Monday, 15 June 2015

[Nyfast] Payment accepted 101153.doc

[Nyfast] Payment accepted 101153.doc macro malware.

These emails aren't from the companies named in them at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advisable to ring them, as there won't really be anything they can do to help you.

Header:

Subject: [Nyfast] Payment accepted
From: Nyfast <sales@nyfast.com>

Message Body:
Hi ,
Thank you for shopping with Nyfast!
 
Order ZUJIEQGQV - Payment processed
Your payment for order with the reference ZUJIEQGQV was successfully processed.
 
You can review your order and download your invoice from the "Order history" section of your customer account by clicking "My account" on our shop.
If you have a guest account, you can follow your order via the "Guest Tracking" section on our shop.

Attachment:
101153.doc
Sha256 Hashes:
163298d1e1657833db1c591fba424d9a1e26f894e957b9810f150a0e95991dcd [1]
412a6c4ec8d4adbc9418f9857d13e3513771a731241eb16b46dce8d40311ce41 [2]
4b8a883a69576f6b80e1b304c462ee027b57dfa379f53ab7611d11f743e699cf [3]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/57)
VirusTotal Report: [2] (detection 3/57)
VirusTotal Report: [3] (detection 3/57)

NOTE

The current round of Word/Excel/XML attachments is targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable, so it will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking screenshots automatically or copying information from your clipboard (copy/paste)).
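
How you would triage such an attachment before anyone opens it, as an added example (this is not from the post, and the sample bytes are constructed stubs, not the real 101153.doc). It checks which container the file really is (an OLE2 .doc, a zipped .docm renamed to .doc, or Word 2003 XML), whether a VBA project is present, and whether any of the standard auto-run procedure names appear. The stream and procedure names are the ones Office itself uses; the byte-search approach is the equivalent of `strings -el` plus a zip listing, not a full OLE parse, so a missing auto-run name is not proof that none exists (VBA source is stored compressed):

```python
import io
import zipfile

# Magic bytes of the two container formats Word uses for .doc/.docm files.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound file (.doc, .xls)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML zip (.docx/.docm/.xlsm)

# OLE directory-entry names that only exist when a VBA project is embedded.
# They are stored as UTF-16LE inside the file, so we search for that encoding.
VBA_STREAM_NAMES = ("_VBA_PROJECT", "Macros", "ThisDocument", "ThisWorkbook")

# Procedure names Word/Excel run on open without any further click.
AUTORUN_NAMES = ("AutoOpen", "AutoExec", "Document_Open", "Auto_Open", "Workbook_Open")


def triage_attachment(data: bytes) -> dict:
    """Return a dict with the container type and any macro indicators found.

    Byte-level triage only: VBA source is stored compressed, so a missing
    autorun name is not proof of absence. Use olevba for the real decode.
    """
    result = {"container": "unknown", "has_vba": False, "evidence": [], "autorun": []}
    scan_targets = [data]

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        for name in VBA_STREAM_NAMES:
            if name.encode("utf-16-le") in data:
                result["has_vba"] = True
                result["evidence"].append("stream " + name)
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # A .docm renamed to .doc still carries its macro part here.
                if info.filename.lower().endswith("vbaproject.bin"):
                    result["has_vba"] = True
                    result["evidence"].append("part " + info.filename)
                    scan_targets.append(zf.read(info))
    elif data.lstrip().startswith(b"<?xml") and b"editdata.mso" in data:
        # Word 2003 XML keeps the macro storage base64-encoded in a
        # <w:binData w:name="editdata.mso"> element.
        result["container"] = "word2003xml"
        result["has_vba"] = True
        result["evidence"].append("binData editdata.mso")

    for name in AUTORUN_NAMES:
        if any(name.encode("ascii") in blob or name.encode("utf-16-le") in blob
               for blob in scan_targets):
            result["autorun"].append(name)
    return result


# Constructed samples: stubs carrying only the bytes the triage looks at.
# They are not real documents and will not open in Word.
SAMPLE_MACRO_DOC = (
    OLE_MAGIC + b"\x00" * 24
    + "WordDocument".encode("utf-16-le")
    + "Macros".encode("utf-16-le")
    + "_VBA_PROJECT".encode("utf-16-le")
    + b"\x00" * 8 + b"AutoOpen" + b"\x00" * 8
)
SAMPLE_CLEAN_DOC = OLE_MAGIC + b"\x00" * 24 + "WordDocument".encode("utf-16-le") + b"\x00" * 16


def build_sample_docm() -> bytes:
    """Build an in-memory OOXML zip with a vbaProject.bin part (constructed stub)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin",
                    OLE_MAGIC + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le") + b"Document_Open")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro .doc", SAMPLE_MACRO_DOC),
                        ("clean .doc", SAMPLE_CLEAN_DOC),
                        ("renamed .docm", build_sample_docm())):
        print(label, triage_attachment(blob))
```

Run it against a quarantined attachment with `triage_attachment(open(path, "rb").read())`; a `has_vba` hit on an invoice or "payment accepted" document is enough on its own to treat the file as hostile, regardless of the VirusTotal count at the time.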

Cheers,
Steve

8 comments:

Anonymous said...

Can confirm I have received an email about this having never placed an order, to an email address that doesn't even exist!

Feel sorry for nyfast, who are probably going to find some of their genuine mail blocked.

Kate Tricker said...

I received an email from this company saying thank you for your purchase but as I didn't recognise the company name, nor had I made a purchase I decided to check it out and found this blog... so pleased I checked first!!

Anonymous said...

Same for me !
Never placed any order, Word doc attached.

Anonymous said...

Had this e-mail at work today. With a .doc attachment, obviously didn't open it.

Anonymous said...

Received the same e-mail & attachment, did not open it as I knew I hadn't placed any order from Nyfast.

Here are the details:
From sales@nyfast.com Mon Jun 15 10:26:40 2015
Return-Path:
Delivered-To: xxxxxxxxxxxxxxxxxxx
Received: (qmail 28221 invoked from network); 15 Jun 2015 10:26:40 -0000
Received: from unknown
(envelope-sender )
by 0 (qmail-ldap-1.03) with SMTP
for ; 15 Jun 2015 10:26:40 -0000
Received: from macsrvex.macsolution.it ([62.196.76.250])
(Exim 4.67)
(envelope-from )
id 1Z4Rb8-000656-RP
for xxxxxxxxxxxxxxxxxxxxx; Mon, 15 Jun 2015 12:26:40 +0200
To:xxxxxxxxxxxxxxxxxxxx
Subject: [Nyfast] Payment accepted
From: Nyfast
Reply-To: Nyfast
Date: Mon, 15 Jun 2015 12:26:27 +0200
X-LibVersion: 3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_=_swift-628630982556d6943e19592.41082492_=_"
Content-Transfer-Encoding: 7bit
Message-ID: <20150602082851.1442310232.swift@nyfast.com>
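
What the header block above actually shows, as an added example rather than the commenter's own analysis: the script parses the Received: chain, finds the bottom-most relay that names a host, and compares it with the domain the From: line claims. The sample is the commenter's header block re-folded into valid continuation lines, with the From address restored from the post's own header summary (the comment lost the angle-bracketed address) and the redactions left as posted. A mismatch is a triage flag only: a shop that mails through a third-party provider trips it as well, and the SPF/DKIM results (absent from this header) are the authoritative check.

```python
import email
import email.utils
import re

# Constructed sample: the header block a commenter posted above, re-folded so
# continuation lines carry the leading whitespace a raw message has. Redacted
# recipients (xxxx) and empty values are left exactly as they appear there.
SAMPLE_HEADERS = """\
Return-Path:
Delivered-To: xxxxxxxxxxxxxxxxxxx
Received: (qmail 28221 invoked from network); 15 Jun 2015 10:26:40 -0000
Received: from unknown
 (envelope-sender )
 by 0 (qmail-ldap-1.03) with SMTP
 for ; 15 Jun 2015 10:26:40 -0000
Received: from macsrvex.macsolution.it ([62.196.76.250])
 (Exim 4.67)
 (envelope-from )
 id 1Z4Rb8-000656-RP
 for xxxxxxxxxxxxxxxxxxxxx; Mon, 15 Jun 2015 12:26:40 +0200
To: xxxxxxxxxxxxxxxxxxxx
Subject: [Nyfast] Payment accepted
From: Nyfast <sales@nyfast.com>
Reply-To: Nyfast
Date: Mon, 15 Jun 2015 12:26:27 +0200
X-LibVersion: 3.3.2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_=_swift-628630982556d6943e19592.41082492_=_"
Content-Transfer-Encoding: 7bit
Message-ID: <20150602082851.1442310232.swift@nyfast.com>

"""

# "from <host> ([<ip>])" at the start of a Received value; the IP part is optional.
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\))?")


def received_chain(raw_headers: str) -> list:
    """Return the Received hops top-down (newest first) as dicts host/ip/raw."""
    msg = email.message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = RECEIVED_FROM.match(flat)
        hops.append({"host": m.group(1) if m else None,
                     "ip": m.group(2) if m else None,
                     "raw": flat})
    return hops


def from_domain(raw_headers: str):
    """Domain part of the From: address, or None if there is no address."""
    msg = email.message_from_string(raw_headers)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()


def originating_relay(raw_headers: str):
    """The bottom-most Received hop that names a host: where the message entered
    the chain as far as these headers show. Only hops added by your own servers
    are trustworthy; anything below them can be forged by the sender."""
    for hop in reversed(received_chain(raw_headers)):
        if hop["host"]:
            return hop
    return None


def spoof_indicators(raw_headers: str) -> list:
    """Cheap triage: does the claimed sender domain match where the mail came from?
    A legitimate shop using a third-party mail provider also trips this, so a hit
    is a reason to check SPF/DKIM results, not proof by itself."""
    indicators = []
    dom = from_domain(raw_headers)
    relay = originating_relay(raw_headers)
    if dom and relay:
        host = relay["host"].lower()
        if host == "unknown" or not (host == dom or host.endswith("." + dom)):
            where = host + (" (" + relay["ip"] + ")" if relay["ip"] else "")
            indicators.append("From claims " + dom + " but message entered via " + where)
    return indicators


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(hop["host"], hop["ip"])
    print(spoof_indicators(SAMPLE_HEADERS))
```

On this sample the bottom hop is macsrvex.macsolution.it (62.196.76.250), an Exim host with no relation to nyfast.com, which is exactly the "real company name, someone else's servers" pattern the post describes.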

Anonymous said...

Same thing. Had this e-mail at work today. With a .doc attachment, obviously didn't open it.

Anonymous said...

Thank you for this !!

Recently ordered stuff from genuine store who've just switched to new payment handling system.

However, I don't use Word(TM) on principle, and OpenOffice is set to block macros. So, when the OO pop-up warned that this needed macros enabled...

Yeah, right.

Will have words with my paranoid Norton's...

Nik