Tag: spam | My Online Security

False Invoice Due email with password protected attachment delivers malware

Posted on 17 August 2018 6:25 am by Myonlinesecurity17 August 2018 6:25 am

This generic email with the subject of “Invoice Due” coming from help@simplexhealthcare.info with a malicious password protected word doc attachment does eventually deliver some sort of malware. Recently password protected word docs have been delivering some sort of Ransomware frequently Hermes Ransomware via Azorult intermediate download. This is probably Azorult on the first stage, based on the file name azo.exe but I can’t see any encryption happening using the online sandboxes. It probably is Hermes ransomware based on the file names. These criminals don’t tend to be very original. The details in this campaign do match the details shown in this … Continue reading →

Fake DHL delivery notification Agent Tesla Keylogger

Posted on 16 August 2018 5:23 am by Myonlinesecurity16 August 2018 5:23 am

Yet another fake or spoofed DHL delivery notification delivering what looks like Agent Tesla keylogger. An email with the subject of “Vessel Schedule ETD:AUG 26 ,ETA:SEP 20” coming from Donald Townsend <comercial@twistermedical.com> with a zip ( rar) attachment which delivers what looks like Agent Tesla keylogger They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. At first glance, you think how can somebody be fooled by … Continue reading →

Fake HMRC “Submission 5DW8 F36N MG2A 9HJ not processed ” delivers trickbot

Posted on 15 August 2018 3:10 pm by Myonlinesecurity15 August 2018 3:10 pm

Today’s Trickbot campaign is a pretty lame example from this prolific malware gang. The email containing the subject of “Submission 5DW8 F36N MG2A 9HJ not processed ” pretending to come from noreply.taxreg@notifications.hmrc.gov.uk but actually coming from “noreply.taxreg@notification-hmrc-gov.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, containing a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email is very badly done and doesn’t look anything like a genuine HMRC email and definitely is not up to the … Continue reading →

Fake “You have received a Secure Doc message from Citi Secure Email Server” delivers Trickbot

Posted on 14 August 2018 7:48 pm by Myonlinesecurity14 August 2018 7:48 pm

This example is an email containing the subject of ” You have received a Secure Doc message from Citi Secure Email Server ” pretending to come from Citi Group but actually coming from “noreply@securemailcenter-citigroup.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. As in today’s earlier example of Trickbot targeting the UK, this also copies the system default PowerShell files to the user temp folder and runs it from … Continue reading →

Fake “Scanned from a Xerox Multifunction Printer ” delivers Trickbot

Posted on 14 August 2018 12:18 pm by Myonlinesecurity14 August 2018 12:18 pm 2

Yet another change to the Trickbot Banking Trojan distribution system again today. Today the Trickbot gang are pretending that a scanner or multifunction device is emailing you a scanned document. We used to see this lure all the time from other malware distribution services, but they generally pretended that the email was coming from a device on your network, not a remote server like this example of Trickbot banking Trojan. This example is an email containing the subject of “Scanned from a Xerox Multifunction Printer ” pretending to come from Xerox Device but actually coming from “service@scandevice.uk” which is a look-a-like, typo-squatted or … Continue reading →

419 scam with a Java Adwind payload

Posted on 14 August 2018 6:34 am by Myonlinesecurity14 August 2018 6:34 am

For a change we have a slightly unusual hybrid mish-mash, combination of a 419 scam and a Java Adwind malware delivery. It is common to see Java Adwind delivered by fake financial emails or by fake parcel delivery notices. To my recollection this is the first time that a working 419 scam and a malware delivery have been knowingly combined. I don’t know whether this was intended to be a malware delivery method or whether the sending server is infected and adding the malware to all emails sent from that account. I don’t normally post much about Java Adwind / Java … Continue reading →

Fake HMRC “Critical Notice: Statement of Liabilities” delivers Trickbot

Posted on 13 August 2018 5:07 pm by Myonlinesecurity13 August 2018 5:07 pm 1

This example is an email containing the subject of “Critical Notice: Statement of Liabilities” pretending to come from HMRC but actually coming from “service@hmrcemail.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site, with a malicious word doc attachment is today’s latest spoof of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email is a typical spoofed HMRC email delivering Trickbot banking trojan, that we see very frequently, saying you owe large sums of money and see the details in the attached document. The delivery chain for the … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: spam