"Your receipt for today's Ocado delivery" from Ocado customer services: receipt.doc macro malware.
These emails aren't from these companies at all; the company names are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.
It's not advised to ring them as there won't really be anything they can do to help you.
Header:
From: Ocado customer services {customerservices@ocado.com}
Subject: Your receipt for today's Ocado delivery
Message Body:
Hello
Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.
Your order doesn’t have any substitutions, everything’s there.
See you later,
Paul
Attachment:
receipt.doc
Sha256 Hashes:
357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7 [1]
44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212 [2]
843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/56)
VirusTotal Report: [2] (detection 3/56)
VirusTotal Report: [3] (detection 3/56)
Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp
Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Doc.CreObj
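One way to check a saved message against the indicators listed above, as an added example that is not part of the original post or of the Sanesecurity signatures. The function names, the constructed sample message and the OLE2 magic-byte check (which assumes a legacy binary .doc) are assumptions made for the illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# SHA-256 values this page lists for receipt.doc
KNOWN_SHA256 = {
    "357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7",
    "44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212",
    "843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5",
}
CAMPAIGN_SUBJECT = "your receipt for today's ocado delivery"
CAMPAIGN_FILENAME = "receipt.doc"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Office container header

def triage(raw, known=KNOWN_SHA256):
    """Hash every attachment in a raw RFC 5322 message and list why it is suspect."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").replace("\u2019", "'").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        if digest in known:
            reasons.append("sha256 matches a listed sample")
        # The page lists three hashes for one lure, so the file varies;
        # fall back to the fixed subject and attachment name.
        if subject == CAMPAIGN_SUBJECT and name == CAMPAIGN_FILENAME:
            reasons.append("subject and attachment name match the lure")
        if data.startswith(OLE2_MAGIC):
            reasons.append("OLE2 Office document, can carry macros")
        findings.append({"name": name, "sha256": digest, "reasons": reasons})
    return findings

def build_sample():
    """Constructed message: same headers as the lure, harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "Ocado customer services <customerservices@ocado.com>"
    m["Subject"] = "Your receipt for today's Ocado delivery"
    m.set_content("Your receipt for today's delivery is attached to this email.")
    m.add_attachment(OLE2_MAGIC + b"constructed placeholder, not a real document",
                     maintype="application", subtype="msword", filename="receipt.doc")
    return m.as_bytes()

if __name__ == "__main__":
    for f in triage(build_sample()):
        print(f["name"], f["sha256"], f["reasons"])
```

A message exported from a mail client can be passed in as `triage(open(path, "rb").read())`; an empty `reasons` list means none of these three checks fired, not that the attachment is safe.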
NOTE
The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.
Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.
The auto-download file is normally a Windows executable and so will not currently run on any operating system apart from Windows.
However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.
Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (by key logging, taking automatic screenshots or copying information from your clipboard (copy/paste)).
Cheers,
Steve
34 comments:
Just got this email, I didn't trust it as we've never used the company and the email used is an old one we haven't given out for years. I'm not so sure others will be as fortunate as it does look quite legit.
Steve. Thanks for quick post as I have just received one of these. Brian
Received this today as well. Have forwarded to ocado@ocado.com if only to make them aware.
I have just received the exact same one!
Glad it's a spoof as I was worried someone was going to charge me for it!!
Just had this email, thought it was strange as I had not placed any orders so googled it. Turns out my initial thought was correct it's a scam; so delete, delete, delete!
If one was foolish enough to click on everything - what would one (I) need to do to clear up the mess?
Thanks!
Done the same, forwarded to ocado@ocado.com if only to make them aware, received 5 of these this morning, look very good for phoney emails !!
Received 2 exactly the same today and also emailed to ocado@ocado.com but it bounced straight back. As this is the email address they give on their website, it's not very impressive unless their inbox is full of similar emails. Also tried to ring on their 0345 number, but put phone down when message said 15 in front of me.
Hi I received this email on an iphone this morning and I opened it. Is there anything I can do to prevent fraud?
I had this email too, didn't open the file.
Received just now - looks very genuine.
I had this too, didn't open the file.
I've received the very same email just now and am not even registered with Ocado.
I received this twice within 20 minutes just now. I was slightly suspicious because I have never ordered from Ocado and far more suspicious because I live in Moscow, Russia and even Ocado doesn't come this far - sadly, because I miss some British things!
I have been receiving these most of the morning, have reported the virus to Sophos a few hours ago so they should update IDEs and start detecting it within the next hour.
We will be safe very soon, though top marks to the person who made the email, it looks very good.
The originating email server is
smtp.ttml.co.in (49.248.96.66)
Good luck everyone!
I opened it, it looked so genuine and I am a regular ocado shopper, what can I do?
I received one just now at 13:00 but the delivery is for 12:00-14:00, are these people stupid or something.
I only do home deliveries with one supermarket and it is not Ocado. I cannot believe how much crap email I get on a daily basis, I'm considering abandoning this outlook account. My last one received more junk mail.
If you've opened the document on a Windows PC it might be worth you running one of these online scanners...
Trend Micro - http://housecall.trendmicro.com/
Sophos - https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
F-Secure - https://www.f-secure.com/en/web/home_global/online-scanner
Likewise - I received this today. We are pretty savvy in our household regarding this type of email but I have to say I did give this a second look - it is very convincing! Didn't open the attachment tho - but if I used Ocado on a regular basis it may have been a close thing.
Reciprocating what most have said on here. Because I have never bought anything from Ocado I knew it'd be a spoof, and most email confirmations would have some sort of description in them: the item, or even address you by your name; there would be something there. The email was far too generic for me to open.
Sad times
but if it had a sexy female with titties n a phat ass then I may click click.
I did open the attachment - silly me - and immediately realised my mistake. Did a Norton scan, all clear, did a Malwarebytes scan, all clear. Quarantined the Doc file and sent it to Norton. Now running a Sophos scan. If anyone has any information on exactly what is in this attachment, and what tools detect and remove it, please advise.
I will update all definitions later and scan again - hopefully something will happen to give me confidence that my PC is clean.
Update : Sophos says I am clean too.
If it is malware then it must be a very recent variant that nothing is detecting yet.
Steve, if I opened the attachment on an iphone would I need to do anything or would IOS prevent this?
I have opened this and downloaded it on my windows Nokia phone what will this do? What can I do?
Clicked on receipt.doc by accident, but shut down PC immediately - didn't seem to interrupt any macros - my question is would this type of malware infect only the PC on which it is opened or other computers on the same local router?
I received the email and because we used ocado I clicked on the attachment - shut down the PC immediately and the shut down operation happened quickly with requesting confirmation of stopping any programs - has that stopped the malware becoming active? Also could this type of malware infect other computers on the same router/network?
I got this too, glad I took a poke around the internet before clicking anything in the Email, looking at the comments it seems as though this is a new thing.
Same as the last commenter: my mom opened the attachment on an up to date iOS 9 iPhone. She (thankfully) clicked no links. Should we take extra steps, or should she be OK?
Thank you
We also received this mail and my wife tried to open the attachment twice. We have a Mac. Should we be OK because of this?
I opened it as I said earlier. I have since run an AVG scan and a Sophos scan, and both came back clean. Do you think I need to keep checking? For those that clicked on the Word doc was there any text? Mine was totally blank, and I'm wondering if my AVG got to it first?
Got this twice within seconds of each other, AVG said it had secured it but I can't get rid of the emails, says unknown error, any ideas??
I have also run a malwarebytes threat scan and nothing from that either so am hoping I am now safe!