NDR Bill pretending to come from Ebilling <Ebilling@westlothian.gov.uk> is another one from the current Zbot runs, which try to drop CryptoLocker, ransomware and loads of other malware on your computer. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.
Almost all of these have a password-stealing component, with the aim of stealing your email or FTP (web space) login credentials. Many of them are also designed specifically to steal your Facebook and other social network login details.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Note that these do not come from Ebilling@westlothian.gov.uk or from any other local authority in the UK. The last time we saw this type of attack, we saw emails pretending to come from a whole range of UK local authorities. Non Domestic Rates bills normally come out in February or March each year, so seeing this email template in September should raise alarm bells immediately. An email allegedly sent by a Scottish local council should also immediately alert a recipient in the rest of the UK that it is totally bogus.
So far today we have seen 4 different versions of malware attached to this email template. They all have the same file name, but are different sizes and have subtly different behaviours. Don’t rely on your anti-virus to detect everything quickly. Use your eyes and common sense. Nobody in England should be getting an email from westlothian.gov.uk saying that they owe Non Domestic Rates and very few residents of West Lothian will still owe rates from earlier in the year. Just don’t open or try to open the attachment and delete the email as soon as it arrives.
Please find attached your Non Domestic Rates bill.
If your account is in credit you are due a refund unless you have any other debt due to the Council.
To allow your credit to be processed please confirm:
– If you want the credit transferred to another account you have with us. Please confirm the account details.
– If you want the credit refunded by cheque, please confirm who it should be sent to and the address.
Links to Non Domestic Rates information are detailed below.
Important Note: If you access these links using a mobile phone the network provider may charge for this service.
Yours sincerely Scott Reid Revenues Manager
* PDF Viewer required.
This message, together with any attachments, is sent subject to the following statements:
1. It is sent in confidence for the addressee only. It may contain legally privileged information. The contents are not to be disclosed to anyone other than the addressee. Unauthorised recipients are requested to preserve this confidentiality and to advise the sender immediately.
2. It does not constitute a representation which is legally binding on the Council or which is capable of constituting a contract and may not be founded upon in any proceedings following hereon unless specifically indicated otherwise.
http://www.westlothian.gov.uk
3 September 2014: 00056468.pdf.zip (207 kb): Extracts to 00056468.pdf.exe. Current VirusTotal detections: 3/55
This is another one of the spoofed icon files that, unless you have “show known file extensions” enabled, will look like a proper PDF file instead of the .exe file it really is, making it much more likely that you will accidentally open it and be infected.
All of these emails use social engineering tricks to persuade you to open the attachments that come with the email. It might be a message saying “look at this picture of me I took last night” that appears to come from a friend, or something more targeted at somebody who is likely to receive PDF attachments, Word .doc attachments or any other common file type regularly. Be very careful when unzipping them, make sure you have “show known file extensions” enabled, and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.