Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 694878F]
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Bertha Hahn
Anglia Engineering Solutions Ltd
Tel: 01469 382553
There are currently 4 variants, all of which were zero-hour (0 hour) detected by:
Sanesecurity.Malware.24631.XlsHeur
Additionally, Sanesecurity.Rogue.0hr.20141210-1026 blocks the following hashes, which are on VirusTotal and
currently not detected by any of the 56 virus scanners:
061930c8fc246872dda3af5670d3ea44
20a66473d970a3b91aa0e6184e6d7e76
b5153a417ab4e4a2017a08909c771dfd
ed3f7389bd63fb1dd6c35279e7009046
Cheers,
Steve
www.sanesecurity.com
9 comments:
We've just had hundreds of these come in. Spreadsheet payload for ours is at hxxp://41.0.5.138:8080/stat/lld.php
Had 3 already!
Just had two emails exactly the same as this come through. Different senders.
Received this too!!!!!
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Fran Cardenas
Anglia Engineering Solutions Ltd
Tel: 01469 582108
Received this too!!!
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Fran Cardenas
Anglia Engineering Solutions Ltd
Tel: 01469 582108
I had this, this morning.
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Isaias Mercer
Anglia Engineering Solutions Ltd
Tel: 01469 468592
11:56am on 10/12/2014
I have had 2 fake e-mails in the last hour, both purporting to come from Anglia Engineering Solutions. One was from Sharron either Nielsen or Nielson (I can't remember, I deleted it), the other from "Katharine Sullivan" according to the return address in the header info.
Anglia . . . is a genuine company, and I believe that they know nothing about this scam. The fake e-mails include phone numbers starting 01469, which is correct for Anglia, but the rest of the number does not appear to correspond with the correct Anglia phone number.
A few days ago I had one referring to martechnology.co.uk. Martechnology is another genuine company, and in this case it may be significant that "martechnology" is part of my e-mail address and has been since the mid 90s.
In all cases there has been no attachment, either XLS or any other type.
In case anyone can make out where these are coming from and how to put a stop to it, I repeat below the complete text including all header info for the last one received.
================
From:
"Katharine Sullivan"
To:
mp@martechnology.freeserve.co.uk
Date: Dec 10 2014, 11:33 AM
Subject:
Remittance Advice from Anglia Engineering Solutions Ltd [ID 953387A]
Return-Path:
Received: from mwinf5c09 (mwinf5c09 [10.223.111.59])
by mwinb3503 with LMTPA;
Wed, 10 Dec 2014 12:33:10 +0100
X-Sieve: CMU Sieve 2.3
Received: from AGC114SUPERXP.att.net ([64.160.76.12])
by mwinf5c09 with ME
id RnWE1p00E0FvJzC01nWE9E; Wed, 10 Dec 2014 12:33:10 +0100
X-bcc: martechnology@freeserve.co.uk
Envelope-to: mp@martechnology.freeserve.co.uk
X-ME-bounce-domain: martechnology.freeserve.co.uk
X-ME-engine: default
X-me-spamcause: (0)(0000)gggruggvucftvghtrhhoucdtuddrfeejiedrgedtgddvjecutefuodetggcurfhrohhfihhlvgemucfogfenuceurghilhhouhhtmecugedttdenucenucfju
ghrpefhvffurhgtggfkffesrgdtfegstddtjeenucfhrhhomhepfdfmrghthhgrrhhinhgvucfuuhhllhhivhgrnhdfuceonfgrughonhhnrgdrieelkedtsegrthhtrdh
nvghtqe
X-me-spamlevel: not-spam
X-ME-Helo: AGC114SUPERXP.att.net
X-ME-IP: 64.160.76.12
X-ME-Entity: ouk
From: "Katharine Sullivan"
To: mp@martechnology.freeserve.co.uk
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 953387A]
Reply-To: "Katharine Sullivan"
Content-Type: multipart/alternative; boundary="----=_Part_37356545_9532428387.8540982024441"
MIME-Version: 1.0
Message-Id: <20141210033014.031001653774@AGC114SUPERXP.att.net>
Date: Wed, 10 Dec 2014 03:30:14 -0700
Dear ,
We are making a payment to you.
Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014.
If you have any questions regarding the remittance please contact us using the details below.
Kind regards
Katharine Sullivan
Anglia Engineering Solutions Ltd
Tel: 01469 679017
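Added example, not part of the comment above or of the original post: a short Python reading of the pasted headers, aimed at the commenter's question of where the mail came from. It assumes the provider's internal relays use private addresses, as the 10.223.111.59 hop here does; the function name is hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header lines taken from the comment above, with the folded
# continuation lines re-indented so the parser can unfold them.
RAW_HEADERS = """\
Received: from mwinf5c09 (mwinf5c09 [10.223.111.59])
 by mwinb3503 with LMTPA;
 Wed, 10 Dec 2014 12:33:10 +0100
Received: from AGC114SUPERXP.att.net ([64.160.76.12])
 by mwinf5c09 with ME
 id RnWE1p00E0FvJzC01nWE9E; Wed, 10 Dec 2014 12:33:10 +0100
Message-Id: <20141210033014.031001653774@AGC114SUPERXP.att.net>
Date: Wed, 10 Dec 2014 03:30:14 -0700

"""

# "from <HELO name> (<optional rDNS> [<connecting IP>])"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\(.*?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")

def first_external_hop(raw_headers):
    """Find the hop where the mail entered the recipient's provider.

    Assumption: internal relays use private addresses, so the newest Received
    line with a public IP was written by the provider's edge server.
    """
    msg = message_from_string(raw_headers)
    for received in msg.get_all("Received", []):  # newest hop first
        flat = " ".join(received.split())
        match = HOP.search(flat)
        if not match:
            continue
        ip = ipaddress.ip_address(match["ip"])
        if ip.is_private or ip.is_loopback:
            continue  # internal relay, keep walking towards the sender
        # The connecting IP and timestamp were recorded by the provider;
        # HELO, Message-Id and Date are whatever the sender supplied.
        accepted = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        claimed = parsedate_to_datetime(msg["Date"])
        msgid_host = msg["Message-Id"].strip("<>").rsplit("@", 1)[1]
        return {
            "connecting_ip": str(ip),
            "helo": match["helo"],
            "msgid_host_matches_helo": msgid_host.lower() == match["helo"].lower(),
            "seconds_date_to_accept": int((accepted - claimed).total_seconds()),
        }
    return None
```

On these headers the function reports 64.160.76.12 as the connecting address, and a Date header just under 63 minutes earlier than the provider's receipt time.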
Also received two of these. Only worry, there is an attachment which I cannot find in the message. Have they found a way of disguising the attachment, so that if I click anywhere on the message I get infected?
I just spoke to Anglia Engineering who apologised and were unhappy that this had occurred although the 700 phone calls they've had today proves that if you want to reach lots of people get someone to fake a payment from your company. I gather this problem is in a hidden macro which autoruns if you open the file. I've not come across this for some years so I expect less experienced folks will fall prey.
Rick