QuickHostUK Customer Invoice Invoice-302673.doc macro malware.
These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may have no knowledge of this email or its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.
It's not advised to ring them as there won't really be anything they can do to help you.
Header:
From: QuickHostUK {info@quickhostuk.com}
Subject: Customer Invoice
Message Body:
Dear customer,
This is a notice that an invoice has been generated on 11/10/2015.
Your payment method is: Credit/Debit Card
Invoice #302673 Amount Due: £40.00GBP Due Date: 18/10/2015
Invoice Items
Fully Managed Hosting - Starter (18/10/2015 - 17/11/2015)
£40.00GBP
------------------------------------------------------
Sub Total: £40.00GBP Credit: £0.00GBP Total: £40.00GBP
------------------------------------------------------
Payment will be taken automatically on 18/10/2015 from your credit card on
record with us. To update or change the credit card details we hold for your
account please login at https://connect.quickhostuk.com/viewinvoice.php?id=302673
and click Pay Now then following the instructions on screen.
Kind Regards,
QuickHostUK Limited
Email: info@quickhostuk.com
Web: www.quickhostuk.com Phone: 0845 576 0523
Copyright © 2015
QuickHostUK Limited - All Rights Reserved. Registered in England and Wales.
No. 08582667 | VAT Reg No: GB 131 1695 38
Follow us on Twitter for news
& live updates - https://twitter.com/QuickHostUK
Tell people what you
think - https://www.facebook.com/QuickHostUK?sk=reviews
Attachment:
Invoice-302673.doc
Sha256 Hashes:
[1] 736f9a27e1ebc87ff60f4164d33b72b01ff47c9b48d3999747a4426a0b17f52d
[2] ac75c38e3ead89ee78011e3624f42b0011ded58949a96116241c73057e483e41
[3] d1e4171f13653dbfdac8e6bff4111dabbe619a1c5516f94927e6d29edb3300b6
[4] e11453a59492d91a0925f7e28ca711d3695813beccee7a081898420f9b627774
[5] e3637867efecf51f085dbff2bca5e4446fad01535b0a7e567475090415ced4c5
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 4/56)
VirusTotal Report: [2] (detection 4/56)
VirusTotal Report: [3] (detection 4/56)
VirusTotal Report: [4] (detection 4/56)
VirusTotal Report: [5] (detection 4/56)
Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp
Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Doc.CreObj
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.
Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.
The auto-downloaded file is normally a Windows executable, so it will not currently run on any operating system other than Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by key logging, taking automatic screenshots, or copying information from your clipboard (copy/paste)).
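One way a mail gateway or incident responder could triage an attachment like this, as an added example that is not code from this post or from Sanesecurity: hash the file and compare it against the five SHA-256 values listed above, and apply a crude heuristic for a VBA project embedded in a legacy OLE2 .doc container, which is the kind of thing the MacroHeurGen/Badmacro signatures key on. The sample bytes are constructed stand-ins, not the real attachment, and the marker-string check is a simplification; production detection should use a proper OLE parser such as oletools.

```python
"""Attachment triage for the invoice-themed macro campaign (added example).

Two independent checks, as a gateway or SOC script would apply them:
  1. SHA-256 of the attachment against the IoC hashes published in the post.
  2. A heuristic for OLE2 (.doc) files carrying a VBA macro project.
All sample bytes below are constructed for the demonstration.
"""
import hashlib

# SHA-256 hashes of the five samples listed in the post.
KNOWN_BAD_SHA256 = {
    "736f9a27e1ebc87ff60f4164d33b72b01ff47c9b48d3999747a4426a0b17f52d",
    "ac75c38e3ead89ee78011e3624f42b0011ded58949a96116241c73057e483e41",
    "d1e4171f13653dbfdac8e6bff4111dabbe619a1c5516f94927e6d29edb3300b6",
    "e11453a59492d91a0925f7e28ca711d3695813beccee7a081898420f9b627774",
    "e3637867efecf51f085dbff2bca5e4446fad01535b0a7e567475090415ced4c5",
}

# Magic bytes of an OLE2 compound file (the legacy .doc/.xls container).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names that only exist when a VBA project is embedded.
# OLE directory entries store names as UTF-16LE, so we match that encoding.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the attachment bytes, as reported by VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """True if the attachment is one of the published samples."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


def has_vba_markers(data: bytes) -> bool:
    """Heuristic: OLE2 container whose directory names a VBA project.

    This is deliberately simple (no sector/FAT parsing); it catches the
    common case and is what a gateway would use as a cheap first filter.
    """
    if not data.startswith(OLE2_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict dict with the reasons that drove it."""
    reasons = []
    if matches_ioc(data):
        reasons.append("sha256 matches a published IoC")
    if has_vba_markers(data):
        reasons.append("OLE2 document embeds a VBA project")
    return {
        "filename": filename,
        "sha256": sha256_hex(data),
        "reasons": reasons,
        "action": "quarantine" if reasons else "deliver",
    }


def constructed_macro_doc() -> bytes:
    """Constructed stand-in: OLE2 header plus UTF-16LE directory names for a
    document with a macro project. Not a valid Word file, not the real sample."""
    body = OLE2_MAGIC + b"\x00" * 504  # pad header to one 512-byte sector
    body += "Root Entry".encode("utf-16-le") + b"\x00" * 44
    body += "Macros".encode("utf-16-le") + b"\x00" * 52
    body += "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40
    return body.ljust(1024, b"\x00")


def constructed_clean_doc() -> bytes:
    """Constructed stand-in for a macro-free legacy .doc."""
    body = OLE2_MAGIC + b"\x00" * 504
    body += "Root Entry".encode("utf-16-le") + "WordDocument".encode("utf-16-le")
    return body.ljust(1024, b"\x00")


if __name__ == "__main__":
    samples = [
        ("Invoice-302673.doc", constructed_macro_doc()),
        ("Quote.doc", constructed_clean_doc()),
        ("notes.txt", b"plain text, no container\n"),
    ]
    for name, blob in samples:
        print(triage(name, blob))
```

Run as a script it prints one verdict per constructed sample; the hash check will only fire on the real attachments, which is the point of keeping the macro heuristic independent of it.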
Cheers,
Steve
44 comments:
Seems like their website has been shut down - not an advertisement for a hosting company...
Thanks Steve, just had one in the inbox despite never dealing with them.
Also their website is showing a range of 500 errors so you can't see who they are.
This post helped me establish I wasn't going mad!
Jonathan
Hi Steve, just found your comment. I've just received one of these, obviously did checks and found their website and links don't work, and Companies House records show the company dissolved and not trading. This is one of the best scamming phishing emails I've seen, and well done for bringing it to people's attention confirming this is a scam.
Yep, just got this one, was almost convinced since I've just bought new hosting yesterday.. thanks for the update
Just received the same email.
Just received the same email
Good Spot.
Just got this. Luckily, I'm paranoid (cue Black Sabbath) and Googled first (other search engines are available). Which is where I got your helpful page.
Interestingly, the email flew through our email security provider, and our terminal protection anti-virus software.
Thanks mightily
JJ
Thank you for your info, I have just had an invoice and can now stop worrying.
TE.
Just received one of these on my work email, couldn't find any ref. on the net which I searched straight away, then your post came up - THANK YOU! Microsoft Essentials and AVG both missed it.
So pleased I googled this e-mail, had one this lunchtime, promptly deleted. Thanks for bringing it to our attention!
2 in today to work email address, Sophos didn't pick it up.
Just had this email on one of my secure email accounts. Have informed the IT department about it.
Glad I came across this, man. I'm in agreement with the above there, it's a pretty good scam mail this, better than a lot. Glad I saw this to be honest!
Thank you so much, I have just received this same email and it is so convincing! It really helps having people like you out there watching our backs. If only these people would use their intelligence to do something good instead...
Same here, looked very convincing ...
Clearly a large number of us are recipients! A shame that so few people know about your fantastic public service.
Found this site when I checked the hostuk email address. Thanks
Was tempted to open this attachment. I have several hosting plans and thought maybe a company had changed its name. Their website being down is the giveaway, otherwise I may well have been duped! Thanks for this post, saved me a bunch of trouble!
HELP WHAT DO I DO ??? I HAVE HAD THE SAME EMAIL WHAT DO I DO NOW? THANKS
Delete it, just another scamming thief
I opened the email on my iPhone, is there a risk?
I saw this post while the attachment was loaded then shut it down and deleted it.. recommendations?
Just had one of these too, a quick search and I found this page, so thank you.
Received this email this morning. Convincing look. Avoid responding!
Alan
Another me too. Just arrived on my Mac. Thanks for confirming what I already suspected.
Thanks for this Steve, just received one and your blog came right up when I googled. Will delete and ignore.
Kind regards
Cathy
Yep, I got this too, just delete/block. Got almost the same email last week with a different business address, seems they are doing the rounds.
Sorry for the double post, forgot to mention, DO NOT OPEN the .doc that's in the email, it will more than likely lock up your computer or put something nasty on it.
I just wonder about the link that should contain the invoice:
https://connect.quickhostuk.com/viewinvoice.php?id=302673
If, instead of opening the attachment, I clicked the link: is there really an invoice? If the link does not work, or if there is no invoice behind the link, then I would immediately know that it is a scam. It would not work. And if there really is an invoice, how did they manage that, since they are not the owners of the page?
I just had one too and checked it out and deleted it as well
The IP address in the email header takes you to Saudi Arabia Riyadh Jarir Bookstore...?
http://whois.domaintools.com/87.101.248.238
I just had one the same and did checks and also deleted it
I always check these on Google etc, being a suspicious sort of guy. Many thanks to the pros who "outed" yet another potential scam. How many folk fall for it though?
The link to https://connect.quickhostuk.com/viewinvoice.php?id=302673 goes to the standard QuickHost login page, where there is a pop-up warning about the scam/spam/botnet-sent email
Thanks for the alert. Looked reasonably genuine at first glance but thanks for confirming it's a scam. Warning: NEVER open an attachment you don't believe in!
Thanks, confirms what I thought
Opened the document by mistake. What should I do now? Please, advice needed.
Just viewed the document online. It was blank. What should I do now? Any advice gratefully received
Thank you very much indeed for posting this, it was indeed very helpful as this was in my inbox today and really does look genuine! As a previous comment said, it is one of the best I have come across.
Really useful post, thank you. This is the most convincing phishing email I've had yet. Having just moved our website to a new hosting company it nearly had me fooled. I'm really impressed. Glad I googled it and found your excellent site!
Just to echo what others have said, thanks for bringing this to light. Just got one today and a quick google brought me here. Cheers.
Thanks for confirming this. The non-resolving IP looked suspicious to me, but OTH 'cloud computing' has rather got me used to seeing company names I've never seen before. The company web-site was up when I looked.
At work (where this arrived) we're forced to use Microsoft Outlook. It is *really* tedious to work out how to see the headers. You would think that 'Message Header' buried a few menus down would be it, but nope!! I figured it by trial and error clicking, but after only two days I can't remember how I did it. Great design, Microsoft!
I received this e-mail earlier today. I didn't download the file, but pressed the option to check if it was safe. I don't think that the document was opened – the screen was blank – but would like some assurance on whether or not I may have a problem. I don't have Office on my computer and am using a Mac. Do I need to do anything?
Website is back up and looks legit. Are we saying that the site itself is bogus?