This example is an email containing the subject of ” Important secure information about your NatWest account” pretending to come from NatWest but actually coming from a look-a-like or typo-squatted domain firstname.lastname@example.org or email@example.com with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan
You can now submit suspicious sites, emails and files via our Submissions system
From: NatWest <firstname.lastname@example.org>
or from: NatWest <email@example.com>
Date: Wed 28/03/2018 11:26
Subject: Important secure information about your NatWest account
If this email is not displayed correctly, please click here.
Click here to add this email to your safe list
Please refer to the Security section in the footer of this email for information about this.
From: Rowney, Sinead (Current Account)
To read the email, download the encrypted secure document and enter your password when requested. You will need Microsoft Office or any Doc readers to view your secure message.
You have received a new secure message:
We will never ask you for your full PIN and Password
To read your secure message , follow the instructions below.
1. Download SecureMessage.doc attachment( typically at the top or bottom; location varies by email service).
2. Your document password is: N82E1682023NSM.
3. Enter your password when prompted.
The secure message expires on March 02, 2017 @ 09:21 AM (GMT)
We’re here to help
For further information about the scheme (including amounts covered and eligibility to claim) please ask at your local branch, refer to the FSCS website www.fscs.org.uk or call 0800 678 1100.
About this email
Please do not reply to this email, the address this email was sent from is not monitored. If you need to speak to us about this email, please refer to the Contact Us section of our website.
This email is only intended for the above addressee. If you are sure you are not the intended recipient of this email and have received it in error, please delete the email.
We take your security seriously and are always looking for ways to improve this. We have started to use the second half of your postcode as an additional security feature on our emails. This easily recognisable piece of information is an additional way to help you identify that this email is likely to be from us. However, you should still treat all emails that appear to be from us with caution and continue to follow the existing email security advice below and at natwest.com/security
If emails do not contain partial postcode please treat them with your usual caution. Emails may not contain partial postcode if you have not provided this information to us or if you have recently changed address. If so, please contact your branch to update your address. If you suspect it is a phishing email please forward it to firstname.lastname@example.org
Many internet users have recently been targeted through bogus emails by fraudsters claiming to be from the Bank. These emails ask customers to provide personal details or Banking Security Information in order to reactivate an account or verify an email address. Please be on your guard against emails that request any of your security details. If you receive an email like this you should not respond. Please remember that, for security reasons, apart from when you create them at registration or when you change your Internet PIN or Password we will only ever ask you to enter random characters from your Internet PIN and Password when you log on to this service. We would never ask you by email to enter (or record) these details and we would therefore request that you do not respond to email asking for this information. If you think an email that appears to be from us is actually a phishing email, please forward it to email@example.com
For further information about this and Internet Security in general, please refer to natwest.com/security
This email message is confidential and for use by the addressee only. If the message is received by anyone other than the addressee, please delete it from your computer. National Westminster Bank Plc does not accept responsibility for changes made to this message after it was sent.
Whilst all reasonable care has been taken to avoid the transmission of viruses, it is the responsibility of the recipient to ensure that onward transmission, opening or use of this message and any attachments will not adversely affect its systems or data. No responsibility is accepted by National Westminster Bank Plc in this regard and the recipient should carry out such virus and other checks as it considers appropriate.
National Westminster Bank Plc, Registered in England No. 929027. Registered Office: 135 Bishopsgate, London EC2M 3UR.
We are authorised and regulated by the Financial Services Authority. Except for Consumer Credit where we are licensed by The Office of Fair Trading.
NatWest has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank, file hosting service or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domains are, as usual, registered via Godaddy as registrar using privacy protection services.
- natwestmessage.com 18.104.22.168 AS49981 WorldStream B.V. | 22.214.171.124 AS60117 Host Sailor Ltd.
- natwest-message.com 126.96.36.199 AS60117 Host Sailor Ltd | 188.8.131.52 AS62370 Snel.com B.V.
As usual you don’t need the password / passcode inserted in the email body. just opening the word doc and enabling macros will download the Trickbot banking trojan
This malware docx file downloads from http://m-tensou.net/svoren.png which of course is not an image file but a renamed .exe file that gets renamed again ( VirusTotal)
An alternate download location is: http://interbanx.co.id/svoren.png
All modern versions of word and other office programs, that is 2010, 2013, 2016 and 365, should open all Microsoft office documents that is Word docs, Excel spreadsheet files and PowerPoint etc that are downloaded from the web or received in an email automatically in “protected view” that stops any embedded malware, macros and DDE “exploit /Feature” and embedded ole objects from being displayed and running. Make sure protected view is set in all office programs to protect you and your company from these sorts of attacks and do not over ride it to edit the document. If the protected mode bar appears when opening the document DO NOT follow the advice they give to enable macros or enable editing to see the content. The document will have a warning message, but you will be safe.
Be aware that there are a lot of other dodgy word docs spreading that WILL infect you with no action from you, if you are still using an out dated or vulnerable version of word. This is a good reason to update your office programs to a recent version and stop using office 2003 and 2007. Many of us have continued to use older versions of word and other office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version.
The risks in using older version are now seriously outweighing the convenience, benefits and cost of keeping an old version going.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them
I strongly urge you to update your office software to the latest version and stop putting yourself at risk, using old out of date software.