An email with the subject "Your latest BT OneBill is available now", pretending to come from BT but actually sent from a different domain (email@example.com) that can just about be mistaken for a genuine BT email address, is today's latest spoof of a well-known company, bank or public authority delivering the Dridex banking Trojan.
They are using email addresses and subjects that will scare, persuade or entice you to read the email and open the attachment.
Remember that many email clients, especially on a mobile phone or tablet, only show the Name in the From: field and not the bit in <domain.com>. That is why these scams and phishes work so well.
BT has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today's spoofed domain is, as usual, registered via eranet.com as registrar. It was registered on 29 August 2017 by the criminals:
btdnet.com hosted on 18.104.22.168 OVH
This particular email was sent from IP 22.214.171.124, but a quick lookup of the domain details shows that these criminals have also set up a whole range of IP addresses to be able to send these emails and pass authentication checks.
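A mail-filter style check for the two tricks described above (a brand name or brand-like address in the display name while the real sender domain is a lookalike, and body links that point away from the brand). This is an added example, not code from the original post; the brand allow-list and the sample body are constructed assumptions.

```python
"""Added example: flag display-name spoofing, lookalike sender domains and
off-brand links. The BRAND_DOMAINS allow-list is an assumption for illustration."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of domains each brand really sends mail from.
BRAND_DOMAINS = {"bt": {"bt.com", "btinternet.com"}}

# Constructed sample body: the phish link host from the post plus a genuine BT link.
SAMPLE_BODY = (
    "Your latest BT OneBill is ready to download from "
    "https://mccabelawyers-my.sharepoint.com/personal/x/_layouts/15/guestaccess.aspx?docid=abc "
    "Help: https://www.bt.com/help"
)


def sender_parts(from_header):
    """Split a From: header into (display name, lower-cased address domain)."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def brands_named(text):
    """Brands whose name appears as a whole token in the display name.
    Catches 'BT Business' and also 'billing@bt.com' used as a display name."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return {brand for brand in BRAND_DOMAINS if brand in tokens}


def classify_from(from_header):
    """Return 'ok', 'display-name-spoof', 'lookalike-domain' or 'clean'."""
    name, domain = sender_parts(from_header)
    claimed = brands_named(name)
    if any(domain in BRAND_DOMAINS[b] for b in claimed):
        return "ok"
    if claimed:
        # The client shows the brand; the address behind it is not the brand's.
        return "display-name-spoof"
    for brand, allowed in BRAND_DOMAINS.items():
        # Crude substring heuristic: btdnet.com embeds 'bt' but is not a BT domain.
        if brand in domain.split(".")[0] and domain not in allowed:
            return "lookalike-domain"
    return "clean"


def foreign_link_hosts(body, brand):
    """Hosts of links in the body that are not the named brand's own domains."""
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://\S+", body)}
    allowed = BRAND_DOMAINS[brand]
    return sorted(h for h in hosts
                  if not any(h == d or h.endswith("." + d) for d in allowed))
```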
The email looks like:
From: firstname.lastname@example.org <email@example.com>
Date: Wed 30/08/2017 14:56
Subject: Your latest BT OneBill is available now
BT.com username: jenny@[redacted].co.uk
Your latest BT OneBill is ready to download from here
The benefits of which are:
• Access to your OneBill data online 24/7
• Data available online for 15 months
• More than one person can have access
• Online Help & Support
• You can import and analyse using BT Billing Analyst
Your PDF / Media file should be available to view or download in 24 hours.
If you try to do this sooner, you may encounter an error message.
There is no need to contact us unless the 24 hours from the time
of this notification has elapsed.
Dylan Holtberg, CEO, BT Business
Help & support Forgotten Log in details Contact us Forums
The link in the mail goes to a compromised or fraudulently set up SharePoint (AKA OneDrive for Business) address: https://mccabelawyers-my.sharepoint.com/personal/g_macneill_swslawyers_com_au/_layouts/15/guestaccess.aspx?docid=0cc833a8ff3b4411a986bfb04282f2ffb&authkey=AVpD74OXseK7zr4gaxr_UBE which downloads a zip file containing the .js file that eventually delivers Dridex.
BT OneBill.zip extracts to BT OneBill.js. Current VirusTotal detections: Payload Security. This downloads the Dridex banking Trojan, but I am unable to determine the actual download site (VirusTotal).
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them