Tuesday, 13 October 2015

QuickHostUK Customer Invoice Invoice-302673.doc

QuickHostUK Customer Invoice Invoice-302673.doc macro malware.

These emails aren't from these companies at all; the company name is just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: QuickHostUK {info@quickhostuk.com}
Subject: Customer Invoice
Message Body:
Dear customer,
This is a notice that an invoice has been generated on 11/10/2015.
Your payment method is: Credit/Debit Card
Invoice #302673
Amount Due: £40.00GBP
Due Date: 18/10/2015
Invoice Items
Fully Managed Hosting - Starter (18/10/2015 - 17/11/2015) £40.00GBP
------------------------------------------------------
Sub Total: £40.00GBP
Credit: £0.00GBP
Total: £40.00GBP
------------------------------------------------------
Payment will be taken automatically on 18/10/2015 from your credit card on record with us. To update or change the credit card details we hold for your account please login at https://connect.quickhostuk.com/viewinvoice.php?id=302673 and click Pay Now then following the instructions on screen.
Kind Regards,

QuickHostUK Limited

Email: info@quickhostuk.com
Web: www.quickhostuk.com
Phone: 0845 576 0523

Copyright © 2015 QuickHostUK Limited - All Rights Reserved.
Registered in England and Wales. No. 08582667 | VAT Reg No: GB 131 1695 38

Follow us on Twitter for news & live updates - https://twitter.com/QuickHostUK

Tell people what you think - https://www.facebook.com/QuickHostUK?sk=reviews



Attachment:
Invoice-302673.doc
Sha256 Hashes:
736f9a27e1ebc87ff60f4164d33b72b01ff47c9b48d3999747a4426a0b17f52d [1]
ac75c38e3ead89ee78011e3624f42b0011ded58949a96116241c73057e483e41 [2]
d1e4171f13653dbfdac8e6bff4111dabbe619a1c5516f94927e6d29edb3300b6 [3]
e11453a59492d91a0925f7e28ca711d3695813beccee7a081898420f9b627774 [4]
e3637867efecf51f085dbff2bca5e4446fad01535b0a7e567475090415ced4c5 [5]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)
VirusTotal Report: [3] (detection 4/56)
VirusTotal Report: [4] (detection 4/56)
VirusTotal Report: [5] (detection 4/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Doc.CreObj

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
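As an added example (not code from the post, and not how the Sanesecurity signatures above work), here is a small Python triage script a mail administrator could run over a quarantined attachment. It hashes the file and matches it against the five SHA256 values listed above, then applies a crude heuristic for a VBA project inside a Word/Excel file (an OLE2 container whose raw bytes contain the UTF-16LE directory names "Macros" and "VBA", or a zip-based .docm/.xlsm that carries a vbaProject.bin part). The sample files and the verdict labels are constructed for this example; the heuristic is an assumption of the example and is far weaker than a real OLE parser, so it illustrates the triage flow rather than replacing a scanner.

```python
import hashlib

# SHA256 hashes of the Invoice-302673.doc samples listed in the post above
KNOWN_BAD_SHA256 = {
    "736f9a27e1ebc87ff60f4164d33b72b01ff47c9b48d3999747a4426a0b17f52d",
    "ac75c38e3ead89ee78011e3624f42b0011ded58949a96116241c73057e483e41",
    "d1e4171f13653dbfdac8e6bff4111dabbe619a1c5516f94927e6d29edb3300b6",
    "e11453a59492d91a0925f7e28ca711d3695813beccee7a081898420f9b627774",
    "e3637867efecf51f085dbff2bca5e4446fad01535b0a7e567475090415ced4c5",
}

# Magic bytes of an OLE2 compound file (Word 97-2003 .doc, .xls)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office 2007+ macro-enabled containers (.docm/.xlsm) are zip archives
ZIP_MAGIC = b"PK\x03\x04"

# OLE directory entry names are stored as UTF-16LE. A macro project in a .doc
# lives in a "Macros" storage that contains a "VBA" storage, so both strings
# appearing in the raw bytes is a cheap, crude hint (assumption of this example,
# not the signature logic used by ClamAV/Sanesecurity).
OLE_MACRO_MARKERS = ("Macros".encode("utf-16-le"), "VBA".encode("utf-16-le"))
# In the zip-based formats the macro project is a stored part named vbaProject.bin
ZIP_MACRO_MARKER = b"vbaProject.bin"

MACRO_CAPABLE_EXT = (".doc", ".dot", ".docm", ".xls", ".xlsm", ".xlsb", ".pptm")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_attachment(filename: str, data: bytes) -> dict:
    """Triage one attachment: known-bad hash first, then macro heuristics."""
    digest = sha256_hex(data)
    is_ole = data.startswith(OLE_MAGIC)
    is_zip = data.startswith(ZIP_MAGIC)
    macro_hint = (is_ole and all(m in data for m in OLE_MACRO_MARKERS)) or (
        is_zip and ZIP_MACRO_MARKER in data
    )

    if digest in KNOWN_BAD_SHA256:
        verdict = "block"       # exact match on a hash from the post
    elif macro_hint:
        verdict = "quarantine"  # Office file that appears to carry a VBA project
    elif filename.lower().endswith(MACRO_CAPABLE_EXT):
        verdict = "review"      # macro-capable format, no macro evidence found
    else:
        verdict = "allow"

    return {
        "filename": filename,
        "sha256": digest,
        "known_bad": digest in KNOWN_BAD_SHA256,
        "macro_hint": macro_hint,
        "verdict": verdict,
    }


def build_fake_doc(with_macros: bool) -> bytes:
    """Constructed stand-in for a .doc: OLE magic plus optional directory names."""
    body = OLE_MAGIC + b"\x00" * 504  # 512-byte header, zeroed out
    if with_macros:
        body += b"\x00" * 32 + OLE_MACRO_MARKERS[0] + b"\x00" * 32 + OLE_MACRO_MARKERS[1]
    return body + b"\x00" * 64


if __name__ == "__main__":
    # Constructed sample attachments; none of these are the real malicious file
    samples = {
        "Invoice-302673.doc": build_fake_doc(with_macros=True),
        "clean-notes.doc": build_fake_doc(with_macros=False),
        "readme.txt": b"plain text, nothing to see here\n",
    }
    for name, blob in samples.items():
        r = assess_attachment(name, blob)
        print(f"{r['verdict']:10s} {name}  sha256={r['sha256'][:16]}...  macro_hint={r['macro_hint']}")
```

Hash matching only catches the exact samples already seen; the macro heuristic is what flags the next re-spun copy of the same lure, which is why the verdicts are ordered block, quarantine, review rather than relying on the hash list alone.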

Cheers,
Steve

44 comments:

Anonymous said...

Seems like their website has been shut down - not an advertisement for hosting company...

Jonathan said...

Thanks Steve, just had one in the inbox despite never dealing with them.

Also their website is showing a range of 500 errors so you can't see who they are.

This post helped me establish I wasn't going mad!

Jonathan

Anonymous said...

Hi Steve, just found your comment. I've just received one of these, obviously did checks and found their website and links don't work, and Companies House records show the company dissolved and not trading. This is one of the best scamming phishing emails I've seen, and well done for bringing it to people's attention confirming this is a scam.

Anonymous said...

Yep, just got this one, was almost convinced since i've just bought new hosting yesterday.. thanks for the update

Anonymous said...

Just received the same email.

Anonymous said...

Just received the same email

Anonymous said...

Good Spot.
Just got this. Luckily, I'm paranoid (cue Black Sabbath) and Googled first (other search engines are available). Which is where I got your helpful page.

Interestingly, the email flew through our email security provider, and our terminal protection anti-virus software.

Thanks mightily

JJ

Anonymous said...

Thank you for your info, I have just had an invoice and can now stop worrying.
TE.

Anonymous said...

Just received one of these on my work email, couldn't find any ref. on the net which I searched straight away, then your post came up - THANK YOU! Microsoft Essentials and AVG both missed it.

Anonymous said...

So pleased I googled this e-mail, had one this lunchtime, promptly deleted. Thanks for bringing it to our attention!

Richard Watson said...

2 in today to work email address, Sophos didn't pick it up.

Anonymous said...

Just had this email on one of my secure email accounts. Have informed the IT department about it.

Anonymous said...

Glad I came across this, man. I'm in agreement with the above there, it's a pretty good scam mail this, better than a lot. Glad I saw this to be honest!

Anonymous said...

Thank you so much, I have just received this same email and it is so convincing! It really helps having people like you out there watching our backs. If only these people would use their intelligence to do something good instead...

Anonymous said...

Same here, looked very convincing ...

Anonymous said...

Clearly a large number of us are recipients! A shame that so few people know about your fantastic public service.

Anonymous said...

Found this site when I checked the hostuk email address. Thnx

Anonymous said...

Was tempted to open this attachment. I have several hosting plans and thought maybe a company had changed its name. Their website being down is the giveaway, otherwise I may well have been duped! Thanks for this post, saved me a bunch of trouble!

Anonymous said...

HELP WHAT DO I DO ??? I HAVE HAD THE SAME EMAIL WHAT DO I DO NOW? THANKS

GeeJay said...

Delete it, just another scamming thief

Anonymous said...

I opened the email on my iPhone, is there a risk?
I saw this post while the attachment was loaded then shut it down and deleted it.. recommendations?

Anonymous said...

Just had one of these too, a quick search and I found this page, so thank you.

Alan Moss said...

Received this email this morning. Convincing look. Avoid responding!

Alan

Eddie said...

Another me too. Just arrived on my Mac. Thanks for confirming what I already suspected.

Cathy Rowson said...

Thanks for this Steve, just received one and your blog came right up when I googled. Will delete and ignore.

Kind regards

Cathy

Zig said...

Yep, I got this too, just Delete/Block. Got almost the same email last week with a different business address, seems they are doing the rounds.

Zig said...

sorry for Double post, forgot to mention, DO NOT OPEN the .Doc that's in the email, it will more than likely lock up your Computer or put something nasty on it.

Anonymous said...

I just wonder what's about the link that should contain the invoice:
https://connect.quickhostuk.com/viewinvoice.php?id=302673
If instead of opening the attachment I would click the link: Is there really an invoice? If the link does not work or if there is no invoice behind the link then I would immediately know that it is a scam. It would not work. And if there is really an invoice, how did they manage since they are not the owners of the page?

Unknown said...

I just had one too and checked it out and deleted it as well

Anonymous said...

The IP address in the email header takes you to Saudi Arabia Riyadh Jarir Bookstore...?

http://whois.domaintools.com/87.101.248.238

anonymous said...

I just had one the same and done checks and also deleted it

Neil Roberts said...

I always check these on Google etc, being a suspicious sort of guy. Many thanks to the pro's who "outed" yet another potential scam. How many folk fall for it though?

Derek Knight said...

The link to https://connect.quickhostuk.com/viewinvoice.php?id=302673 goes to the standard QuickHost login page, where there is a pop-up warning about the scam/spam/botnet-sent email

Duncan said...

Thanks for the alert. Looked reasonably genuine at first glance but thanks for confirming it's a scam. Warning: NEVER open an attachment you don't believe in!

ark said...

Thanks, confirms what I thought

Anonymous said...

Opened the document by mistake. What should I do now? Please, advice needed.

derekkane said...

Opened the document by mistake. What should I do now? Please, advice needed.

derekkane said...

Just viewed the document online. It was blank. What should I do now? Any advice gratefully received

Balloonatique said...

Thank you very much indeed for posting this, it was indeed very helpful as this was in my inbox today and really does look genuine! As a previous comment said, it is one of the best I have come across.

Rachel Hawtin said...

Really useful post, thank you. This is the most convincing phishing email I've had yet. Having just moved our website to a new hosting company it nearly had me fooled. I'm really impressed. Glad I googled it and found your excellent site!

Anonymous said...

Just to echo what others have said, thanks for bringing this to light. Just got one today and a quick google brought me here. Cheers.

Anonymous said...

Thanks for confirming this. The non-resolving IP looked suspicious to me, but OTH 'cloud computing' has rather got me used to seeing company names I've never seen before. The company web-site was up when I looked.

At work (where this arrived) we're forced to use Microsoft Outlook. It is *really* tedious to work out how to see the headers. You would think that 'Message Header' buried a few menus down would be it, but nope!! I figured it by trial and error clicking, but after only two days I can't remember how I did it. Great design, Microsoft!

Anonymous said...

I received this e-mail earlier today. I didn't download the file, but pressed the option to check if it was safe. I don't think that the document was opened – the screen was blank – but would like some assurance on whether or not I may have a problem. I don't have Office on my computer and am using a Mac. Do I need to do anything?

StingWest said...

Website is back up and looks legit. Are we saying that the site itself is bogus?