{"id":10827,"date":"2022-04-12T05:54:11","date_gmt":"2022-04-12T05:54:11","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=10827"},"modified":"2023-04-03T10:08:10","modified_gmt":"2023-04-03T10:08:10","slug":"fake-sagepay-subscription-emails-via-mailchimp-mailing-list-systems-delivering-gootkit-banking-trojan","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-sagepay-subscription-emails-via-mailchimp-mailing-list-systems-delivering-gootkit-banking-trojan\/","title":{"rendered":"Fake SagePay Subscription Emails Via MailChimp Mailing List Systems Delivering Gootkit Banking Trojan"},"content":{"rendered":"
I have been seeing a steady trickle of these Fake SagePay subscription emails over the last few days. Until today, all copies I saw didn’t lead anywhere, with the links already dead by the time I had received the email. Today, either I was much quicker or the downloads and the compromised mailing list have stayed active for longer.
The email, with the subject "Sage Soft Subsc", pretends to come from Oxfordshire Sage Support and carries a link in the email body that downloads a zip file containing a JavaScript file, which in turn downloads the Gootkit banking trojan.
These all come via legitimate mailing lists that are run by Mailchimp. I am sure none of the senders are knowingly sending these, and it looks like the criminals must either be using stolen credentials to log in to the Mailchimp system and send this malspam, or have found some vulnerability in the MailChimp system in order to do it. All the links in the email go to the MailChimp system and are then diverted to the malware site.
I am not sure how these mailing lists got the email address these were sent to. To the best of my knowledge the recipient’s email address was never signed up to any of the organisations or companies that have been misused in this malware campaign. The criminals must just be using a set of randomly chosen email addresses that they have obtained elsewhere. It is very unlikely that the recipients’ email addresses are genuinely on these mailing lists or have subscribed to them.
Today’s one used oxfordshiremind.org.uk. A couple of days ago they came from: The Sage Group <john=jlstudios.co.uk@mail165.sea51.mcsv.net> on behalf of The Sage Group <john@jlstudios.co.uk> (that one was down by the time I received the email).
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
One of the emails looks like:
From: Oxfordshire Sage Support <shortcourses=oxfordshiremind.org.uk@mail162.suw18.rsgsv.net> on behalf of Oxfordshire Sage Support <shortcourses@oxfordshiremind.org.uk>
Date: Fri 19/01/2021 08:55
Subject: Sage Soft Subsc

Sage Subscription
Payment of this invoice will be taken by DirectDebit in accordance with your agreed terms.
For our list to remain compliant with MailChimp’s policies, we need you to verify your subscription settings and expressly let us know you want to receive our emails. If you take no action, your address will be removed from our list and you won’t receive email from us again. To remain on our list, please confirm your subscription:
© 2021 Oxfordshire Mind
Unsubscribe

Screenshot:

In this case the email link goes to https://oxfordshiremind.us6.list-manage.com/track/click?u=a68404bc5fcce8549fac48a31&id=f704abab28&e=13b4786e1c, where it redirects you to http://www.coderhm.com/enclosed_document.html?d=1, which downloads “document invoice -ddt-g.zip”.

document invoice -ddt-g.zip: extracts to document invoice -ddt-g.js. Current VirusTotal detections: Hybrid Analysis | Anyrun Beta |

This malware file downloads from http://86.110.118.113/1013_cr.exe. VirusTotal | Anyrun Beta | Hybrid Analysis |

These malicious attachments normally have a password stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details. A very high proportion are Ransomware versions that encrypt your files and demand money (about £350/$400) to recover the files.

All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

Body Content:
INVOICE
INVOICE=INV937477
DUE DATE
26/01/2021
BALANCE DUE
875.15 GBP
Dear Client
Please follow the link to find your invoice. We appreciate the immediacy of your payment.
Get attached Invoice

Sincerely Yours,
The Sage Subscription Team

Confirm Subscription

You are receiving this email as a supporter of Oxfordshire Mind.
Oxfordshire Mind 2 Kings Meadow Osney Mead Oxford, Oxfordshire OX2 0DP United Kingdom