Tuesday, 27 January 2015

Card Receipt AquAid Tracey Smith nj.sales@mcmaster.com

Card Receipt AquAid Tracey Smith nj.sales@mcmaster.com receipt of payment emails are back once again and trying to trick you into opening a word document, containing a malicious macro.

AquAid malware run of a macro infected "Card Receipt" word document has a random attachment,
however these emails aren't from AquAid at all, they just being used to make the email look more
genuine, ie. from a real company.

Odd note: The email From address is "Tracey Smith mcmaster.com
>" where as in the
body of the email is says " tracey.smith@aquaid.co.uk".  mcmaster.com is a totally different
company than
aquaid.co.uk
Note
It's also worth remembering that the company itself  may not have any knowledge of this email and it's link(s) or attachment as it won't have come from their servers and IT systems but from an external bot net.

It's not advised to ring them as there won't really be anything they can do to help you.

Message Headers:
From: "Tracey Smith" {nj.sales@mcmaster.com}
Subject: Card Receipt

Message Body:

 Hi

Please find attached receipt of payment made to us today

Regards

Tracey
Tracey Smith| Branch Administrator
AquAid | Birmingham & Midlands Central
Unit 35 Kelvin Way Trading Estate | West Bromwich | B70 7TP
Telephone:        0121 525 4533
Fax:                  0121 525 3502
Mobile:              07795328895
Email:               tracey.smith@aquaid.co.uk

AquAid really is the only drinks supplier you will ever need with our huge product range. With products ranging from bottled and mains fed coolers ranging up to coffee machines and bespoke individual one off units we truly have the right solution for all environments. We offer a refreshing ethical approach to drinks supply in that we support both Christian Aid and Pump Aid with a donation from all sales.  All this is done while still offering a highly focused local service and competitive pricing. A personalised sponsorship certificate is available for all clients showing how you are helping and we offer £25 for any referral that leads to business.

*********************************************************************
AquAid Franchising Ltd is a company registered in England and Wales with registered number 3505477 and registered office at 51 Newnham Road, Cambridge, CB3 9EY, UK. This message is intended only for use by the named addressee and may contain privileged and/or confidential information. If you are not the named addressee you should not disseminate, copy or take any action in reliance on it. If you have received this message in error please notify the sender and delete the message and any attachments accompanying it immediately. Neither AquAid nor any of its Affiliates accepts liability for any corruption, interception, amendment, tampering or viruses occurring to this message in transit or for any message sent by its employees which is not in compliance with AquAid corporate policy.
Attached filename:

CARD015 151239.doc

Md5 Hashes:
4cfd443716a088ea0cce81eecc444109 [1]
d3b9adf10b504697621ea38f920d68e1 [2]

Macro document information:

VirusTotal Report [1] (hits 0/56 Virus Scanners)

VirusTotal Report [2] (hits 0/56 Virus Scanners)
Sanesecurity signatures are blocking this as: Sanesecurity.Malware.24646.DocHeur

NOTE

The current round of Word and Excel attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-download file is normally a windows executable and so will not currently run on  any operating system, apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will them put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information regarding your bank accounts (either by key logging, taking auto-screens hots or copying information from your clipboard (copy/paste))
Cheers,

Steve

No comments: