An email with the subject of New BT Online bill pretending to come from BT but actually coming from a different domain email@example.com that can very easily be mistaken for a genuine BT email address is today’s latest spoof of a well-known company, bank or public authority delivering Dridex banking Trojan
Update 18 September 2017: a new run of this using BT Business <firstname.lastname@example.org> as sending email address.
They are using email addresses and subjects that will scare, persuade or entice you to read the email and open the attachment.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
BT has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.
What has happened is that the criminals sending these have registered various domains that look like genuine Company, Bank, Government or message sending services. Normally there are between 2 and 4 newly registered domains that imitate Companies House, HMRC, another Government department, a Bank or a message sending service that can easily be confused with the genuine organisation in some way. Some days however we do see dozens or even hundreds of fake domains.
Today’s example of the spoofed domains are, as usual, registered via eranet.com as registrar. This was registered on 13 September 2017 by the criminals
- bt-europe.com hosted on 126.96.36.199 OVH
This particular email was sent from IP 188.8.131.52 but a quick look up of the domain details show that these criminals have also set a whole range of IP addresses to be able to send these emails and pass authentication checks
Update:18 September 2017. New sending domain btsgl.com 184.108.40.206 still hosted by OVH. Emails sent from these IP numbers:
The email looks like:
Date: Wed 13/09/2017 10:55
Subject: New BT Online bill
New BT Online Bill
Your bill amount is: £247.33. This doesn’t include any amounts brought forward from any other bills.
We’ve put your latest BT bill online for you to view. See your bill here.
The PDF version of your bill might not be available for download yet. It can take up to 48 hours.
We’ll take your payment from your account as usual by Direct Debit.
Reduce paper waste
You’re still getting paper bills by post. Why not go paper-free, and stop storing and shredding them once and for all?
When you log in to your account, you can also see your recent usage, call costs and bills.
Get more from our App
Did you know you can view and pay your bills and manage your orders via the BT Business app?
Need some help?
Go to www.bt.com/business/help.
Thanks for choosing BT.
Your BT Team
British Telecommunications plc Registered office: 81 Newgate Street London EC1A 7AJ.
Registered in England No. 1800000.
This email contains BT information, which may be privileged or confidential. It’s meant only for the individual(s) or entity named above. If you’re not the intended recipient, note that disclosing, copying, distributing or using this information is prohibited. If you’ve received this email in error, please let me know immediately on the email address above. Thank you. We monitor our email system, and may record your emails.
The link in the mail goes to a compromised or fraudulently set up SharePoint AKA onedrive for business address: https://nemjoncomau-my.sharepoint.com/personal/jack_may_nemjon_com_au/_layouts/15/guestaccess.aspx?docid=0298ca8f1919748eb8cdba1a198dc85ae&authkey=AW_xv3CYvv3OMg0wmskh0Nw which downloads the zip file containing the .js file that eventually delivers Dridex
YourBTbill_13092017.zip extracts to YourBTbill_13092017.js Current Virus total detections: Payload Security This downloads from http://220.127.116.11/img/style.png which of course is not a png ( image file) but a renamed .exe, that is renamed by the script to RUG8qnFp.exe ( VirusTotal)
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware. Also please read our post about word macro malware and how to avoid being infected by them