Mailchimp abuse &malware spreading continues again today. a slight change in behaviour today with 2 distinctly different email versions and several different sites involved. Today’s fake invoices appear to be using the compromised account belonging to Entrust Insurance Services but the criminals have also registered a fake domain totalinvocies.co.uk which was registered today 12 March 2018 via Godaddy using privacy protection to somehow try to fool Mailchimp and send the emails on behalf of totalinvocies.co.uk
Update: now Mandrill involved
Update2: Bespoke insurance statement on their compromised Mailchimp account
There are several slightly different subjects and senders:
- Invoice Support <email@example.com>; on behalf of; Invoice Support <firstname.lastname@example.org> Invoice and Statement March 2018
- Invoice Support <email@example.com>; on behalf of; Invoice Support <firstname.lastname@example.org> Invoice March 2018
- Invoice <email@example.com>; on behalf of; Invoice <firstname.lastname@example.org> Alert! New Notification!
We still have no idea how the victim companies’ details or login credentials to the mailchimp network are being stolen or compromised.
inv$statem312.zip contains a lnk file ( VirusTotal) (Hybrid Analysis) that downloads the Gootkit banking trojan from http://yeoldeinn.co.uk/yuIuytsvvc.exe using bits admin ( VirusTotal) ( Hybrid Analysis)
Version 1 looks like this: The link goes to Mailchimp but was taken down before I got round to investigating
Version 2 looks like this one. I have received 2 different versions with different links
https://www.k9therapy.co.uk/Account statement and invoice March.zip ( 404 down)
http://www.rayli.co.uk/inv$statem312.zip ( active) uses subject of Alert! New Notification!
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
|22.214.171.124||mail15.sea31.mcsv.net||Atlanta||Georgia||US||AS14782 The Rocket Science Group, LLC|
|126.96.36.199||mail67.atl71.mcdlv.net||Atlanta||Georgia||US||AS14782 The Rocket Science Group, LLC|
|188.8.131.52||mail2.atl11.rsgsv.net||Atlanta||Georgia||US||AS14782 The Rocket Science Group, LLC|
Received: from mail2.atl11.rsgsv.net ([184.108.40.206]:59830)
by knight.knighthosting.co.uk with esmtp (Exim 4.89_1)
for help@redacted; Mon, 12 Mar 2018 10:20:49 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; d=mail2.atl11.rsgsv.net;
Received: from (127.0.0.1) by mail2.atl11.rsgsv.net id hkpa842akec4 for <help@redacted>; Mon, 12 Mar 2018 10:20:37 +0000 (envelope-from <email@example.com>)
From: =?utf-8?Q?Invoice=20Support?= <firstname.lastname@example.org>
Reply-To: =?utf-8?Q?Invoice=20Support?= <email@example.com>
Date: Mon, 12 Mar 2018 10:20:37 +0000
X-Mailer: MailChimp Mailer – **CID57272b03ff68a4913597**
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.phtml?u=d90cc8929e27b53bec604d26d&id=57272b03ff&e=68a4913597
List-ID: d90cc8929e27b53bec604d26dmc list <d90cc8929e27b53bec604d26d.455401.list-id.mcsv.net>
List-Unsubscribe: <https://entrust-insurance.us2.list-manage.com/unsubscribe?u=d90cc8929e27b53bec604d26d&id=be4c7e289b&e=68a4913597&c=57272b03ff>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
Sender: “Invoice Support” <email@example.com>
Content-Type: multipart/alternative; boundary=”_———-=_MCPart_878134487″
Update: Something quite strange going on with this malware campaign. It was reported to Mailchimp in the same way that all previous campaigns have been. I think the compromised user is still compromised or something quite weird is going on with Mailchimp. I received this “sorry to see you go email overnight, with a link to subscribe. ( the link doesn’t work and leads to a “This list is currently unavailable. Please try again later.” message.
What is most concerning is that somebody ( I assume the criminals controlling the account) was still able to send anything from the Mailchimp account which is supposed to be suspended completely. Why the “North Hampshire Chamber of Commerce” Email bits with the total invoces and entrust-insurance details. Somebody at Mailchimp has slipped up with this one.
|220.127.116.11||mail4.mcsignup.com||Atlanta||Georgia||US||AS14782 The Rocket Science Group, LLC|
Received: from mail4.mcsignup.com ([18.104.22.168]:31862)
by knight.knighthosting.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
for firstname.lastname@example.org; Tue, 13 Mar 2018 03:07:04 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=mandrill; d=mail4.mcsignup.com;
Received: from pmta08.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail4.mcsignup.com id hkt05k1jvmg2 for <email@example.com>; Tue, 13 Mar 2018 03:07:05 +0000 (envelope-from <firstname.lastname@example.org>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
email@example.com; q=dns/txt; s=mandrill; t=1520910425; h=From :
Sender : Subject : To : Message-Id : Date : MIME-Version : Content-Type
: From : Subject : Date : X-Mandrill-User : List-Unsubscribe;
From: =?utf-8?Q?Invoice=20Support?= <firstname.lastname@example.org>
Sender: =?utf-8?Q?Invoice=20Support?= <email@example.com>
Subject: North Hampshire Chamber of Commerce: You are now unsubscribed
X-Auto-Response-Suppress: OOF, AutoReply
To: “=?utf-8?Q?help=40victimsdomain.com?=” <firstname.lastname@example.org>
X-Report-Abuse: Please forward a copy of this message, including all headers, to email@example.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=9656357.4dc96cb412634f07b29d85910202f34d
Date: Tue, 13 Mar 2018 03:07:05 +0000
Content-Type: multipart/alternative; boundary=”_av-tEXfjE4jRFYZF0JlujF6RQ”
Update2: Bespoke insurance posted on their website about the compromise of Entrust insurance Mailchimp Account. ( Entrust is a trading name and website that was used by Bespoke Insurance.) According to the post, as a direct result of their Mailchimp account being compromised, they have now closed down the Entrust website and associated IT system.
The post on the Bespoke insurance page has now been taken down, but a copy was discovered on Google cache
These malicious attachments normally have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. A very high proportion are Ransomware versions that encrypt your files and demand money ( about £350/$400) to recover the files.All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
This is another one of the files that unless you have “show known file extensions enabled“, can easily be mistaken for a genuine DOC / PDF / JPG or other common file instead of the .EXE / .JS file it really is, so making it much more likely for you to accidentally open it and be infected.
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.
Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Many malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name. Unfortunately windows by default hides the file extensions so you need to Set your folder options to “show known file types. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball” or a report in word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see if it is a picture or document & not a malicious program.
If you see JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.
While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file. If you right click any suspicious zip file received, and select extract here or extract to folder ( after saving the zip to a folder on the computer) that risk is virtually eliminated. Never attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.