Wednesday, 10 February 2016

Remittance advice from Sky Group: Account No. 437786 macro malware.

Description:


Remittance advice from Sky Group: Account No. 437786 macro malware.

Headers:


Subject: Remittance advice from Sky Group: Account No. 437786

Message Body:

From: AccountsPayable-Ariba@sky.uk [mailto:AccountsPayable-Ariba@sky.uk]
Sent: 02 February 2016 23:14
To: Accounts Department
Subject: Remittance advice from Sky Group: Account No. 841479

PLEASE DO NOT RESPOND TO THIS EMAIL, THIS MAILBOX IS NOT MONITORED
Please find attached the payment advice from the Sky Group.
Please note that payments can take up to three days to clear into your bank account, dependent on payment method.
Should you need to contact Accounts Payable at SKY, contact details are below. Please note that we operate via a helpdesk system, once you have emailed the team, you will be advised of a unique Service Request (SR) number which will allow you to track updates on your request. Please respond directly to these emails to ensure all the information is attached to your query and we can assist you.
Office Hours are: Mon - Fri 8:30am - 5pm
Accounts Payable:
Email APhelpdesk@sky.uk or alternatively please telephone 0333 100 1212 and select option 4.

Attachment filename(s):


Remittance_CoNo89995_AccNo437786_PaymentNo1588511.DOC

Sha256 Hashes:


08ab1d20c74e1a8cac98b180eb63f122e820af2715ae40e0d6e6f00792c1b4a9 [1]

Malware Virus Scanner Report(s):

VirusTotal Report: [1] (detection 5/55)

Sanesecurity Signature detection:

phish.ndb: Sanesecurity.Malware.25962.XmlHeurGen

Important notes:


Am I Safe?

The current round of Word/Excel/XML/Docm attachments is targeted at Windows and Microsoft Office users: the document's macro downloads and runs a Windows executable.

Apple (Mac/iPhone/iPad), Android and Blackberry mobiles/tablets that open these attachments will be safe. Note that Word for Mac can run VBA macros, although the downloaded payload is a Windows program and will not run there; LibreOffice and OpenOffice users should also be safe, but in all cases do not enable macros if asked to by the attached file.

If you have macros disabled in Microsoft Word or Microsoft Excel (the default setting, which warns you before running them), you should be safe but again,
do not enable macros if asked to by the attached file.

However, if you are an Apple (Mac/iPhone/iPad), Android or Blackberry mobile/tablet user and forward the message to a Windows user, you will then put them at risk: if they open the attachment and enable macros, the macro downloads the malware.

These Word/Excel attachments normally try to download either...

    Dridex banking trojan,
    Shifu banking trojan

... both of which are designed to steal the login details for your bank accounts, either by
key logging, taking screenshots or copying information directly from your clipboard (copy/paste).
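The checks above (is the attachment a macro-capable Office document, and does its SHA-256 match a known sample) are what a mail administrator does first when one of these arrives. The script below is an added example, not part of the original post and not Sanesecurity's or ClamAV's code. It hashes every attachment in an .eml, compares it against a blocklist that here contains only the SHA-256 from this report, and then looks for macro carriers in three formats: legacy OLE2 binaries (it walks the compound-file directory for the "Macros"/"VBA"/"_VBA_PROJECT_CUR" storages), OOXML zip packages (vbaProject.bin) and Word 2003 XML with an embedded binary part (a heuristic in the spirit of the XmlHeurGen signature). The .eml, the addresses and the .DOC attachment are constructed inline so that it runs offline; the attachment is a minimal OLE2 file built by the script itself with an empty "Macros" storage, not the real sample, so it will not match the report's hash.

```python
import email
import hashlib
import io
import struct
import zipfile
from email.message import EmailMessage
from typing import List, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Storages that hold VBA projects in legacy Office binaries
# (Word: "Macros" with a "VBA" substorage; Excel: "_VBA_PROJECT_CUR").
VBA_STORAGE_NAMES = {"Macros", "VBA", "_VBA_PROJECT_CUR"}
# The only hash here is the one from this report; extend from your own feeds.
KNOWN_BAD_SHA256 = {"08ab1d20c74e1a8cac98b180eb63f122e820af2715ae40e0d6e6f00792c1b4a9"}


def ole_directory_names(data: bytes) -> List[str]:
    """Walk an OLE2 compound file's directory chain and return its entry names.
    Minimal reader: only the 109 FAT sectors in the header DIFAT are used (documents under ~7 MB)."""
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    fat = []
    for sect in struct.unpack_from("<109I", data, 0x4C):
        if sect >= 0xFFFFFFFA:                      # FREESECT/ENDOFCHAIN ends the DIFAT list
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size))
    names, sect, hops = [], first_dir, 0
    while sect < len(fat) and hops < len(fat):      # special sector values (>= 0xFFFFFFFA) stop the walk
        off = (sect + 1) * sector_size
        if off + sector_size > len(data):           # truncated file
            break
        for i in range(sector_size // 128):         # 128-byte directory entries
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", entry, 0x40)
            if etype != 0 and name_len >= 2:        # type 0 = unused entry; length includes NUL
                names.append(entry[:name_len - 2].decode("utf-16-le"))
        sect, hops = fat[sect], hops + 1
    return names


def macro_indicator(data: bytes) -> Optional[str]:
    """Return why this attachment can carry VBA, or None if no indicator was found."""
    if data.startswith(OLE_MAGIC):
        hits = VBA_STORAGE_NAMES.intersection(ole_directory_names(data))
        return "OLE2 file with VBA storage %s" % sorted(hits) if hits else None
    if data.startswith(b"PK\x03\x04"):              # .docm/.xlsm/.docx are zip packages
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                return "OOXML package containing vbaProject.bin"
        return None
    if data.lstrip().startswith(b"<?xml") and b"w:binData" in data:
        # Word 2003 XML can embed a base64 binary part; this is a heuristic only.
        return "Word 2003 XML with embedded binary part (heuristic, inspect the blob)"
    return None


def triage_eml(raw: bytes) -> List[dict]:
    """Hash every attachment, check the blocklist and look for macro carriers."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        filename = part.get_filename()
        if not filename:                            # message bodies and containers
            continue
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(payload).hexdigest()
        findings.append({"filename": filename, "sha256": digest,
                         "known_bad": digest in KNOWN_BAD_SHA256,
                         "macro_indicator": macro_indicator(payload)})
    return findings


def build_minimal_ole(storage_names: List[str]) -> bytes:
    """Constructed stand-in for a sample: a valid three-sector OLE2 file (header, FAT,
    directory) whose root holds the given empty storages (at most three)."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    struct.pack_into("<II", header, 0x2C, 1, 1)                       # one FAT sector; directory at sector 1
    struct.pack_into("<IIIII", header, 0x38, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT / DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, (name, etype) in enumerate([("Root Entry", 5)] + [(n, 1) for n in storage_names]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128: i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 0x40, len(raw), etype)
    return bytes(header) + fat + bytes(directory)


def constructed_sample_eml() -> bytes:
    """Constructed .eml reusing the report's From/Subject/attachment name; the body is
    our own minimal OLE file with an empty 'Macros' storage, not the real sample."""
    msg = EmailMessage()
    msg["From"] = "AccountsPayable-Ariba@sky.uk"
    msg["To"] = "Accounts Department <accounts@example.invalid>"
    msg["Subject"] = "Remittance advice from Sky Group: Account No. 437786"
    msg.set_content("Please find attached the payment advice from the Sky Group.")
    msg.add_attachment(build_minimal_ole(["Macros"]), maintype="application", subtype="msword",
                       filename="Remittance_CoNo89995_AccNo437786_PaymentNo1588511.DOC")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_eml(constructed_sample_eml()):
        print(finding)
```

Run against a real message with `triage_eml(open("sample.eml", "rb").read())`. A "known_bad" hit is conclusive; a macro indicator on its own only says the document can carry VBA, which is also true of many legitimate invoices, so feed those to a sandbox or to a dedicated VBA extractor rather than blocking on the indicator alone.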


It's also worth remembering that the company itself may not have any knowledge of this faked email, and any link(s) or attachment in the email normally won't have come from their servers or IT systems but from an external botnet.

These botnet emails normally have faked email headers/addresses.

It's not advised to ring/email the company themselves, as there won't really be anything they can do to help you or to stop the emails being spread.



Cheers,
Steve
