{"id":14761,"date":"2022-04-12T06:15:29","date_gmt":"2022-04-12T06:15:29","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=14761"},"modified":"2023-04-04T09:56:01","modified_gmt":"2023-04-04T09:56:01","slug":"january-balance-785-j-thomson-colour-printers-js-malware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/january-balance-785-j-thomson-colour-printers-js-malware\/","title":{"rendered":"January Balance \u00a3785 J Thomson Colour Printers \u2013 JS Malware"},"content":{"rendered":"
The Dridex bots are really trying it on again today. This email, once again spoofing Alison Smith of J Thomson Colour Printers, with the subject of January balance \u00a3785 and pretending to come from Alison Smith <ASmith5AC@jtcp.co.uk> with a zip attachment, is another one from the current bot runs which try to download various Trojans and password stealers, especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer.<\/p>\n
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, with the hope of getting a better response than they do from consumers.<\/p>\n
I really don\u2019t know how they expect to actually get many victims with this one, because Outlook, along with most other email clients, blocks JavaScript (.js) files sent via email and doesn\u2019t allow a user access to them without a lot of effort.<\/p>\n
The email looks like:<\/p>\n
From:<\/strong> Alison Smith <ASmith5AC@jtcp.co.uk><\/p>\n
Date:<\/strong> Thu 04\/02\/2021 08:46<\/p>\n
Subject:<\/strong> January balance \u00a3785<\/p>\n
Attachment:<\/strong> IN161561-201601.js<\/p>\n
Hi Rosie,<\/em><\/p>\n
Thank you for your recent payment of \u00a3672.<\/em><\/p>\n
It appears the attached January invoice has been missed off of your payment. Could you please advise when this will be paid or if there is a query with the invoice?<\/em><\/p>\n
Regards<\/em><\/p>\n
Alison Smith<\/em><\/p>\n
Assistant Accountant<\/em><\/p>\n
Registered in Scotland 29216<\/em><\/p>\n
14 Carnoustie Place<\/em><\/p>\n
Glasgow G5 8PB<\/em><\/p>\n
Tel: 0141 429 1094<\/em><\/p>\n
www.jtcp.co.uk<\/em><\/p>\n
P Save Paper \u2013 Do you really need to print this e-mail?<\/em><\/p>\n
These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log in credentials. Many of them are also designed to specifically steal your Facebook and other social network log in details.<\/p>\n
jtcp.co.uk J Thomson Colour Printers has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.<\/p>\n
All the alleged senders, companies, names of employees and phone numbers mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.
The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n
Please read our How to protect yourselves page<\/a> for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.<\/p>\n
You can now send any suspicious files for examination by the antivirus companies via our submission system.<\/p>\n
4 February 2021: IN161561-201601.js Current VirusTotal detections: MALWR shows a download from http:\/\/ejanla.co\/43543r34r\/843tf.exe which is highly likely to be Dridex banking malware1<\/p>\n
Body Content:<\/strong><\/h3>\n
Screenshot:<\/strong><\/h3>\n