Tag: ISFB | My Online Security

Fake Xmas Bonus Payslip delivers Ursnif – Gozi

Posted on 17 December 2018 12:05 pm by Myonlinesecurity17 December 2018 12:05 pm

We are still seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK again this week. Today we are seeing an Xmas Payslip theme The subjects vary slightly but include Wages December, Salary Payslip, Christmas Payslip, Chrithmas Payslip or similar These are coming from dozens ( or even hundreds) of different email addresses and IP addresses all from 1 hosting company using the IP range of 91.222.237.* This appears to be a server based in London but controlled by a Russian Entity, AS202423 PE Viktor Tyurin. All the email addresses pass authentication and the majority of the sending domains have been registered for … Continue reading →

Urgent to all residents of the building email delivers Ursnif

Posted on 11 December 2018 11:23 am by Myonlinesecurity14 December 2018 10:55 am 1

We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since Yesterday. Earlier we saw a Brexit theme and now we are seeing emergency exit notices. The subject this time is consistent in all versions “Urgent to all residents of the building”. The name in the body of the email matches the alleged sender & is different in each version. These are coming from dozens ( or even hundreds) of different email addresses and IP addresses all from 1 hosting company using the IP range of 193.233.30.* This appears to be a server based in Russia, mgnhost.ru AS202423 PE … Continue reading →

Large Ursnif campaign hitting UK using Brexit as lure

Posted on 11 December 2018 9:01 am by Myonlinesecurity11 December 2018 9:01 am 1

We are seeing a fairly large Ursnif /Gozi /ISFB campaign hitting the UK since Yesterday. The criminals are using the theme of Brexit which is very topical in UK ( and the rest of Europe) at the moment. There are numerous subjects all with Brexit somewhere in the subject line and there is a link to a google docs page that downloads the malware file. Some subjects I have seen include: Brexit 2019 Brexit 29/03/2019 Brexit 29-03-2019 Brexit | 29-03-2019 Brexit Barometer Brexit These are coming from dozens ( or even hundreds) of different email addresses and IP addresses all from 1 hosting company using … Continue reading →

Ursnif campaign hitting UK imitating well known companies

Posted on 7 December 2018 7:15 am by Myonlinesecurity7 December 2018 7:15 am

We are seeing an Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. I was first alerted by this Twitter post. I started to investigate quickly last night and several much better researchers and analysts have taken over and found much more details. I posted some basic details in THIS Tweet. Then the main analysis appears via THIS. Whichever bad actor is running this campaign is using extremely good social engineering tricks to imitate multiple well known companies to persuade the recipient to follow the links and get infected. Anyway back to this morning and Ursnif /Gozi /ISFB continues to … Continue reading →

Fake Invoice INV-4571 from Platelayers Limited delivers Gozi-Ursnif

Posted on 19 April 2018 7:09 pm by Myonlinesecurity19 April 2018 7:09 pm

An email with the subject of Invoice INV-4571 from Platelayers Limited pretending to come from Platelayers Limited < messaging-service@subbx.net > with a link to download a malicious word doc which delivers Gozi/Ursnif/ ISFB banking trojan In other similar malware delivery attempts in the past, the criminals sending these imitated or spoofed dozens if not hundreds of different companies in the emails. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than … Continue reading →

Mailchimp malware continues. Today delivering Ursnif /gozi banking trojan

Posted on 4 April 2018 2:40 pm by Myonlinesecurity4 April 2018 2:40 pm

After a short break we are seeing Mailchimp abuse & attempted malware spreading again today. The next in the never ending series of compromised or fraudulently set up Mailchimp accounts spreading malware is hitting the UK again today Please read this post explaining the Mailchimp malware saga The first set of emails are generic fake payment messages. The second set pretends to be a HSBC order confirmation Your TX ID PPX001066 coming from Marissa Smith <suc7=gmail.com@mail52.atl91.mcsv.net>; on behalf of; Marissa Smith <suc7@gmail.com> Your TX ID PPX001066 coming from Marissa Smith <suc7=gmail.com@mail97.sea61.rsgsv.net>; on behalf of; Marissa Smith <suc7@gmail.com> Document’s 04/04/2018 10:29 AM … Continue reading →

fake “Your Sage subscription invoice is Due” email delivers Gozi /Ursnif / ISFB banking trojan

Posted on 27 March 2018 5:21 pm by Myonlinesecurity28 March 2018 12:44 pm

An email with the subject of Your Sage subscription invoice is Due pretending to come from Sage but coming from jamie@infographic.pictures with a link to download a malicious word doc delivers Gozi /Ursnif / ISFB banking trojan They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not … Continue reading →

Japanese language fake invoice malspam using macro laden XLS files continue to deliver Ursnif banking Trojans

Posted on 14 June 2017 8:30 am by Myonlinesecurity14 June 2017 8:30 am

It looks like the Japanese malspams are still continuing to deliver Ursnif /Gozi / ISFB banking Trojans. This one is yet another fake invoice email with the subject of 請求書添付書類について (About invoice attachment documents) , pretending to come from random Japanese email addresses with a malicious Excel XLS attachment that contains macros They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. As is … Continue reading →

another ursnif attempt from Japanese language malspam using ole objects

Posted on 13 June 2017 9:55 am by Myonlinesecurity13 June 2017 9:55 am

Still sticking with Japanese malspams downloaders delivering or trying to deliver Ursnif /Gozi / ISFB banking Trojan is yet another email with the subject of Re: [お振込口座変更のご連絡 Re: [Notice of transfer account change , pretending to come from random Japanese email addresses with a malicious word doc attachment that contains embedded ole objects where you have to manually click on the blurry image rather than macros auto-running to infect you. I am not sure if all the copies pretend to be related to Japan Trust Co., Ltd or whether there will be the usual multitude of subjects and random body … Continue reading →

more Japanese language invoice malspam delivering Ursnif

Posted on 12 June 2017 10:45 am by Myonlinesecurity12 June 2017 10:45 am

Yet another in the never ending series of Japanese language malspam malware downloaders delivering Ursnif /Gozi / ISFB banking Trojan is this email with the subject of 請求書 (invoice). These emails are coming in slightly malformed and outlook doesn’t want to open them or display them properly. This might be a language encoding issue and Japanese recipients will have no problems opening them. When delivered as a working email, these deliver Ursnif / Gozi / ISFB banking Trojan I can see the content on the mail server, but outlook seems to have difficulty actually displaying the full content. It only shows the … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: ISFB