Tag: spam | My Online Security

trickbot via fake HSBC Payment Advice

Posted on 7 December 2018 12:43 pm by Myonlinesecurity8 December 2018 6:23 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Payment Advice Ref: 2 / Customer Ref: P” pretends to come from HSBC but actually comes from “DoNotReply@pa-hsbc.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. Today they are using XLS Excel spreadsheet files. It looks like there might be some changes to the Trickbot modules & binaries today. We haven’t seen any Trickbot targeting … Continue reading →

Ursnif campaign hitting UK imitating well known companies

Posted on 7 December 2018 7:15 am by Myonlinesecurity7 December 2018 7:15 am

We are seeing an Ursnif /Gozi /ISFB campaign hitting the UK since yesterday. I was first alerted by this Twitter post. I started to investigate quickly last night and several much better researchers and analysts have taken over and found much more details. I posted some basic details in THIS Tweet. Then the main analysis appears via THIS. Whichever bad actor is running this campaign is using extremely good social engineering tricks to imitate multiple well known companies to persuade the recipient to follow the links and get infected. Anyway back to this morning and Ursnif /Gozi /ISFB continues to … Continue reading →

Lokibot campaigns continue with some changes to C2 urls

Posted on 7 December 2018 6:12 am by Myonlinesecurity7 December 2018 6:12 am

Seeing some changes to Lokibot with this malware delivery campaign overnight. I don’t know if it is a complete change to the C2 url naming convention or whether it is only this particular actor using a different C2 url naming convention. Generally with Lokibot the quickest & easiest way to identify it, is the “fre.php” in the C2 URL. Today we are seeing “cat.php”. The delivery email with the subject of Request For Invoice pretending to come from sales@kumarequipment.net with a malicious word doc attachment that contains an RTF exploit is typical of common malware delivery methods that is currently being used … Continue reading →

More Fake DHL invoices delivering Remcos RAT via office XML files

Posted on 30 November 2018 6:10 am by Myonlinesecurity30 November 2018 6:10 am

An old favourite lure with this email with the subject of “DHL Shipping of Original invoice B/L dated 26/10/2018” pretending to come from DHL EXPRESS – < noreply@dhl.com > with a malicious word doc attachment delivers Remcos RAT The idea of Fake DHL invoices or delivery notes is nothing new. What is different about this campaign is the way the criminals are using non standard Office XML files with base 64 encoded sections containing the macros instead of proper office ( word) docs. These still open in Microsoft Office and will run. They still open in Protected view mode, so … Continue reading →

trickbot via fake Danske Bank Transaction Report – Important Information!

Posted on 21 November 2018 6:18 pm by Myonlinesecurity21 November 2018 6:18 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of ” Transaction Report – Important Information! ” pretends to come from Danske Bank but actually comes from “danske.bank@danskebankcom.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment. today again they are using XLS Excel Spreadsheet files Danske Bankhas not been hacked or had their email or other servers compromised. They are not sending the emails to … Continue reading →

Fake Payment Receipt delivers Nanocore RAT malware

Posted on 21 November 2018 5:11 am by Myonlinesecurity21 November 2018 5:11 am

We frequently see this sort of generic Malicious Spam email with an office file attachment that acts as a downloader for all sorts of malware. Today’s example is an email with the subject of [Your Email Address] RE:Payment Receipt for your reference!! pretending to come from Tengku Aishah <suntrade@fareast.net.th> with a malicious Excel XLS spreadsheet attachment delivers Nanocore RAT I don’t normally bother with posting all of them and normally just tweet about them to a group of researchers. However today’s version is slightly different to the run of the mill ones. Generally we see this type of email using Word … Continue reading →

trickbot via Fake NatWest BankLine Support “FW: Recent Activity “

Posted on 20 November 2018 12:29 pm by Myonlinesecurity20 November 2018 12:29 pm

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “FW: Recent Activity ” pretends to come from Lorna Davis at NatWest Bankline but actually comes from “donotreply@bankline-reports.co.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment Today again they are using XLS ( Excel Spreadsheet) files. NatWest Bankline has not been hacked or had their email or other servers compromised. They are not sending the … Continue reading →

Trickbot via fake Bank of America Merrill Lync “FW: Updated Account Transactions “

Posted on 20 November 2018 6:07 am by Myonlinesecurity20 November 2018 6:07 am

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “FW: Updated Account Transactions ” pretends to come from somebody named Michael L. Lucia at Bank of America Merrill Lync but actually comes from “michael.lucia@secmail-bofa.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These have a malicious office file attachment, this one has an XLS (Excel Spreadsheet) file attachment. Bank of America Merrill Lync has not been hacked or had their email or … Continue reading →

trickbot via fake Lloyds Bank “Important : please review attached document(s) “

Posted on 16 November 2018 12:30 pm by Myonlinesecurity17 November 2018 7:04 am 6

This example is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “Important : please review attached document(s) ” pretends to come from Lloyds Bank but actually comes from “donotreply@lloydsbankdocs.com” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have either a malicious office file attachment Lloyds Bank has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims … Continue reading →

Fake Lloyds Bank FW: Confidential documents delivers Trickbot via complicated download mechanism

Posted on 14 November 2018 1:29 pm by Myonlinesecurity15 November 2018 4:03 am 1

This is today’s latest spoof or imitation of a well-known company, bank or public authority delivering Trickbot banking Trojan. The email with the subject of “FW: Confidential documents” pretends to come from Lloyds Bank, but actually comes from “Robina.Bennett@lloydsbankonline.uk” which is a look-a-like, typo-squatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. These all have a link to download the malicious Word Doc from a remote website. We are back to a slightly more complicated or involved Trickbot download campaign today with links in the email to download the word doc instead of … Continue reading →

My Online Security

Keep yourself safe online

Tag Archives: spam