Wednesday, 28 October 2015

DoNotReply@ikea.com Thank you for your order! IKEA receipt 607656390.doc

DoNotReply@ikea.com Thank you for your order! IKEA receipt 607656390.doc macro malware.

These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet. These emails normally have faked email headers/addresses.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: DoNotReply@ikea.com
Subject: Thank you for your order!
Message Body:

Order acknowledgement:


To print, right click and select print or use keys Ctrl and P.
Thank you for ordering with IKEA Shop Online. Your order is now being processed. Please check your order and contact us as soon as possible if any details are incorrect. IKEA Customer Relations, Kingston Park, Fletton, Peterborough, PE2 9ET. Tel: 0203 645 0015
Total cost:
£122.60
Delivery date:
30-10-2015
Delivery method:
Parcelforce
We will confirm your delivery date by text,email or telephone within 72 hrs.
Order/Invoice number:
607656390
Order time:
8:31am GMT
Order/Invoice date:
30-10-2015
 
Legal information
Please note that this email does not mean that we have accepted your order and it does not form a binding contract. A contract will be formed between You and IKEA at the time we dispatch your order to you, with the exception of made to order sofas and worktops where order acceptance occurs at the point when we send you our Delivery Advice email.
Your order is subject to IKEAs Terms of use and Return Policy
 

Attachment:
IKEA receipt 607656390.doc
Sha256 Hashes:
03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8
92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
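
An added triage example (not part of the original post) for the faked-header note and the attachment hashes above: it reads the SPF/DKIM/DMARC verdicts stamped by your own mail server instead of trusting the From: line, and hashes each attachment against the two SHA-256 values listed. The authserv-id `mx.example.net`, the `bot.example` sender and the sample message are constructed assumptions.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA-256 values this post lists for "IKEA receipt 607656390.doc".
KNOWN_BAD = {
    "03626c8036299e08b705f193337d44934ee45ddc373a368c71e8ef073ec674e8",
    "92f733da9ba440f0632b495a32742d47a5cb296f49127f210e14de412e371bf8",
}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def triage(raw: bytes, authserv_id: str = "mx.example.net") -> dict:
    """Header and attachment findings for one message. authserv_id (an
    assumption) is the name your own MTA stamps into Authentication-Results;
    copies stamped by any other host are ignored, since a sender can add them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    trusted = " ".join(
        h.lower() for h in msg.get_all("Authentication-Results", [])
        if h.strip().lower().startswith(authserv_id.lower() + ";"))
    not_passed = [m for m in ("spf", "dkim", "dmarc")
                  if f"{m}=pass" not in trusted]
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        attachments.append({"name": part.get_filename(), "sha256": digest,
                            "known_bad": digest in KNOWN_BAD,
                            "ole2": data.startswith(OLE2_MAGIC)})
    return {"from_domain": from_domain, "auth_not_passed": not_passed,
            "attachments": attachments}

def constructed_sample() -> bytes:
    """Constructed message; the attachment is placeholder bytes, not the real file."""
    m = EmailMessage()
    m["From"] = "DoNotReply@ikea.com"
    m["Subject"] = "Thank you for your order!"
    # Sender-inserted header claiming success, then the real local verdict.
    m["Authentication-Results"] = "forged.example; spf=pass; dkim=pass; dmarc=pass"
    m["Authentication-Results"] = ("mx.example.net; spf=fail "
                                   "smtp.mailfrom=bot.example; dkim=none; dmarc=fail")
    m.set_content("Order acknowledgement")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 16, maintype="application",
                     subtype="msword", filename="IKEA receipt 607656390.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

The placeholder attachment does not match either listed hash, so `known_bad` is only true for the real file; the `ole2` flag marks any legacy Office container for closer inspection.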
NOTE
The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.

The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These Word/Excel attachments try to download either...


... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

19 comments:

Maggie1 said...

I have just received one this morning - saw your post so will be deleting pronto

Thanks

Anonymous said...

received one here this morning as well (28/10/15). email looks very realistic

Anonymous said...

Thanks for the good advice Steve. Much appreciated.

Sally said...

I have just received one too - it certainly does look very genuine from Ikea - all the right logos and details. I wondered if my husband had ordered my Christmas present - but it is far too early so very unlikely.

Thanks for the info, I might well have opened the attachments for this.

Anonymous said...

Received the same one, cheers

Anonymous said...

Thanks for such prompt advice keep up the great work

Craig Bryson said...

I have also just received one this morning, thanks for the heads up.

Anonymous said...

I received this email today with attachment. When viewing the message source this appears to be an IKEA internal scam as the source email address is @ikea.com - So I suspect there is a rogue IKEA employee with a grudge. Same like TALKTALK mess. Pity Sweden will not get to receive all the phone calls from anxious public.

The order amount looks very similar to a recent collected order so I checked for spelling mistakes and authenticity of customer service number. This is a brilliant spoof!

Anonymous said...

If I don't download anything can they still get into my account from just looking at email?

Billy Penn said...

I have just received one too. Thx for the heads up

Anonymous said...

Do I need to have clicked on something to be scammed or just by opening it?

Itsme said...

Received this email this morning too, as did my wife. It's very realistic. Thanks for the advice

Amberhawk said...

Chris P

Ditto got one now - thanks for the alert

Unknown said...

Thanks for heads up got 1 this am

Anonymous said...

I received one and opened the attachment like an idiot on a work laptop. IT seem to think I'm protected, but changed all my banking passwords in case!

Lynn Issitt said...

Hi,
I opened the attachment, so am I at risk now?

Anonymous said...

Good morning,

Received one forwarded from a society website where I have an email address as an officer of the society. I wouldn't dare order anything on the society without authorisation! ;-)

Ratchapon Nunthaporm said...

I also received this one. Thanks for your advice.

Gavin W said...

Received one of these yesterday, and your post confirmed my suspicions about the file attachment. Many thanks for this - very useful.