonlinesecurity8 December 2018 6:23 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Advice Ref: 2 / Customer Ref: P” pretends to come from HSBC but actually comes from “DoNotReply@pa-hsbc.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using XLS Excel spreadsheet files. It looks like there might be some changes to the Trickbot modules & binaries today. We haven’t seen any Trickbot targeting … Continue reading →

More Fake DHL invoices delivering Remcos RAT via office XML files

Posted on 30 November 2018 6:10 am by Myonlinesecurity30 November 2018 6:10 am

An old favourite lure with this email with the subject of “DHL Shipping of Original invoice B/L dated 26/10/2018” pretending to come from DHL EXPRESS – < noreply@dhl.com > with a malicious word doc attachment delivers Remcos RAT The idea of Fake DHL invoices or delivery notes is nothing new. What is different about this campaign is the way the criminals are using non standard Office XML files with base 64 encoded sections containing the macros instead of proper office ( word) docs. These still open in Microsoft Office and will run. They still open in Protected view mode, so … Continue reading →

Fake Amazon Cyber Monday coupon delivers Emotet

Posted on 29 November 2018 1:57 pm by Myonlinesecurity29 November 2018 1:57 pm

I don’t normally post much about Emotet here for a few reasons. I don’t see much sent to me in UK, although it is prolific. The emails are generally so generic and are fake invoices or orders, with nothing particularly interesting or alerting to warn about. They either attach macro enabled word docs or as in this case are using links in emails to dozens or even hundreds of compromised sites to deliver malicious word docs. Each word doc is individually generated and the file hash either changes on each visit to the compromised site or changes every few minutes. … Continue reading →

trickbot via fake BACs Transaction Report – Important Information!

Posted on 22 November 2018 2:52 pm by Myonlinesecurity22 November 2018 2:52 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” BACs Transaction Report – Important Information! ” Pretends to come from The Bacs service but is actually coming from “bacs.report@bacs-reports.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have either a malicious office file attachment or link to download the malicious office doc or XLS file from a remote website. The BACS service has not been hacked or had … Continue reading →

trickbot via fake Danske Bank Transaction Report – Important Information!

Posted on 21 November 2018 6:18 pm by Myonlinesecurity21 November 2018 6:18 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” Transaction Report – Important Information! ” pretends to come from Danske Bank but actually comes from “danske.bank@danskebankcom.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. today again they are using XLS Excel Spreadsheet files Danske Bankhas not been hacked or had their email or other servers compromised. They are not sending the emails to … Continue reading →

trickbot via Fake ADP Notification – Transaction Report

Posted on 20 November 2018 7:56 pm by Myonlinesecurity20 November 2018 7:56 pm 2

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “ADP Notification – Transaction Report” pretends to come from ADP Automatic Data Processing, Inc but actually comes from “donotreply@adp-report.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment.Today again they are using XLS Excel spreadsheet files. This is the 3rd Trickbot campaign on Tuesday 20th November 2018. This one targets USA / Canada. I received numerous … Continue reading →

trickbot via Fake NatWest BankLine Support “FW: Recent Activity “

Posted on 20 November 2018 12:29 pm by Myonlinesecurity20 November 2018 12:29 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “FW: Recent Activity ” pretends to come from Lorna Davis at NatWest Bankline but actually comes from “donotreply@bankline-reports.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment Today again they are using XLS ( Excel Spreadsheet) files. NatWest Bankline has not been hacked or had their email or other servers compromised. They are not sending the … Continue reading →

Trickbot via fake Bank of America Merrill Lync “FW: Updated Account Transactions “

Posted on 20 November 2018 6:07 am by Myonlinesecurity20 November 2018 6:07 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “FW: Updated Account Transactions ” pretends to come from somebody named Michael L. Lucia at Bank of America Merrill Lync but actually comes from “michael.lucia@secmail-bofa.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment, this one has an XLS (Excel Spreadsheet) file attachment. Bank of America Merrill Lync has not been hacked or had their email or … Continue reading →

Trickbot via Fake HMRC Important : Outstanding Amount – You Owe £11,612.91

Posted on 19 November 2018 12:49 pm by Myonlinesecurity19 November 2018 12:49 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email saying you owe £11,612.91 with the subject of “Important : Outstanding Amount” pretends to come from HMRC but actually comes from “donotreply@hmrc-payert-gov.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment, today they are using macro enabled XLS excel spreadsheets. HMRC has not been hacked or had their email or other servers compromised. They are not sending the emails to … Continue reading →

trickbot via fake Lloyds Bank “Important : please review attached document(s) “

Posted on 16 November 2018 12:30 pm by Myonlinesecurity17 November 2018 7:04 am 6

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Important : please review attached document(s) ” pretends to come from Lloyds Bank but actually comes from “donotreply@lloydsbankdocs.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have either a malicious office file attachment Lloyds Bank has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims … Continue reading →

My Online Security

Keep yourself safe online

Category Archives: macro virus