Wednesday, 18 February 2015

Thank you for your payment nycserv@finance.nyc.gov with zip attachment.


Message Header: 
From: {nycserv@finance.nyc.gov}
Subject: Thank you for your payment
Message Body:
This is confirmation that your payment on Wed, 18 Feb 2015 16:31:02 +0000 for USD 7900.00 has been accepted by the NYC Department of Finance. Your Credit Card statement will show an entry from Parking Fines NYCGOV. Please read the attachment and save it in case you have any questions about the items that you have paid.

Name: sol chaimovits

Payment Date: Wed, 18 Feb 2015 16:31:02 +0000

Receipt Number: WWW81733157

Payment Amount: USD 7900.00

Credit Card: Visa

Account ending in: 3501

Your payment was for the following items:

Agency                         Item                     Amount
------------------------------ ------------------------ ---------------
PVO                            1160025162               USD 3000.00
PVO                            7247746580               USD 4500.00
DOF                            Convenience Fee          USD 400.00

Thank you for using New York City's website to process your payment.
Please do not reply to this email.  You may contact us by visiting
http://nycserv.nyc.gov/NYCServWeb/ContactUs.html if you have questions
or need further assistance.
Attachment filename:
attachment.zip

Inside the Zip file is a Windows Executable:
attachment.exe

MD5 hashes:
5c28d3aeabf4685d3652c8864c02c08d [1] (Zip)
31aae58c4eb6a0c7fe213322a8acd7fc [2] (Exe)

Malware information:
VirusTotal Report [1] (hits 6/57 virus scanners) (Zip)
VirusTotal Report [2] (hits 6/57 virus scanners) (Exe)
Malwr Report [2] (Exe)
Hybrid Analysis Report [2] (Exe): Detailed Technical Report
Description:
The malware in the zip is a trojan downloader, widely referred to as Upatre.

This downloader will then probably fetch its partner in crime, Dyre. Dyre is a Zeus-like banking Trojan that tries to capture as much of your online banking details as possible.

It is also being used to send the same malware on to everyone else, using your own copy of Outlook and your bandwidth... and basically being a costly pain in the rear.
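As an added defensive example (not code from this blog or from any of the linked reports), here is the kind of check a mail gateway or a cautious admin would want for an attachment like this one: open the zip in memory, flag any member with an executable extension or the Windows PE `MZ` magic, and compare MD5s against the two hashes reported above. The zip it scans is a constructed stand-in with a fake `attachment.exe`, not the real sample; the size cap is an assumption chosen to keep a crafted archive from exhausting memory.

```python
import hashlib
import io
import zipfile

# MD5 values the post reports for this campaign (the zip and the exe inside it).
KNOWN_BAD_MD5 = {
    "5c28d3aeabf4685d3652c8864c02c08d": "attachment.zip (Upatre downloader, zipped)",
    "31aae58c4eb6a0c7fe213322a8acd7fc": "attachment.exe (Upatre downloader)",
}

# Extensions that have no business arriving inside a "payment receipt".
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
PE_MAGIC = b"MZ"                      # every Windows PE file starts with this DOS header signature
MAX_MEMBER_BYTES = 16 * 1024 * 1024   # assumed cap: refuse to fully read anything bigger (zip-bomb guard)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def inspect_zip_attachment(zip_bytes: bytes) -> dict:
    """Look inside a zip attachment and flag anything that looks like a Windows executable.

    Returns {"zip_md5": str, "suspicious": {member_name: [reasons]}, "ioc_matches": [(md5, label)]}.
    """
    report = {"zip_md5": md5_hex(zip_bytes), "suspicious": {}, "ioc_matches": []}
    if report["zip_md5"] in KNOWN_BAD_MD5:
        report["ioc_matches"].append((report["zip_md5"], KNOWN_BAD_MD5[report["zip_md5"]]))

    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # Not a zip at all: still worth blocking, since the MIME type claimed otherwise.
        report["suspicious"]["<archive>"] = ["not a valid zip file"]
        return report

    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(EXECUTABLE_EXTENSIONS):
                reasons.append("executable extension")
            if info.file_size > MAX_MEMBER_BYTES:
                reasons.append("member too large to scan")
                report["suspicious"][info.filename] = reasons
                continue
            with zf.open(info) as fh:
                data = fh.read()
            # Check content, not just the name: a renamed .exe still starts with MZ.
            if data.startswith(PE_MAGIC):
                reasons.append("PE header (MZ)")
            member_md5 = md5_hex(data)
            if member_md5 in KNOWN_BAD_MD5:
                reasons.append("known-bad MD5")
                report["ioc_matches"].append((member_md5, KNOWN_BAD_MD5[member_md5]))
            if reasons:
                report["suspicious"][info.filename] = reasons
    return report


def build_sample_zip(include_exe: bool = True) -> bytes:
    """Constructed sample (not the real attachment): a zip holding a text file and, optionally,
    a fake attachment.exe whose content starts with the PE 'MZ' magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"Thank you for your payment\n")
        if include_exe:
            zf.writestr("attachment.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_zip_attachment(build_sample_zip())
    print("zip md5:", result["zip_md5"])
    for name, why in result["suspicious"].items():
        print(f"BLOCK {name}: {', '.join(why)}")
    print("IOC matches:", result["ioc_matches"] or "none")
```

Run as-is it reports `BLOCK attachment.exe: executable extension, PE header (MZ)` and no IOC match, because the constructed file is not the real sample; feed it the actual attachment bytes and the hash comparison is what matches the report above. The MZ check matters more than the extension check in practice, since a double extension or a renamed file defeats the latter.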

Cheers,
Steve

59 comments:

Anonymous said...

Just got this email through. Keep getting spam emails containing viruses and I'm not sure how they got my email address?

Anonymous said...

I just got this one, too.

Anonymous said...

Just received this exact email!!!
Hopefully everybody researches and finds this report before opening it.

Anonymous said...

Thank you for confirming this. I had the same email; it looked bogus but believable. I knew enough not to click it.

Anonymous said...

i got this exact email today.....

Anonymous said...

Just received this email at 12:21 ET 2/18/15.

Anonymous said...

I just got this email. Thanks to this blog, I deleted it immediately! Thank you!

Anonymous said...

Got this three times today. Exactly as shown. Blacklisted it in my spam filter.

Anonymous said...

Totally got this exact email, virus for sure

Anonymous said...

Received this just now, in the UK...

Anonymous said...

Me too I live in Canada

Anonymous said...

Never been to NY and live in Canada? But got this too !

Anonymous said...

I just received this email, as well. I don't live in NYC, and I've never driven in NYC, so I didn't download anything.

Anonymous said...

me too.. damn spammers

Anonymous said...

Got 2 exact same emails in New Zealand

Linda Evans said...

I got it too. Glad I checked!

Linda Evans said...

I got it too. I have a credit card that happens to have those last 4 numbers too so I checked. Glad I did.

Anonymous said...

Just got this as well on company email (based in CA)

Anonymous said...

I got this today too and deleted it immediately.

Anonymous said...

Me too, the stress caused non-stop flatulence for nearly 48 hours so I called the police. Thanks

Anonymous said...

We have got this,too. From Hawaii:) NYC seems far far away.

Anonymous said...

Thanks for the site!!! I have never driven in NY. I came to think it was identity theft, what a scare!! Watch out for another one: zona/jobs

Anonymous said...

I got this on my work e-mail. I wonder if this could be part of the cyber attack on Anthem BCBS.

anon said...

Just got same e-mail..... police said they were busy with some guy who had flatulence ... did not click on it :))

SM said...

Called NYC Finance and they said they are aware of it and those emails were sent in error :-( the amount could be for 7,900 or 4,500 and a lot of aggravation !!

Anonymous said...

Yep.. just received it too.. Wonder how many fall for it?

Anonymous said...

Thanks for the blog. Received email also.

Anonymous said...

Got it too...PA

Anonymous said...

Don't think it was sent in error if it contains a virus. Especially since the originating IP is in Mexico.

Acaa said...

I just got this too, thankfully didn't open it. Thanks for the blog

Joanne O'Connor said...

Hi all, just got this email too. What should I do?
Thanks all.

Anonymous said...

Just received it as well. I wish my antivirus would peek inside of zipped attachments.

The $400 line item is quite a hefty "convenience fee" for online NYC parking ticket payments. I wonder if that's what they really do charge...


omegacron said...

Joke's on them - I don't have a credit card. Or $7900 in the bank.

Anonymous said...

Just got this too and I'm in New Zealand not New York

Anonymous said...

I got this email this morning too. I'm in Australia and have never been to New York

Dorcas Iki said...

Got the exact email dated Thu 2/19/2015 3:12 AM. deleted straight away...Papua New Guinea

Dorcas Iki said...

Got this one this am Thu 2/19/2015 3:12 AM..

Anonymous said...

Got it in Hong Kong.

Anonymous said...

What happens if you open the attachment on a Mac? Does it still get infected?

Dall said...

Israelis...criminals from Israel, associated with banking cartels.

Anonymous said...

I got the same email. Checked all my credit card numbers first, no match. Then researched. I am in Texas. I went to NY 20 years ago and didn't drive a car. Thought something was fishy. Thanks for the info.

Anonymous said...

I suspected it as soon as I saw there was a .zip attached... But I checked my card online right away since all the hacking that's taking place.

Anonymous said...

What the hell. I thought I'd been had. UK

Anonymous said...

Just got this e-mail too, in Thailand. Thanks to this blog.

Anonymous said...

I got this email this morning too, 12:35am. I'm in Malaysia and have never been to New York

Anonymous said...

Received this just now, in Spain

cindy said...

I just got the same message but did not open the zip, and I live in Belgium

Anonymous said...

Never been to NYC and live in London, UK. Received one of these this morning and just laughed.

Anonymous said...

Received via finance sector within educational environment in UK.

SM said...

Why would NYC lie that mails are sent in error? May be it should admit that the system was hacked or there is spam going on.

Anonymous said...

just received this exact email too on a business email glad I read this

Anonymous said...

I received this yesterday and immediately burst into tears, and have since cried all the water out of my body. I can't move now, just a dry, wrinkly skin-heap on the floor. Where is justice in the world? Cheers

Anonymous said...

same email, in Belgium :D

Anonymous said...

Thanks, I received the same mail here in the UK and so deleted the message and did not open the attachment, after checking the information you have here.

Steve Quade said...

Just received this in Birmingham, England, and before opening it did a Google search which came up with this site. Obviously deleted the email without opening it, hopefully before any harm was done. Thanks for the advice.

Anonymous said...

I got this email too :)

Anonymous said...

Just received the same email and ignored it.

Brendan Murphy said...

Oh my god - is this for real - thank you just got this exact same email!