This example is an email alleging to be a customer complaint, with the subject “FW: Case 27627831”, pretending to come from Dun & Bradstreet but actually coming from “firstname.lastname@example.org”, a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. It carries a malicious Word doc attachment and is today’s latest spoof of a well-known company, bank or public authority delivering the Trickbot banking Trojan, targeting the USA.
From: Dun & Bradstreet <email@example.com>
Date: Thu 26/07/2018 17:57
Subject: FW: Case 27627831
Dun & Bradstreet has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer’s concern are included on the reverse. Please review this matter and advise us of your position.
In the interest of time and good customer relations, please provide the DnB with written verification of your position in this matter by July 27, 2018. Your prompt response will allow DnB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.
The Dun & Bradstreet develops and maintains Reliability Reports on companies across the United States and Canada. This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Dun and BradStreet. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.
We encourage you to print this complaint (attached file), answer the questions and respond to us.
We look forward to your prompt attention to this matter.
Dun & Bradstreet
103 JFK Parkway
To ensure delivery of Dun & Bradstreet Credibility Corp. emails to your inbox and to enable images to load in future mailings, please add firstname.lastname@example.org to your email address book or safe senders list.
© 2018 Dun & Bradstreet Credibility Corp. Dun & Bradstreet Credibility Corp. 103 JFK Parkway, Short Hills, NJ 07078
Dun & Bradstreet has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine company, bank, government or message-sending services. Normally there is only one newly registered domain imitating Companies House, HMRC, another government department, a bank, a file hosting service or a message-sending service, chosen so that it can easily be confused with the genuine organisation in some way, hosted on and sending emails from 4 different servers. Some days, however, we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domain is, as usual, registered via GoDaddy as registrar. Because of the new GDPR rules we cannot easily find the registrant’s name or any further details.
- dnbcomplaint.com hosted on & sending emails via 22.214.171.124 | 126.96.36.199 | 188.8.131.52 | 184.108.40.206
Continuing with the behaviour we have been seeing recently with the macros on these Word docs, they are using an ActiveX control to start and run the macro, so it needs an extra couple of clicks from the victim to get infected. The control is different today. I can’t work out exactly what control is being used. You actually have to enable ActiveX content, then close the Word doc and re-open it for the macro to fire off while using anyrun. I am not sure if this is the same behaviour on a real computer or only in the VM.
The alternate Download location is http://watchlifematters.com/mov.ie
The folder for the files & configs is: C:\Users\[User]\AppData\Roaming\msdesk
In the same way as today’s earlier Trickbot campaign targeting the UK spoofing HSBC, we see both of the compromised websites being used to distribute the Trickbot binary are on the same server, 220.127.116.11 (Namecheap), so that possibly indicates a compromise of the server rather than individual sites being compromised. That makes 4 different sites on the same server compromised today.
All modern versions of Word and other Office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft Office documents (Word docs, Excel spreadsheet files, PowerPoint etc.) that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware, macros, the DDE “exploit/feature” and embedded OLE objects from being displayed and running. Make sure protected view is set in all Office programs to protect you and your company from these sorts of attacks, and do not override it to edit the document. If the protected view bar appears when opening the document, DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will show a warning message, but you will be safe.
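To check the settings the paragraph above relies on, here is an added PowerShell audit (example code, not from the original post). It assumes Office 2016/365 under the 16.0 registry key and reads only the per-user (HKCU) values; the Policies path is the one Group Policy writes for the Mark-of-the-Web macro block.

```powershell
# Added example (not from the original post): read-only audit of the per-user
# Office settings that decide whether a document like this one can run its macro.
# Assumption: Office 2016/365, registry version key 16.0 (2010 = 14.0, 2013 = 15.0).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-RegDword([string]$Path, [string]$Name) {
    # Return the DWORD value, or $null when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-OfficeHardening {
    # Office-wide ActiveX kill switch; this lure needs an ActiveX control to start its macro
    $activeXOff = (Get-RegDword 'HKCU:\Software\Microsoft\Office\Common\Security' 'DisableAllActiveX') -eq 1

    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $pol = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $pv  = "$sec\ProtectedView"

        # Under ProtectedView a value of 1 DISABLES that Protected View trigger,
        # so "absent or 0" means Protected View is still on for that source.
        $pvInternet    = Get-RegDword $pv 'DisableInternetFilesInPV'
        $pvAttachments = Get-RegDword $pv 'DisableAttachmentsInPV'
        # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
        # 3 = only digitally signed, 4 = disable all without notification
        $vbaWarnings = Get-RegDword $sec 'VBAWarnings'
        $macroSetting = if ($null -eq $vbaWarnings) { 'default (2)' } else { $vbaWarnings }
        # Policy that blocks macros outright in files carrying the Mark-of-the-Web
        $blockMotw = Get-RegDword $pol 'BlockContentExecutionFromInternet'

        [pscustomobject]@{
            App                      = $app
            ProtectedViewInternet    = ($pvInternet -ne 1)
            ProtectedViewAttachments = ($pvAttachments -ne 1)
            MacrosBlockedFromWeb     = ($blockMotw -eq 1)
            MacroSetting             = $macroSetting
            ActiveXDisabled          = $activeXOff
        }
    }
}

# Any row showing a Protected View column as False, or MacrosBlockedFromWeb as False
# with MacroSetting 1 or 2, is a user who can be talked into "Enable Editing/Content".
Test-OfficeHardening | Format-Table -AutoSize
```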
Be aware that there are a lot of other dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs because they are convenient, have the functions and settings we are used to, and we have never seen a need to update to the latest super-duper version.
The risks of using older versions now seriously outweigh the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about Word macro malware and how to avoid being infected by it.
I strongly urge you to update your Office software to the latest version and stop putting yourself at risk by using old, out-of-date software.
Email from: email@example.com