Friday, 26 June 2015

Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)

Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001) FG08OEE.doc macro malware.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:

From: directdebit@taxdisc.service.gov.uk
Subject: Notification of Vehicle Tax DD Payment Schedule (Ref: 000000-000005-274421-001)

Message Body:

Important: Confirmation of your successful Direct Debit instruction

Dear customer
Vehicle registration number: FG08OEE
Thank you for arranging to pay the vehicle tax by Direct Debit.
Please can you check that the details attached below, and your payment schedule are correct.
If any of the above financial details are incorrect please contact your bank as soon as possible.
However, if your details are correct you don’t need to do anything and your Direct Debit will be processed as normal. You have the right to cancel your Direct Debit at any time. A copy of the Direct Debit Guarantee is included with this letter.
For your information, the collection will be made using this reference, and this is how your payment will be detailed on your bank statements:
  • DVLA Identifier: 295402
  • Reference: FG08OEE
Your vehicle tax will automatically renew unless you notify us of any changes. We will send a new payment schedule at the time of renewal.
Yours sincerely

Rohan Gye
Vehicles Service Manager
Attachment:
FG08OEE.doc
Sha256 Hashes:
25e247c71cd4a50f5c97e3b69807faa5ac048da050c0180fd881f75d1577fe66 [1]
369c3e84e9a288b3f2df0672c3dd2eaa208c9d2e6ac10c36a04b9e3ff52f8b4d [2]
404a73f3cb148dfdd1e75aa498c7a8098352f4014eedf50c77db2c299bf70f24 [3]
a97b05797f326e8e8ba79f12d15a523096be31b13c19d7569b82995b957616ec [4]
fe9097d91e65bd70b4ae777e8fbdb139d39f0baadeca4ab40e9b584b002a2f1d [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/57)
VirusTotal Report: [2] (detection 4/57)
VirusTotal Report: [3] (detection 4/57)
VirusTotal Report: [4] (detection 4/57)
VirusTotal Report: [5] (detection 4/57)

NOTE

The current round of Word/Excel/XML attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve
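An added example, not part of the original post: a small triage script that hashes each attachment in a message, compares it with the SHA-256 values listed above, and flags legacy Office (OLE2) files that appear to carry a VBA project. The `triage` and `constructed_sample` names are hypothetical, the byte search for `_VBA_PROJECT` is a quick heuristic rather than a full parser, and the sample message is constructed with an inert payload.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# SHA-256 values listed in the post for FG08OEE.doc
POST_HASHES = {
    "25e247c71cd4a50f5c97e3b69807faa5ac048da050c0180fd881f75d1577fe66",
    "369c3e84e9a288b3f2df0672c3dd2eaa208c9d2e6ac10c36a04b9e3ff52f8b4d",
    "404a73f3cb148dfdd1e75aa498c7a8098352f4014eedf50c77db2c299bf70f24",
    "a97b05797f326e8e8ba79f12d15a523096be31b13c19d7569b82995b957616ec",
    "fe9097d91e65bd70b4ae777e8fbdb139d39f0baadeca4ab40e9b584b002a2f1d",
}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # Compound File Binary header
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")   # directory names are UTF-16LE

def triage(raw_email: bytes, known_hashes=POST_HASHES):
    """Return one finding dict per attachment in the message."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        is_ole = data.startswith(OLE2_MAGIC)
        findings.append({
            "filename": part.get_filename(),
            "sha256": digest,
            "known_bad": digest in known_hashes,        # exact IoC match
            "ole2": is_ole,                             # legacy .doc/.xls container
            "vba_hint": is_ole and VBA_STREAM in data,  # heuristic: macro project present
        })
    return findings

def constructed_sample() -> bytes:
    """Constructed message mimicking the lure; the payload is inert filler."""
    msg = EmailMessage()
    msg["From"] = "directdebit@taxdisc.service.gov.uk"
    msg["Subject"] = "Notification of Vehicle Tax DD Payment Schedule"
    msg.set_content("Dear customer")
    fake_doc = OLE2_MAGIC + b"\x00" * 64 + VBA_STREAM + b"\x00" * 64
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="FG08OEE.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(constructed_sample()):
        print(finding)
```

A hash miss does not clear a file: the post lists five different hashes for the same attachment name, so the `ole2` and `vba_hint` flags matter when a new variant arrives.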

12 comments:

Stephen Secombe said...

Just received one of these emails at 08:47 this morning. Thanks for the information confirming my suspicions.

Anonymous said...

I received such an email today - we are a Czech company. Thanks for confirming my suspicions.

Paul James said...

Received two of these emails at 8.49 and 10.04. Thanks for the post confirming this scam.

Clive Cope said...

Many thanks for the update - there are a load of tossers out there.

Clive

Anonymous said...

Thanks for this. I got the exact same mail 5 minutes ago and was immediately suspicious but there was nothing in the mail headers suggesting it was anything other than a mistake from the DVLA. Thankfully it's always possible to revoke a DD instruction even if the mail had been genuine!

Anonymous said...

Just got this email. Thanks for the information you posted here. I grew suspicious and browsed the internet for this and I found your post here, thanks.

Anonymous said...

The source IP address is Bangalore, India.

Anonymous said...

I received two of these emails this morning and am pleased I googled them to check if this was a current scam. Thanks for the confirmation and I just deleted the emails.

Phil

Anonymous said...

They need a geography lesson. I live in Ireland, stupid scammers.

Anonymous said...

For extra protection against these scams and others it would be wise to install Trusteer Rapport. This runs alongside other security programs and prevents key logging, among other things. You can download it from your bank's website.

Michele Findlay said...

When you receive three of these emails your suspicions are raised, and as usual when I'm not sure I check it out on the Internet. Thanks for confirming my suspicions.

Anonymous said...

By a complete coincidence, I had just bought a car when I received the scam DVLA email. I checked it out by pasting some of the text into google and your site came up - thank you!