{"id":11366,"date":"2022-04-11T06:35:33","date_gmt":"2022-04-11T06:35:33","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11366"},"modified":"2023-04-03T10:28:59","modified_gmt":"2023-04-03T10:28:59","slug":"fake-true-telecom-invoice-for-august-2017-delivers-globeimposter-ransomware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/fake-true-telecom-invoice-for-august-2017-delivers-globeimposter-ransomware\/","title":{"rendered":"Fake True Telecom Invoice For August 2017 Delivers Globeimposter Ransomware"},"content":{"rendered":"
The next in the never ending series of malware downloaders is an email with the subject of 45653946 \u2013 True Telecom Invoice for August 2017 ( random numbers) pretending to come from billing@true-telecom.com. This is coming via the Necurs botnet but instead of delivering Locky today, this 2nd malspam run is delivering Globeimposter ransomware<\/p>\n
They use email addresses and subjects that will entice a user to read the email and open the attachment.<\/p>\n
In the same way that today\u2019s earlier malspam run<\/strong> (https:\/\/myonlinesecurity.co.uk\/fake-invoice-inv-000379-from-property-lagoon-limited-for-gleneagles-equestrian-centre-delivers-locky-ransomware\/) that delivered Locky ransomware, these have a link in the body to download the zip and a zip ( 7z) attachment as well<\/p>\n 2017-08-45653946-Bill.7z: 2017-08-41840179-Bill.vbs Current Virus total detections: Payload Security | Another version ( VirusTotal) | (Payload Security ) | downloaded & xor\u2019d binary VirusTotal | Payload Security |<\/p>\n true-telecom.com<\/strong> has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.<\/p>\n I have no idea who Deborah Day is, but assume she is an innocent victim who has had her bill intercepted and used as the template for this malware delivery method<\/p>\n One of the emails looks like:<\/p>\n From:<\/strong> billing@true-telecom.com<\/p>\n Date:<\/strong> Mon 04\/09\/2017 14:53<\/p>\n Subject:<\/strong> 45653946 \u2013 True Telecom Invoice for August 2017<\/p>\n Attachment:<\/strong> 2017-08-45653946-Bill.7z<\/p>\n Dear Deborah Day<\/em><\/p>\n We have attached your latest True Telecom bill for August 2017.<\/em> To be able to read your invoice file you will require the Adobe Acrobat PDF viewer. You August already have this installed,<\/em> Payments made by direct debit will be collected 14 days from the date of the Bill.<\/em><\/p>\n If you wish to contact us, please do not hesitate to get in touch with one of our friendly customer services agents.<\/em><\/p>\n Telephone: 0800 840 40 60<\/em> Please be advised that this is an unmonitored email address.<\/em><\/p>\n With Kind Regards,<\/em><\/p>\n The True Telecom Team<\/em> True Telecom Ltd is registered in England and Wales No. 08225783.<\/em> This communication together with any attachments transmitted with it (\u201cthis E-Mail\u201d) is intended only for the use of the addressee and August contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. <\/em><\/p>\n The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. <\/em><\/p>\n The Company only guarantees service in accordance with the service charter. The company accepts no liability for failure of hardware after the termination point. For the purposes of this E-Mail \u201cthe Company\u201d is the trading name of True Telecom Ltd. True Telecom Ltd (Registered in England & Wales No. 08225783)<\/em><\/p>\n <\/p>\n All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\nBody Content:<\/strong><\/h3>\n
\nView your bill online<\/em><\/p>\n
\nif not please visit the Adobe website and download their free viewer.<\/em><\/p>\n
\nFax: 0844 779 2253<\/em>
\nEmail: customerservice@true-telecom.com<\/em><\/p>\n
\nwww.True-Telecom.com<\/em><\/p>\n
\nHead Office address: Ground Floor,Lakeview West, Galleon Boulevard, Crossways Business Park, Dartford, Kent, DA2 6QE<\/em><\/p>\nScreenshot:<\/strong><\/h3>\n