{"id":10997,"date":"2022-04-01T04:57:30","date_gmt":"2022-04-01T04:57:30","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=10997"},"modified":"2023-04-05T13:50:18","modified_gmt":"2023-04-05T13:50:18","slug":"spoofed-standard-bank-payment-confirmation-delivers-locky-aesir","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/spoofed-standard-bank-payment-confirmation-delivers-locky-aesir\/","title":{"rendered":"Spoofed Standard Bank Payment Confirmation Delivers Locky \u2013 Aesir"},"content":{"rendered":"
The next in the long, long line of never-ending Locky downloaders is an email with the subject of Payment confirmation 7477 (random numbers) pretending to come from Standard Bank <ibsupport@standardbank.co.za>. Quite why they think a large number of UK residents will have a South African bank account is beyond me, but of course many click-happy recipients will fall for it, get compromised and have all their files encrypted.<\/p>\n
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.<\/p>\n
23 November 2021: PaymentConfirmation7477.zip : Extracts to: wbxz7lyfob8mwyygqstzfffj7aere8wz.js Current Virus total detections<\/a>: MALWR shows the script downloading an encrypted file, which the script then decodes into OYxgQhzazR1.dll ( VirusTotal<\/a>) Payload Security<\/a>. This looks like the same Locky payload as the earlier examples today; they have used the 08yhrf3 download file name in several of today\u2019s examples.<\/p>\n
One of the emails looks like:<\/p>\n
From:<\/strong> Standard Bank <ibsupport@standardbank.co.za><\/p>\n
Date:<\/strong> Wed 23\/11\/2021 15:39<\/p>\n
Subject:<\/strong> Payment confirmation 7477<\/p>\n
Attachment:<\/strong> PaymentConfirmation7477.zip<\/p>\n
Body Content<\/strong>:<\/h3>\n
Internet banking payment confirmation<\/strong><\/p>\n
Dear Customer<\/p>\n
A payment has been made to your account. To view the details of the payment, please open the attached PDF file. You may require Adobe Acrobat Reader on your computer to open the PDF file. If you do not have this software, you can download it free of charge.<\/p>\n
If you have any questions or would like more information, email ibsupport@standardbank.co.za<\/strong> or call our Customer Contact Centre on 0860 123 000.<\/strong> If you are calling from outside South Africa, call +27 11 299 4114.<\/strong> Our consultants are available between 8am and 9pm on weekdays, and 8am and 4pm on weekends and public holidays.<\/p>\n
The Internet banking Team<\/p>\n
Copyright Standard Bank. All rights reserved. Standard Bank of South Africa Limited (Reg. No. 1962\/000738\/06). Authorised financial services provider. Registered credit provider (NCRCP15). Disclaimer and confidentiality note:<\/strong> Everything in this email and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group. It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content. The person addressed in the email is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Standard Bank cannot assume that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference. For our privacy policy or information about the Standard Bank group visit our website at www.standardbank.co.za.<\/p>\n
These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log-in credentials. Many of them are also designed to specifically steal your Facebook and other social network log-in details. A very high proportion are Ransomware versions that encrypt your files and demand money (about \u00a3350\/$400) to recover the files.<\/p>\n
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company whose details have been spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n
Please read our How to protect yourselves page<\/a> for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.<\/p>\n
Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. There are frequently 5 or 6, and even up to 150, download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Dridex \/ Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of these nasty Ransomware or banking password-stealer Trojans.<\/p>\n
This is another one of the files that, unless you have \u201cshow known file extensions\u201d enabled<\/a>, can easily be mistaken for a genuine DOC \/ PDF \/ JPG or other common file instead of the .EXE \/ .JS file it really is, making it much more likely that you will accidentally open it and be infected. Here the zip contains only a .js file, which Windows Script Host runs directly when double-clicked, and it is that script, not a PDF, that fetches the Locky DLL.<\/p>\n