Whitehead, Lyn INVOICE FOR PAYMENT - 7500005791 Invoice 7500005791.doc macro malware.
These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet, and the messages normally have faked email headers/addresses.
It's not advised to ring them, as there won't really be anything they can do to help you.
Header:
From: "Whitehead, Lyn" <Lyn.Whitehead@lancashire.pnn.police.uk>
Subject: INVOICE FOR PAYMENT - 7500005791
Body:
Hello
Please find attached an invoice that is now due for payment.
Regards
Lyn
Lyn Whitehead (10688)
Business Support Department - Headquarters
Attachment:
Invoice 7500005791.doc
Sha256 Hashes:
194100b10159ad608ae111c69de9add3ff698bfaac3eb098bb5e88d103287440 [1]
8bb24ef0d0ae84455a8ac9f67c430168b9e8aa8ae0722e4a223cc6c8b8a840ad [2]
e96e3d8fe9a8509d638077ad06a147703352a3309be1e0a94438b6ca84328337 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 0/56)
VirusTotal Report: [2] (detection 0/56)
VirusTotal Report: [3] (detection 0/56)
Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell
Hybrid Analysis Report: [1]
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.
Apple and Android mobiles/tablets can open these attachments and may even manage to run the macro embedded inside the attachment, but they will be safe.
The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
These Word/Excel attachments try to download either...
... both of which are designed to steal login information regarding your bank accounts (either by key logging, taking auto-screenshots, or copying information from your clipboard (copy/paste)).
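As an added example (not part of the original post), the following stdlib-only Python script does the kind of triage a mail gateway or the Sanesecurity badmacro signature performs: it walks a message, pulls out Office attachments and flags those that carry a VBA project, both for legacy OLE2 .doc files and for OOXML (.docm or a .doc that is really a zip). The message and the attachment bytes are constructed to mimic the headers shown above; the real malicious document is not embedded, and the OLE check is a directory-name heuristic rather than a full compound-file parser.

```python
"""Flag macro-bearing Office attachments in an e-mail (added example, stdlib only)."""
import email
import io
import re
import zipfile
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file
# OLE directory entries store stream names as UTF-16LE. These stream names
# are only written when the document contains a VBA project (heuristic check).
VBA_STREAM_NAMES = [n.encode("utf-16le") for n in ("_VBA_PROJECT", "VBA_PROJECT_CUR")]
OFFICE_EXT = re.compile(r"\.(doc|docm|dot|dotm|xls|xlsm)$", re.I)


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes look like an Office file with a VBA project."""
    if data.startswith(OLE_MAGIC):
        return any(name in data for name in VBA_STREAM_NAMES)
    if data.startswith(b"PK\x03\x04"):  # OOXML zip container (also a renamed .doc)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and list the Office attachments that carry macros."""
    msg = email.message_from_bytes(raw)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if name and OFFICE_EXT.search(name):
            if has_vba_macros(part.get_payload(decode=True) or b""):
                flagged.append(name)
    return {"subject": msg["Subject"], "macro_attachments": flagged}


def build_sample() -> bytes:
    """Constructed message with the campaign's visible headers and a fake OLE attachment."""
    fake_doc = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16le") + b"\x00" * 64
    m = EmailMessage()
    m["From"] = '"Whitehead, Lyn" <Lyn.Whitehead@lancashire.pnn.police.uk>'
    m["Subject"] = "INVOICE FOR PAYMENT - 7500005791"
    m.set_content("Please find attached an invoice that is now due for payment.")
    m.add_attachment(fake_doc, maintype="application", subtype="msword",
                     filename="Invoice 7500005791.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```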
Cheers,
Steve
42 comments:
Thanks for this :)
Received this email this morning. A few warning signs like no phone number included so have marked as spam, anything else I should do? I have not opened the 'invoice'.
Thanks Steve, really useful, keep up the good work.
Talk about timely. Only just received this!! I wonder how STUPID these scamming morons think people actually are?
I also received one today. Knew it was spam, but thanks for this post, very informative.
We've had several users in our company reporting that they received this email too this morning.
Thanks for the info. Also got one of these.
Yup I got it too. What would we do without search engines. Thanks for the info.
Thanks for posting this info.
Received several of these - luckily the document appears to be malformed and did not execute any macros
Scammers may be stupid - but not as stupid as the users who opened it.
SHA1: ffac70a16419d3a3621abc826287848d7ddbc211
I received one this morning with SHA256 hash f3a586c8eb362d751b8e565f832054ecd20decc46f2a3653fe829e2da8786335 and length 80384.
I wonder what Lancashire Police are doing about this virus/phishing scam?
I received one this morning, among faked invoices from train suppliers, NATO suppliers, etc.
I forward any of these sort of emails to the police anti phishing account, sometimes the senders computer can be identified from the header information. I've in the past traced such mail to mobile computers in Africa, but I spend so much time tracing scams I have now passed that job onto the authorities instead.
Thanks for the information. Sadly these scams do work as they are on a huge scale, even if 1 in 100,000 people open it that is a job well done for the scammer.
To Anonymous at 12:12 the Lancashire Police will probably simply be trying to manage the flood of emails and phone calls they'll be getting about the invoice everyone was sent out of the blue! They are innocent bystanders and there's very little they can do otherwise.
Thanks - just received this email now and thought I would Google it, as I wasn't expecting anything from Lancashire Police!!
Didn't realise the police were involved in business development LOL!
Anonymous said...
I wonder what Lancashire Police are doing about this virus/phishing scam?
21 October 2015 at 12:12
^^^ LOL probably the same they do with cannabis farms and drug dealers in the area: ABSOLUTELY NOTHING!
The Police urge people to report scams such as this. Plenty of advice on Action Fraud website.
Mine actually had a read receipt request as well
I am glad there are people like you around to help keep our computers safe. Mine had a read receipt request as well, do not send a read receipt. Many thanks.
Does the read receipt cause any issues, as I had the same and said no to sending a notification?
Hi,
Thanks for sharing this information. Well, my clients received this mail in the morning; they are using Zimbra as mail server. Please, can anybody help me block this malware on the server?
Thanks in advance;
Best Regards,
Mahdi
I downloaded the invoice but it could not be opened. I also sent an email back to the sender. Should I be concerned? Is my phone at risk and are my details also at risk?
Lancashire police have posted about this on their website: http://www.lancashire.police.uk/news/2015/october/email-virus-alert.aspx
Thanks for the heads up, will delete it now :-)
I've just received the same email so thank you very much for your timely warning. Very useful!
Thanks for sharing. What if I have opened the file? Can I get rid of whatever has been installed?
I have just received this email, spreading fast & wide. (Not opened it.)
Another one who has received it... thankfully to a Yahoo address that I don't use now. It went into my junk file where I could look into the full headers. Mine came from Neda Gostar Saba Data Transfer Company Private Joint Stock in Tehran, Iran. So it seems it's a global thing and anyone can get hit.
To those asking what Lancashire Police are doing, the answer is there is nothing they can do as it didn't originate from them. They can pass it on nationally to the agency that can get the servers taken down but no way to stop the emails out there already.
Normally you can tell it's spam by hovering over the email address and seeing where it has really come from. However this still appears to come from a real pnn email address. Is there something I'm missing? Lancashire police need to know about it because there are many people who will not realise.
Hi, I'm in my 60s and stupidly opened this up on my iPad, but I haven't touched my Windows computer as yet. My question: am I still in danger if I put my laptop on??? My emails are in Hotmail.
Going as far as Poland. Gee, the Lancashire Constabulary sure has spread since yesterday. A big thank you for this and a big doubt about everyone figuring this one out.
Having received the e-mail today, I checked the attachment on VirusTotal and not a single Virus scanner has so far picked it up. Thanks for the timely blog post.
Received the same attachment... Very informative and helpful! Many thanks!
Received the same letter and attachment... Very informative and helpful! Many thanks!
The strange thing with mine, when I checked the full headers: as others have said, it shows as coming from the Lancashire Police. But further down, the sender's address is virtually the same, apart from the very end of the email address: 'au' had been added. So now the Lancashire Police have an Australian email address!
I have just opened this on my phone. Is it likely to cause issues? Help??
Hi,
Link to the Malwr analysis.
https://malwr.com/analysis/NjZlOTc3ODEwNDcwNDZjMjgyNzhkZmE5NjIxMzNjYWY/
List of servers sending this email into my company. You can see it's pretty distributed.