Monday, 19 October 2015

Your receipt for today's Ocado delivery Ocado customer services receipt.doc

Your receipt for today's Ocado delivery Ocado customer services receipt.doc macro malware.

These emails aren't from these companies at all; they are just being used to make the email look more genuine, i.e. as if it came from a real company.
Note
It's also worth remembering that the company itself may not have any knowledge of this email and its link(s) or attachment, as it won't have come from their servers and IT systems but from an external botnet.

It's not advised to ring them as there won't really be anything they can do to help you.

Header:
From: Ocado customer services <customerservices@ocado.com>
Subject: Your receipt for today's Ocado delivery
Message Body:
Hello

Your receipt for today’s delivery is attached to this email. I’ll be delivering your 12:00-14:00 order and, so you’ll know it’s me, I’ll be driving the Lemon van.

Your order doesn’t have any substitutions, everything’s there.

See you later,

Paul
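The headers quoted above are the point of the post: the From line claims ocado.com, but the mail was relayed by someone else's infrastructure. The following is an added example, not code from the original post, showing the check a mail administrator would script with Python's standard email library: compare the domain in From against the host named in the earliest Received hop, and list any Office attachments. The raw message is constructed for the example; the Received lines and the relay host name are invented placeholders, not data from the campaign.

```python
"""Added example: does the From domain match the relay that handed the mail in?"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample modelled on the headers quoted in the post. The Received
# chain and the relay host are placeholders, not real infrastructure.
SAMPLE_RAW = b"""Received: from mail.internal.example (192.0.2.10) by mx.example.invalid; Mon, 19 Oct 2015 11:02:00 +0100
Received: from relay.placeholder.invalid (198.51.100.7) by mail.internal.example; Mon, 19 Oct 2015 11:01:58 +0100
From: Ocado customer services <customerservices@ocado.com>
Subject: Your receipt for today's Ocado delivery
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello
--b1
Content-Type: application/msword; name="receipt.doc"
Content-Disposition: attachment; filename="receipt.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAA
--b1--
"""

OFFICE_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".xml")


def parse(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage using the modern policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def claimed_domain(msg) -> str:
    """Domain of the first address in the From header (what the mail claims)."""
    return msg["From"].addresses[0].domain.lower()


def origin_relay(msg) -> str:
    """Host named in the bottom-most Received header, i.e. the hop closest to the
    sender. Each relay prepends its own line, so the last one is the earliest."""
    hops = msg.get_all("Received", [])
    if not hops:
        return ""
    m = re.match(r"from\s+(\S+)", hops[-1].strip(), re.I)
    return m.group(1).lower() if m else ""


def office_attachments(msg):
    """Filenames of attached parts that carry Office document extensions."""
    names = (p.get_filename() or "" for p in msg.iter_attachments())
    return [n for n in names if n.lower().endswith(OFFICE_SUFFIXES)]


def assess(raw: bytes) -> dict:
    """Summarise the mismatch between claimed sender and actual origin."""
    msg = parse(raw)
    domain = claimed_domain(msg)
    relay = origin_relay(msg)
    return {
        "claimed_domain": domain,
        "origin_relay": relay,
        "relay_matches_claim": relay == domain or relay.endswith("." + domain),
        "office_attachments": office_attachments(msg),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RAW))
```

Received headers at the top of the chain are added by your own servers and can be trusted; anything below them was written by whoever handed the mail over, so this check is a triage signal rather than proof. A proper origin check layers SPF or DKIM verification on top of it.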



Attachment:
receipt.doc
SHA256 hashes:
357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7 [1]
44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212 [2]
843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5 [3]
Malware Virus Scanner Reports:
VirusTotal Report: [1] (detection 3/56)
VirusTotal Report: [2] (detection 3/56)
VirusTotal Report: [3] (detection 3/56)

Sanesecurity sigs (phish.ndb) detected this as:
Sanesecurity.Malware.24819.MacroHeurGen.Hp

Sanesecurity sigs (badmacro.ndb) detected this as:
Sanesecurity.Badmacro.Doc.CreObj
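The three SHA256 values above are the indicators a responder can act on immediately. The following is an added triage helper, not code from the post or from Sanesecurity: it hashes a suspect attachment, compares it with the hashes listed above, and applies a crude heuristic for a VBA project inside a legacy OLE2 .doc by checking for the container magic and the UTF-16LE storage names "Macros" and "_VBA_PROJECT" that such files carry. The sample bytes are constructed for the example; the heuristic is an assumption of this example, not the logic of the Sanesecurity signatures.

```python
"""Added triage helper: hash attachments, match the post's IoCs, flag OLE2 macro docs."""
import hashlib
from pathlib import Path

# SHA256 hashes of receipt.doc exactly as listed in the post.
KNOWN_BAD_SHA256 = {
    "357807e192b591045f47e75eb8bf90ffd836334896975cead383459fabf05cf7",
    "44805663bb4a9593cef0aa693f363dbd60ccf4ce50fe04ed9ce6e96f1ff57212",
    "843fa344144221549eb5f11619601a5af465debf701d5ca8c65c0de997f1d3e5",
}

# Compound File Binary (OLE2) signature used by legacy .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Directory entry names are stored as UTF-16LE inside an OLE2 container. These
# two appear when a Word or Excel file carries a VBA project. Assumption-based
# heuristic for this example only; it is not how the ClamAV signatures work.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 digest, the form in which the post publishes its IoCs."""
    return hashlib.sha256(data).hexdigest()


def looks_like_macro_doc(data: bytes) -> bool:
    """True if data is an OLE2 container whose directory names a VBA storage."""
    if not data.startswith(OLE2_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def triage(data: bytes, iocs=frozenset(KNOWN_BAD_SHA256)) -> dict:
    """Combine exact IoC matching with the structural heuristic."""
    digest = sha256_of_bytes(data)
    return {
        "sha256": digest,
        "ioc_match": digest in iocs,
        "ole2": data.startswith(OLE2_MAGIC),
        "macro_heuristic": looks_like_macro_doc(data),
    }


def triage_file(path) -> dict:
    """Convenience wrapper for a file on disk, e.g. a quarantined receipt.doc."""
    return triage(Path(path).read_bytes())


# Constructed samples: a fake OLE2 header followed by a UTF-16LE "Macros" name,
# and a plain-text blob that should trigger nothing.
SAMPLE_MACRO_DOC = OLE2_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le") + b"\x00" * 8
SAMPLE_PLAIN_TEXT = b"Hello, this is a plain text receipt.\n"

if __name__ == "__main__":
    for label, blob in (("constructed macro doc", SAMPLE_MACRO_DOC),
                        ("plain text", SAMPLE_PLAIN_TEXT)):
        print(label, triage(blob))
```

A hash match is conclusive but brittle, since the campaign re-packs the document (three hashes for one attachment on one morning). The structural check catches re-packed copies at the cost of false positives on legitimate macro-bearing documents, which is why it is reported as a separate field rather than folded into the verdict.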

NOTE

The current round of Word/Excel/XML/Docm attachments are targeted at Windows users.

Apple and Android software can open these attachments and may even manage to run the macro embedded inside the attachment.

The auto-downloaded file is normally a Windows executable and so will not currently run on any operating system apart from Windows.

However, if you are an Apple/Android user and forward the message to a Windows user, you will then put them at risk of opening the attachment and auto-downloading the malware.

Currently these attachments try to auto-download Dridex, which is designed to steal login information for your bank accounts (either by keylogging, taking automatic screenshots or copying information from your clipboard (copy/paste)).

Cheers,
Steve

34 comments:

Stuart Humphrey said...

Just got this email, I didn't trust it as we've never used the company and the email used is an old one we haven't given out for years. I'm not so sure others will be as fortunate as it does look quite legit.

Anonymous said...

Steve. Thanks for quick post as I have just received one of these. Brian

Anonymous said...

Received this today as well. Have forwarded to ocado@ocado.com if only to make them aware.

Anonymous said...

I have just received the exact same one!

Glad it's a spoof as I was worried someone was going to charge me for it!!

Anonymous said...

Just had this email, thought it was strange as I had not placed any orders so googled it. Turns out my initial thought was correct it's a scam; so delete, delete, delete!

Anonymous said...

If one was foolish enough to click on everything - what would one (I) need to do to clear up the mess?

Thanks!

Anonymous said...

Done the same, forwarded to ocado@ocado.com if only to make them aware, received 5 of these this morning, look very good for phoney emails!!

Anonymous said...

Received 2 exactly the same today and also emailed to ocado@ocado.com but it bounced straight back. As this is the email address they give on their website, it's not very impressive unless their inbox is full of similar emails. Also tried to ring on their 0345 number, but put phone down when message said 15 in front of me.

Anonymous said...

Hi I received this email on an iphone this morning and I opened it. Is there anything I can do to prevent fraud?

Unknown said...

I had this email too, didn't open the file.

Liliane said...

Received just now - looks very genuine.

Anonymous said...

I had this too, didn't open the file.

Anonymous said...

I've received the very same email just now and am not even registered with Ocado.

Anonymous said...

I received this twice within 20 minutes just now. I was slightly suspicious because I have never ordered from Ocado and far more suspicious because I live in Moscow, Russia and even Ocado doesn't come this far - sadly, because I miss some British things!

Anonymous said...

I have been receiving these most of the morning, have reported the virus to Sophos a few hours ago so they should update IDEs and start detecting it within the next hour.

We will be safe very soon, though top marks to the person who made the email, it looks very good.

The originating email server is

smtp.ttml.co.in (49.248.96.66)

Good luck everyone!

Matty Johnson said...

I opened it, it looked so genuine and I am a regular ocado shopper, what can I do?

Anonymous said...

I received one just now at 13:00 but the delivery is for 12:00-14:00, are these people stupid or something.
I only do home deliveries with one supermarket and it is not Ocado. I cannot believe how much crap email I get on a daily basis, I'm considering abandoning this outlook account. My last one received more junk mail.

Steve Basford said...

If you've opened the document on a Windows PC it might be worth you running one of
these online scanners...

Trend Micro http://housecall.trendmicro.com/
Sophos - https://www.sophos.com/en-us/products/free-tools/virus-removal-tool.aspx
F-Secure - https://www.f-secure.com/en/web/home_global/online-scanner

progrockrules said...

Likewise - I received this today. We are pretty savvy in our household regarding this type of email but I have to say I did give this a second look - it is very convincing! Didn't open the attachment though - but if I used Ocado on a regular basis it may have been a close thing.

Anonymous said...

Reciprocating what most have said on here. Because I have never bought anything from Ocado I knew it'd be a spoof, and most email confirmations would have some sort of description in it; the item, or even address you by your name,
there would be something there. The email was far too generic for me to open.

Sad times

but if it had a sexy female with titties n a phat ass then I may click click.

Anonymous said...

I did open the attachment - silly me - and immediately realised my mistake. Did a Norton scan, all clear, did a Malwarebytes scan, all clear. Quarantined the Doc file and sent it to Norton. Now running a Sophos scan. If anyone has any information on exactly what is in this attachment, and what tools detect and remove it, please advise.

I will update all definitions later and scan again - hopefully something will happen to give me confidence that my PC is clean.

Anonymous said...

Update : Sophos says I am clean too.
If it is malware then it must be a very recent variant that nothing is detecting yet.

Anonymous said...

Steve, if I opened the attachment on an iphone would I need to do anything or would IOS prevent this?

Anonymous said...

I have opened this and downloaded it on my windows Nokia phone what will this do? What can I do?

Anonymous said...

Clicked on receipt.doc by accident, but shut down PC immediately - didn't seem to interrupt any macros - my question is would this type of malware infect only the PC on which it is opened or other computers on the same local router?

Anonymous said...

I received the email and because we used ocado I clicked on the attachment - shut down the PC immediately and the shut down operation happened quickly with requesting confirmation of stopping any programs - has that stopped the malware becoming active? Also could this type of malware infect other computers on the same router/network?

Paul said...

I got this too, glad I took a poke around the internet before clicking anything in the Email, looking at the comments it seems as though this is a new thing.

Anonymous said...

Same as the last commenter: my mom opened the attachment on an up-to-date iOS 9 iPhone. She (thankfully) clicked no links. Should we take extra steps, or should she be OK?

Thank you

Steve said...

We also received this mail and my wife tried to open the attachment twice. We have a Mac. Should we be OK because of this?

Matty Johnson said...

I opened it as I said earlier. I have since run an AVG scan and a Sophos scan, and both came back clean? Do you think I need to keep checking? For those that clicked on the Word doc was there any text? Mine was totally blank, and I'm wondering if my AVG got to it first?

kurtcat said...

Got this twice within seconds of each other, AVG said it had secured it but I can't get rid of the emails, says unknown error, any ideas??

Matty Johnson said...

I have also run a malwarebytes threat scan and nothing from that either so am hoping I am now safe!