Just receiving a whole load of these faked AquAid invoices containing an embedded macro:
From: "Tracey Smith"
Subject: Card Receipt
Date: Thu, 18 Dec 2014 09:26:42 +0200
Hi
Please find attached receipt of payment made to us today
Regards
Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone: 0121 525 4533
Fax: 0121 525 3502
Mobile: 07795328895
Email: tracey.smith@aquaid.co.uk
Two variants at the moment... VirusTotal reports:
a881b1031959d5dae6352f31b6ba2df3 (2/56)
eb6db8890657f982118699f019812fdd (1/53)
Detection:
Sanesecurity.Malware.24670.DocHeur (phish.ndb)
Sanesecurity.Rogue.0hr.20141218-0835 (rogue.hdb)
The embedded macro can be seen here (pastebin)
Malwr report can be seen here (Malwr)
One sample tries to connect to two hosts:
74.208.11.204 (USA)
81.169.156.5 (Germany)
Cheers,
Steve
Sanesecurity.com
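For anyone triaging this lure on the mail side, here is an added example (written for this page, not Sanesecurity's or AquAid's code) that takes a raw message, hashes each attachment against the two MD5s listed above, checks whether the attachment is an OLE2 (.doc) file carrying VBA storage names, and scans log lines for the two hosts the sample contacts. The message body, the fake OLE blob, the proxy log lines and the attachment filename (taken from a comment below) are constructed; the IoC values are the ones in the post.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Indicators copied from the post: the two sample MD5s and the two hosts one
# sample contacts. Everything else in this block is constructed for the example.
KNOWN_MD5 = {
    "a881b1031959d5dae6352f31b6ba2df3",
    "eb6db8890657f982118699f019812fdd",
}
KNOWN_HOSTS = {"74.208.11.204", "81.169.156.5"}

# A legacy .doc is an OLE2 compound file; its first 8 bytes are this signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage/stream names inside an OLE2 file are stored as UTF-16LE, so a macro-carrying
# document exposes these names even without a full directory parse.
VBA_MARKERS = {name: name.encode("utf-16-le")
               for name in ("Macros", "_VBA_PROJECT", "ThisDocument")}


def vba_markers(data: bytes) -> list:
    """Return the VBA-related OLE names found in an attachment (empty if not OLE2)."""
    if not data.startswith(OLE_MAGIC):
        return []
    return [name for name, needle in VBA_MARKERS.items() if needle in data]


def triage(raw_email: bytes) -> dict:
    """Hash every attachment, compare against the known MD5s and flag macro markers."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        md5 = hashlib.md5(data).hexdigest()
        attachments.append({
            "filename": part.get_filename(),
            "md5": md5,
            "known_sample": md5 in KNOWN_MD5,
            "ole": data.startswith(OLE_MAGIC),
            "vba_markers": vba_markers(data),
        })
    suspicious = any(a["known_sample"] or a["vba_markers"] for a in attachments)
    return {
        "from": msg["From"],
        "subject": msg["Subject"],
        "attachments": attachments,
        "verdict": "suspicious" if suspicious else "no-indicators",
    }


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hosts_in_log(lines) -> list:
    """Return (line, host) pairs for log lines mentioning one of the known hosts."""
    hits = []
    for line in lines:
        for ip in IPV4.findall(line):
            if ip in KNOWN_HOSTS:
                hits.append((line, ip))
    return hits


def build_sample_email() -> bytes:
    """Constructed lure: the post's headers, with a fake OLE2 blob standing in for the .doc."""
    fake_doc = (OLE_MAGIC + b"\x00" * 56
                + VBA_MARKERS["Macros"] + b"\x00" * 8
                + VBA_MARKERS["ThisDocument"] + b"\x00" * 8)
    msg = EmailMessage()
    msg["From"] = "Tracey Smith <tracey.smith@aquaid.co.uk>"
    msg["Subject"] = "Card Receipt"
    msg["Date"] = "Thu, 18 Dec 2014 09:26:42 +0200"
    msg.set_content("Hi\nPlease find attached receipt of payment made to us today\nRegards\nTracey\n")
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="CAR014151239.doc")
    return msg.as_bytes()


# Constructed proxy log lines (not from the post); the first one hits a listed host.
SAMPLE_LOG = [
    "2014-12-18 09:31:02 10.0.0.23 GET http://74.208.11.204/ 200",
    "2014-12-18 09:31:05 10.0.0.23 GET http://update.example.internal/ 200",
]

if __name__ == "__main__":
    report = triage(build_sample_email())
    print(report["verdict"], report["attachments"])
    print(hosts_in_log(SAMPLE_LOG))
```

The marker check is a coarse heuristic in the spirit of the DocHeur signature above: it does not parse the OLE directory, so a document that merely contains those UTF-16 strings in its text would also be flagged, which is the right trade-off for a quarantine-first mail filter but not for a final verdict.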
41 comments:
So did I about an hour ago
One of my colleagues has just received one of these also. It's a scam.
Thanks for this! I got this one this morning too. Figured it was a scam of some sort so didn't open the document but as the company address was legitimate and near to me it did have me second guessing.
I had one too. Glad I saw this
Me too
Received one this morning; looks credible; deleted it. Thank you for alerting us.
Yup, my whole company email has received this email.
I just had this as well - I deleted it, but one of my colleagues opened it and the document on their phone (iPhone 5s). Could this have any effect?
I got one of these too this morning.
Sadly it's nothing new for sick individuals who attempt to pretend to represent a charitable organisation in order to wheedle their way into your system. What goes around keeps coming around. Lovely cretins.
Yes... got it a few minutes ago...
George A. Rauscher
http://www.george.li
Me too, glad I saw this. Have deleted.
I had this at 8:36 today; it looked very much like a virus/malware.
Several in the company getting it this morning. This is the latest of several similar emails from differing senders received over the last few days with Microsoft Word attachments.
So did I, 8:56am GMT
I opened the attached document on my iPhone, will this have any effect?
I opened the document on my iPhone, will this have any effect?
Just got this email too, why are people so ugly.
This blog is wonderful, thanks!
I just had two of these, what's wrong with these Amoebas
Thank you for this! I have received one this morning too.
However, I have tried to open it on my iPhone and iPad. Will this have an impact on my devices?
I only realised it was a scam when I got prompted with the security warning that there are macros embedded in the attachment.
Please can anyone let me know if it will have an impact on my devices, and if so what I need to do?
Thank you so much!!!
Thank you for posting this! I also received the email.
However, I have tried to open it on my iPhone and iPad. Will this have an impact on my devices?
I only realised when I went over to my laptop and a message alerted me to the macros which are embedded in the attachment.
I would be very grateful if someone could let me know if that will have an impact on my devices, and if so, what do I need to do to get rid of what was installed?
Thank you so much!!!
Thanks to whoever started this thread. Got the email too just now. Thank heavens we're all working to minimise the impact of these scum scammers.
To those that have opened it, run a virus scan and removal now. There are some great free ones available for all machine and mobile types. It won't be the only thing you have on there. And then, never open emails again from people you don't know or haven't subscribed to.
Keep up the good fight all!
Yes, I've just received this identical email with attachment "CAR014151239.doc (130KB)" ... 18/12/14 09.59
Thanks for posting this - I just received that email.
Yes, me too, loads of them
Got 2 this morning, deleted even though the Avira Professional report on the attached doc was negative
I got the thing too - timed at 0753 this morning. A professional looking email too. The presence of name, address, phone no and award logos make it look much more credible than many. But as I have never ordered any water from anybody, it still didn't feel right. A quick Google, and hey presto! Thanks everyone.
Everyone in our company also received this email this morning.
I opened the file, then realised that it was probably a scam and immediately closed it. I run McAfee Internet Security on my PC; no warnings came up. Will it detect this or is it new??
Does anybody know what it does and how I can check and remove it?
In that pastebin macro:
Line 527: Downloads bin.exe from sardiniarealestate(dot)info and writes it to %TEMP%\YEWZMJFAHIB.exe
Line 1381: Executes the downloaded file
It does a few other things (Lines 638/639, 745, 853, 961), but I'm not going to deobfuscate those strings by hand.
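Picking up on the behaviour described in the comment above (drop an executable into %TEMP%, then run it), here is an added endpoint-side detection example, written for this page rather than taken from the post or from Sanesecurity. It scores constructed Sysmon-style process-creation events for an Office application launching an .exe from a Temp directory, with the random-looking all-caps filename from the comment as a secondary signal. The event field names, host names and the two benign events are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Parent processes that should not normally be launching executables written to disk.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# The macro in the comment above writes %TEMP%\YEWZMJFAHIB.exe; random-looking
# all-caps names of that shape are a useful secondary signal, not proof on their own.
RANDOM_EXE = re.compile(r"^[A-Z]{8,16}\.exe$")


def in_temp_dir(path: str) -> bool:
    """True if a Windows path sits under a Temp directory (what %TEMP% expands to)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "temp" in parts[:-1]


def score_event(ev: dict) -> list:
    """Return the reasons a process-creation event looks like a macro dropper launch."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    image = PureWindowsPath(ev["image"])
    reasons = []
    if parent in OFFICE_PARENTS and image.suffix.lower() == ".exe":
        reasons.append("office-app-spawned-exe")
        if in_temp_dir(ev["image"]):
            reasons.append("child-in-temp")
        if RANDOM_EXE.match(image.name):
            reasons.append("random-uppercase-name")
    return reasons


def detect(events) -> list:
    """Alert on events with at least two reasons (Office parent plus a path signal)."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            alerts.append({"host": ev["host"], "image": ev["image"], "reasons": reasons})
    return alerts


# Constructed process-creation events (Sysmon event 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws17",
     "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\YEWZMJFAHIB.exe"},
    {"host": "ws17",
     "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},  # 32-bit Word using the 64-bit print spooler: normal
    {"host": "ws22",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\setup_tool.exe"},  # user-run installer from Temp
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Requiring two reasons keeps the rule quiet on the common benign case of Word spawning a helper binary from the Windows directory, while still firing on the dropper path even if the attacker picks a less conspicuous filename next time.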
I received the same e-mail with the same Word document containing a macro.
It is a scam.
AquAid here – we are very, very sorry about the trouble this has caused. Our servers have been hacked and the problem should now be resolved, but I am fully aware that doesn’t help all the people who have already received emails infected with a virus.
Apologies again.
Peter Hansen
Group Manager
AquAid
Devious and more convincing than the usual scam emails. I can see why perfectly reasonable and seasoned email users could fall for this one. This is a most useful blog from which we can all benefit. David Foley. East Kent Chamber of Commerce
I have opened it on my phone and emailed back, can they get anything off my phone??
I received one today and I replied back on my phone, will they be able to get anything from my phone?
I just got the email about 30 minutes ago so it's still doing the rounds.
Looks very convincing and if you go to Aquaid website the individual is an 'actual' person.
I tried phoning but engaged. I guess the switchboards are jammed.
Just received one today - googled the mobile number straight away and found this site. Now deleted email. Thanks guys!
If you opened it on a phone it should be fine - it only attacks Windows PCs at the moment.
Our Managing director also received this email several times today. We are a wholesaler and do purchase this kind of product frequently. Luckily he knew he had never ordered from Aquaid so didn't open the attachment. Also tried to call Aquaid but the line was engaged.
Very clever individuals hacking their servers and sending these directly from their mail server by the look of it. Hopefully everyone receiving this email will have Googled it and found this thread.
We received it today and opened it up; will it have any effect on the phone? thx