Monday, 10 August 2015

Your order 10232 from Create Blinds Online: Paid invoice-10232.doc

Your order 10232 from Create Blinds Online: Paid invoice-10232.doc macro malware.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: orders@createblindsonline.co.uk
Subject: Your order 10232 from Create Blinds Online: Paid
Message Body:
We would like to thank you for your recent order.

Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232
Invoice Number: 10232
Delivery Note:

We received your order and payment on Aug/102015

Your order details are attached:

Kind regards
Create Blinds Online Team

Attachment:
invoice-10232.doc
SHA256 hashes:
cf24a2f8d08584f6ea2fbfcaa2f43caf5d77365aef977a678201cf1c4c037d31 [1]
0d917831636f69503b6f0a96e27958c1727303042c7832e36c8516292e5f1165 [2]
aa5d2ced624a76faf7381ba0e69e7346752c32426e9eba89b7ac0a79812d9b28 [3]
9713d769565afab2b1466819aca81f7bcfefb10b978e92fe66d2146e253cc04e [4]
2eac3af6e6d37a946a4b3f1ed99757f871f75fa38dc6527f7d5c2a76ee63f3ad [5]

Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 5/56)
VirusTotal Report: [2] (detection 5/56)
VirusTotal Report: [3] (detection 5/56)
VirusTotal Report: [4] (detection 5/56)
VirusTotal Report: [5] (detection 5/56)
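
The subject line, attachment name and SHA256 values listed above can be checked against stored mail with a short triage script. This is an added example, not part of the original post; the function names and the regexes that let the order number vary are assumptions, and the sample message is constructed and harmless.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# SHA256 values this page lists for invoice-10232.doc
PAGE_SHA256 = {
    "cf24a2f8d08584f6ea2fbfcaa2f43caf5d77365aef977a678201cf1c4c037d31",
    "0d917831636f69503b6f0a96e27958c1727303042c7832e36c8516292e5f1165",
    "aa5d2ced624a76faf7381ba0e69e7346752c32426e9eba89b7ac0a79812d9b28",
    "9713d769565afab2b1466819aca81f7bcfefb10b978e92fe66d2146e253cc04e",
    "2eac3af6e6d37a946a4b3f1ed99757f871f75fa38dc6527f7d5c2a76ee63f3ad",
}
# Assumption: other copies of the lure vary only the order number.
SUBJECT_RE = re.compile(r"Your order \d+ from Create Blinds Online: Paid")
ATTACH_RE = re.compile(r"invoice-\d+\.doc", re.IGNORECASE)


def triage(raw, known_hashes=PAGE_SHA256):
    """Return the indicator matches found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.fullmatch(str(msg.get("Subject", "")).strip()):
        hits.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""  # undo base64 transfer encoding
        if ATTACH_RE.fullmatch(name):
            hits.append("attachment-name")
        if hashlib.sha256(data).hexdigest() in known_hashes:
            hits.append("attachment-hash")
    return hits


def constructed_sample(body=b"constructed placeholder, not the real document"):
    """Build a harmless message shaped like the lure (constructed test data)."""
    m = EmailMessage()
    m["From"] = "orders@createblindsonline.co.uk"
    m["Subject"] = "Your order 10232 from Create Blinds Online: Paid"
    m.set_content("We would like to thank you for your recent order.")
    m.add_attachment(body, maintype="application", subtype="msword",
                     filename="invoice-10232.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A subject or attachment-name hit alone only means the message is shaped like the lure; the hash hit is the one that ties an attachment to the samples listed here.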

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by keylogging, taking automatic screenshots, or copying information from your clipboard (copy/paste)).

Cheers,
Steve

8 comments:

Anonymous said...

I had one today and have been buying curtain materials this weekend so almost opened the Word attachment but did this web search first. Mine of 10.7.15 says:
We would like to thank you for your recent order.

Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232

Invoice Number: 10232

Delivery Note:

We received your order and payment on Aug/102015

Your order details are attached:


Kind regards

Create Blinds Online Team



This electronic message contains information from Create Blinds Online which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.

Anonymous said...

I too have received one of these today with the same wording. I'm always a bit wary and never open the attachments and decided to do a Google search first. I tend to delete any that say thank you for your recent order without touching the attachment as I'm 99% sure they are virus related.

Anonymous said...

I have received one today. I tried to open it but it would not open, thank goodness, now that I have read this. When will these scumbags be stopped trying to ruin genuine people's lives?

Roy Gough said...

Got this today and won't be opening the attachment (invoice-10232.doc)



We would like to thank you for your recent order.

Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232

Invoice Number: 10232

Delivery Note:

We received your order and payment on Aug/102015

Your order details are attached:

Kind regards

Create Blinds Online Team

Jay said...

I opened the doc on my phone. Will I have been hacked?

Anonymous said...

Received one of these today and grateful for your post.
Believe it or not we are a window blind showroom so almost opened the attachment!!
Had a doubt, so googled it and your post came up, thank you.

Teresa said...

Hi this is Teresa from createblindsonline.co.uk

We are aware that someone is using our identity and is sending out thousands of emails with an attached order confirmation. Please do not open this attachment. If you have opened, or tried to open, the attachment on a PC, we advise you to run a virus scan.

Our website www.createblindsonline.co.uk is secure and has not been hacked and we have not taken any money or orders from anybody who has not placed an order with us.

We have had hundreds of phone calls and thousands of emails which we are trying to deal with as best as we can, but we are struggling.
Sorry for the inconvenience this has caused anyone.

Anonymous said...

My husband just received the same message on his windows work computer. He tried to open it and it wasn't able to.
Don't these hackers have anything better to do with their time!