Wednesday, 21 October 2015

Whitehead, Lyn INVOICE FOR PAYMENT - 7500005791 Invoice 7500005791.doc

An email with the subject INVOICE FOR PAYMENT - 7500005791, pretending to come from Whitehead, Lyn and carrying the attachment Invoice 7500005791.doc, is macro malware.

These emails are not from the organisations they appear to come from at all; the names are just being used to make the email look more genuine, i.e. from a real organisation.
Note

It's also worth remembering that the organisation itself may have no knowledge of this email and its link(s) or attachment, as it will not have come from their servers and IT systems but from an external botnet, and these emails normally carry faked email headers/addresses.

It's not advisable to ring them, as there won't really be anything they can do to help you.

Header:
From: "Whitehead, Lyn" <Lyn.Whitehead@lancashire.pnn.police.uk>
Subject: INVOICE FOR PAYMENT - 7500005791
Body:
Hello

Please find attached an invoice that is now due for payment.

Regards

Lyn

Lyn Whitehead (10688)
Business Support Department - Headquarters

Attachment:
Invoice 7500005791.doc
SHA256 hashes:
194100b10159ad608ae111c69de9add3ff698bfaac3eb098bb5e88d103287440 [1]
8bb24ef0d0ae84455a8ac9f67c430168b9e8aa8ae0722e4a223cc6c8b8a840ad [2]
e96e3d8fe9a8509d638077ad06a147703352a3309be1e0a94438b6ca84328337 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 0/56)
VirusTotal Report: [2] (detection 0/56)
VirusTotal Report: [3] (detection 0/56)

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.BadDoc.Fmt.Shell

Hybrid Analysis Report: [1]
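The Sanesecurity hit above is a ClamAV .ndb signature, and it is worth seeing what such a match actually involves when every VirusTotal engine returns 0/56. The block below is an added example, not code from the original post and not the real content of badmacro.ndb: it implements a cut-down .ndb matcher (name, target type, offset, hex pattern with ClamAV's `??` single-byte wildcard) and runs two constructed signatures over constructed stand-ins for an OLE2 .doc. The signature names, the hex patterns and the sample blobs are all assumptions made for the example; the Sanesecurity.Badmacro.BadDoc.Fmt.Shell signature itself is not reproduced.

```python
"""Minimal ClamAV .ndb-style matcher, added as an illustration of how a
signature set such as Sanesecurity's badmacro.ndb flags a macro document.
The two signatures below are constructed for this example; they are not
the real Sanesecurity.Badmacro.BadDoc.Fmt.Shell signature."""
import re
from dataclasses import dataclass
from typing import Optional

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of every OLE2 .doc/.xls

# .ndb line format: Name:TargetType:Offset:HexSignature
# TargetType 2 = OLE2 file, 0 = any file; Offset '*' = anywhere in the file.
# '??' in the hex is ClamAV's single-byte wildcard.  OLE2 directory entries
# store stream names as UTF-16LE, which is what the hex below spells out
# ("_VBA_PROJECT" and "Module" followed by any one character).
CONSTRUCTED_NDB = """\
Example.Badmacro.VbaProject:2:*:5f005600420041005f00500052004f004a00450043005400
Example.Badmacro.ModuleStream:2:*:4d006f00640075006c006500??00
"""


@dataclass
class NdbSignature:
    name: str
    target_type: int
    offset: Optional[int]  # None stands for '*'
    pattern: re.Pattern


def hex_to_regex(hexsig):
    """Turn ClamAV hex (with ?? wildcards) into a bytes regex."""
    parts = []
    for i in range(0, len(hexsig), 2):
        tok = hexsig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ndb(text):
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target_type, offset, hexsig = line.split(":")[:4]
        sigs.append(NdbSignature(name, int(target_type),
                                 None if offset == "*" else int(offset),
                                 hex_to_regex(hexsig)))
    return sigs


def scan_bytes(data, sigs=None):
    """Return the names of all signatures that match, in signature order."""
    sigs = parse_ndb(CONSTRUCTED_NDB) if sigs is None else sigs
    hits = []
    for sig in sigs:
        if sig.target_type == 2 and not data.startswith(OLE2_MAGIC):
            continue  # OLE2-only signature, input is not an OLE2 file
        found = (sig.pattern.search(data) if sig.offset is None
                 else sig.pattern.match(data, sig.offset))
        if found:
            hits.append(sig.name)
    return hits


# Constructed stand-ins for attachments (not the real Invoice 7500005791.doc):
# an OLE2 header followed by directory-style UTF-16LE stream names.
def ole2_stub(*stream_names):
    body = b"".join(n.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 32
                    for n in stream_names)
    return OLE2_MAGIC + b"\x00" * 504 + body


MACRO_DOC = ole2_stub("WordDocument", "Macros", "_VBA_PROJECT", "Module1")
PLAIN_DOC = ole2_stub("WordDocument", "1Table", "SummaryInformation")
NOT_OLE2 = b"A text file mentioning " + "_VBA_PROJECT".encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in [("macro .doc", MACRO_DOC), ("plain .doc", PLAIN_DOC),
                        ("text file", NOT_OLE2)]:
        print(f"{label}: {scan_bytes(blob) or 'clean'}")
```

With the real signature file you would run `clamscan -d badmacro.ndb "Invoice 7500005791.doc"` rather than this matcher; the point of the example is that a stream-name or format-structure signature fires on the document's layout, which is why it can catch a sample the hash-and-heuristics engines on VirusTotal still miss.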
NOTE

The current round of Word/Excel/XML/Docm attachments is targeted at Windows users.

Apple and Android phones/tablets can open these attachments, and may even manage to run the macro embedded inside the attachment, but they will be safe.

The file the macro automatically downloads is normally a Windows executable, and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

These word/excel attachments try to download either...


... both of which are designed to steal login information for your bank accounts (by key logging, taking automatic screenshots, or copying information from your clipboard (copy/paste)).

Cheers,
Steve

42 comments:

Anonymous said...

Thanks for this :)

Anonymous said...

Received this email this morning. A few warning signs like no phone number included so have marked as spam, anything else I should do? I have not opened the 'invoice'.

Anonymous said...

Thanks Steve, really useful, keep up the good work.

Stephen Parker said...

Talk about timely. Only just received this!! I wonder how STUPID these scamming morons think people actually are?

Anonymous said...

I also received one today..knew it was spam but thanks for this post very informative.

Anonymous said...

we've had several users in our company reporting that they received this email too this morning

Anonymous said...

Thanks for the info. Also got one of these.

Anonymous said...

Yup I got it too. What would we do without search engines. Thanks for the info.

Anonymous said...

Thanks for posting this info.

Anonymous said...

Received several of these - luckily the document appears to be malformed and did not execute any macros

Scammers may be stupid - but not as stupid as the users who opened it.

SHA1: ffac70a16419d3a3621abc826287848d7ddbc211

Michael McConnell said...

I received one this morning with SHA256 hash f3a586c8eb362d751b8e565f832054ecd20decc46f2a3653fe829e2da8786335 and length 80384.

Anonymous said...

I wonder what Lancashire Police are doing about this virus/phishing scam?

Anonymous said...

I received one this morning, among faked invoices from train suppliers, NATO suppliers, etc.

I forward any of these sorts of emails to the police anti-phishing account; sometimes the sender's computer can be identified from the header information. I've in the past traced such mail to mobile computers in Africa, but I spend so much time tracing scams I have now passed that job on to the authorities instead.

Anonymous said...

Thanks for the information. Sadly these scams do work as they are on a huge scale, even if 1 in 100,000 people open it that is a job well done for the scammer.

Anonymous said...

To Anonymous at 12:12 the Lancashire Police will probably simply be trying to manage the flood of emails and phone calls they'll be getting about the invoice everyone was sent out of the blue! They are innocent bystanders and there's very little they can do otherwise.

Mandy said...

Thanks - just received this email now and thought I would Google it, as I wasn't expecting anything from Lancashire Police!!

Anonymous said...

Didn't realise the police were involved in business development LOL!

Anonymous said...

Anonymous said...
I wonder what Lancashire Police are doing about this virus/phishing scam?

21 October 2015 at 12:12

^^^ LOL, probably the same they do with cannabis farms and drug dealers in the area: ABSOLUTELY NOTHING!

Anonymous said...

The Police urge people to report scams such as this. Plenty of advice on Action Fraud website.

Andy HW said...

Mine actually had a read receipt request as well

Anonymous said...

I am glad there are people like you around to help keep our computers safe. Mine had a read receipt request as well, do not send a read receipt. Many thanks.

Anonymous said...

Does the read receipt cause any issues, as I had the same and said no to sending a notification?

aribou mahdi said...

Hi,

Thanks for sharing this information. Well, my clients received this mail in the morning; they are using Zimbra as their mail server. Please, can anybody help me with how to block this malware on the server?

Thanks in advance;

Best Regards,

Mahdi

Dan Philip said...

I downloaded the invoice but it could not be opened. I also sent an email back to the sender. Should I be concerned? Is my phone at risk, and are my details also at risk?

Anonymous said...

Lancashire police have posted about this on their website: http://www.lancashire.police.uk/news/2015/october/email-virus-alert.aspx

Gillyhop said...

thanks for the heads up, will delete it now :-)

Anonymous said...

I've just received the same email so thank you very much for your timely warning. Very useful!

Mark said...

Thanks for sharing. What if I have opened the file? Can I get rid of whatever has been installed?

Anonymous said...

I have just received this email, spreading fast & wide. (Not opened it.)

Anonymous said...

Another one who has received it... thankfully to a Yahoo address that I don't use now. It went into my junk file, where I could look at the full headers. Mine came from Neda Gostar Saba Data Transfer Company Private Joint Stock in Tehran, Iran. So it seems it's a global thing and anyone can get hit.

Drew James said...

To those asking what Lancashire Police are doing, the answer is there is nothing they can do as it didn't originate from them. They can pass it on nationally to the agency that can get the servers taken down but no way to stop the emails out there already.

opal1234 said...

Normally you can tell it's spam by hovering over the email address and seeing where it has really come from. However this still appears to come from a real pnn email address. Is there something I'm missing? Lancashire police need to know about it because there are many people who will not realise.

G Darling said...

Hi, I'm in my 60s and stupidly opened this up on my iPad, but I haven't touched my Windows computer as yet. My question: am I still in danger if I put my laptop on??? My emails are in Hotmail.

Anonymous said...

Going as far as Poland. Gee, the Lancashire Constabulary sure has spread since yesterday. A big thank you for this and a big doubt about everyone figuring this one out.

sujit said...

Having received the e-mail today, I checked the attachment on VirusTotal and not a single Virus scanner has so far picked it up. Thanks for the timely blog post.

Daisy Mag said...

Received the same attachment... Very informative and helpful! Many thanks!

Daisy Mag said...

Received the same letter and attachment... Very informative and helpful! Many thanks!

Anonymous said...

The strange thing with mine when I checked the full headers, as others have said it shows as coming from the Lancashire Police. But further down, the senders address is virtually the same, apart from the very end of the email address: 'au' had been added. So now the Lancashire Police have an Australian email address!

Sarah Hughes said...

I have just opened this on my phone is it likely to cause issues? Help??

p00kie said...

Hi,

Link to the Malwr analysis.

https://malwr.com/analysis/NjZlOTc3ODEwNDcwNDZjMjgyNzhkZmE5NjIxMzNjYWY/

List of servers sending this email into my company. You can see it's pretty distributed.


Sender_IP_Address
101.13.18.67
103.247.48.94
106.216.181.155
109.101.73.206
111.94.112.96
113.172.16.49
114.143.203.26
116.105.193.211
116.118.34.201
116.75.195.229
117.194.233.37
118.71.136.241
118.71.177.225
119.148.6.198
119.157.7.97
123.16.193.13
123.201.206.133
123.23.94.248
131.108.167.3
14.139.155.194
14.169.254.231
150.129.67.193
151.45.145.120
164.151.136.226
171.250.104.190
175.100.33.100
182.185.109.80
182.190.193.72
182.64.110.89
185.108.97.19
186.19.15.75
186.33.90.188
187.154.16.165
187.186.188.126
187.189.142.121
187.217.92.83
189.149.41.96
189.177.240.52
189.178.36.180
189.183.188.208
189.202.214.36
189.217.208.13
189.217.74.161
189.250.46.244
190.131.29.189
190.234.254.201
190.252.189.1
190.40.110.10
190.40.53.80
193.243.130.34
196.210.186.207
196.29.190.110
197.148.41.89
197.237.232.89
2.180.130.9
2.50.168.108
2.50.225.120
201.137.110.67
202.166.164.19
202.21.106.154
202.28.64.250
203.81.235.145
213.16.236.240
217.14.84.154
217.217.165.81
220.247.165.20
222.252.32.19
27.3.128.5
27.6.35.9
27.75.165.18
27.77.58.83
39.41.199.209
39.41.44.168
41.228.154.173
41.66.216.132
41.78.72.11
42.60.173.109
43.224.128.29
45.123.41.42
46.41.206.165
49.213.59.123
49.229.34.61
58.187.9.16
59.95.124.211
77.222.1.6
77.237.189.219
78.189.194.116
79.106.109.148
79.106.109.207
81.202.188.189
81.213.175.55
81.214.187.141
84.117.173.44
86.99.3.115
88.250.138.177
91.140.180.164
91.99.109.209
93.40.8.224
95.224.74.220
95.9.172.145
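Several commenters (opal1234 on the address looking genuine when hovered over, the two Anonymous posters who found an extra "au" on the sender address and a Tehran origin in the full headers, and p00kie's list of sending IPs above) are describing the same triage: ignore the displayed From and read the Received chain and envelope sender. The block below is an added example, not part of the original post or of any comment, using only the Python standard library. The raw message, the relay name `mx1.example.invalid` and the forged bottom Received line are constructed for the example; the origin IP `2.180.130.9` and the other entries in `KNOWN_SENDER_IPS` are taken from p00kie's list, but nothing on this page says which of those addresses delivered any particular copy.

```python
"""Header triage for a suspicious message: walk the Received chain back to
the host that connected to our own relay, compare the displayed From domain
with the envelope sender, and note a read-receipt request.  Added example
using only the standard library; not code from the original post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Name of our own inbound relay (assumed for this example).
OUR_MX = "mx1.example.invalid"

# A few of the sending IPs listed in the comments above, used as a block list.
KNOWN_SENDER_IPS = {"2.180.130.9", "185.108.97.19", "45.123.41.42", "193.243.130.34"}

# Constructed sample (not a captured message).  The .au suffix on the
# envelope sender and the read-receipt header mirror what commenters reported;
# the bottom Received line is a forged hop of the kind a sender can prepend.
SAMPLE_MESSAGE = """\
Return-Path: <Lyn.Whitehead@lancashire.pnn.police.uk.au>
Received: from mx1.example.invalid (mx1.example.invalid [192.0.2.10]) by mailstore.example.invalid with ESMTP id abc123; Wed, 21 Oct 2015 09:12:01 +0100
Received: from lancashire.pnn.police.uk ([2.180.130.9] helo=lancashire.pnn.police.uk) by mx1.example.invalid with smtp; Wed, 21 Oct 2015 09:11:58 +0100
Received: from innocent.example.invalid ([203.0.113.5]) by lancashire.pnn.police.uk; Wed, 21 Oct 2015 09:11:50 +0100
From: "Whitehead, Lyn" <Lyn.Whitehead@lancashire.pnn.police.uk>
Subject: INVOICE FOR PAYMENT - 7500005791
Disposition-Notification-To: <Lyn.Whitehead@lancashire.pnn.police.uk.au>
Content-Type: text/plain

Hello

Please find attached an invoice that is now due for payment.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """Bracketed IP from every Received header, oldest hop first (each relay
    prepends its own header, so the last one in the message is the earliest)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IPV4_IN_BRACKETS.search(hdr)
        hops.append(m.group(1) if m else None)
    return hops


def origin_ip(msg, trusted_relay):
    """IP of the host that actually connected to our relay.  Received headers
    below the one our relay wrote are under the sender's control and may be
    forged, so take the lowest header written 'by' the trusted relay."""
    for hdr in reversed(msg.get_all("Received", [])):
        if f"by {trusted_relay}" not in hdr:
            continue
        m = IPV4_IN_BRACKETS.search(hdr)
        if m:
            return m.group(1)
    return None


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw, trusted_relay=OUR_MX):
    msg = message_from_string(raw)
    origin = origin_ip(msg, trusted_relay)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    return {
        "received_hops": received_hops(msg),
        "origin_ip": origin,
        "origin_is_known_sender": origin in KNOWN_SENDER_IPS,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "sender_domain_mismatch": from_domain != envelope_domain,
        # Answering this confirms a live mailbox to the sender; do not send it.
        "read_receipt_requested": msg.get("Disposition-Notification-To") is not None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The lowest Received line is deliberately a fake that names an innocent host; taking the bottom-most header as the origin would blame 203.0.113.5, whereas anchoring on the header your own relay wrote gives the address that really connected. The displayed From is exactly what a mail client shows on hover, which is why opal1234 saw nothing wrong; the mismatch only appears against Return-Path.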