Threat Outbreak Alert: Fake Anti-Phishing Email Messages on March 9, 2015

2012-07-30T22:05:02
ID CISCO-THREAT-26510
Type ciscothreats
Reporter Cisco
Modified 2015-03-10T11:01:02

Description

Low

Alert ID: 26510

First Published: 2012 July 30 22:05 GMT

Last Updated: 2015 March 10 11:01 GMT

Version: 32

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to be from the antiphishing.org support team. The message claims the recipient's system has been compromised and has sent a large number of spam messages. The text in the email message attempts to persuade recipients to open the attachment for instructions on how to keep their computers safe. However, the attachment contains a malicious file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID858KVR, RuleID858KVR_1, and RuleID0858KVR) may contain the following files:

DOCUMENT.CMD
Insured Information.zip
Insured Information.exe
goods-info.zip
goods-info.exe
HP_Document.zip
Hewlett-Packard_Document_N8388293.exe
Amazon_Report.zip
Amazon_N8823745892.exe
AA_Ticket_Print_Document.zip
AA_Ticket_Print_Document.exe
Hewlett_Packard_Document_I882743.exe
Transfer docs.zip
Document.exe
T T.zip
CompanyInfo.zip
CompanyInfo.exe
Xerox_Document.zip
Xerox_Document_LANN893927-ZIP-doc.exe
paymentdetails.scr
information.scr
Bank Details.zip
Bank Details.exe
Details.zip
PO5643.exe
PaymentDetails.zip
PaymentDetails.exe
Document.zip
Bank Details.scr
policy info.zip
policy info.exe
report.zip
report.exe
File.zip
File.exe
Qw3432info.TransactionsReport.zip
Qw3432info.TransactionsReport.exe
Inward Payment_HSBC.zip
information.zip
information_wichtig_2014_information_wichtig_2014_information_wichtig_2014_information_wichtig_2014_3274823659.exe

INFO.zip
INFO.scr
report.zip
report.exe
doc.zip
doc.exe
TasReturnReport.zip
TasReturnReport.exe
nformation.zip
information.exe

The DOCUMENT.CMD file has an unknown file size, and its MD5 checksum is not available.

The Insured Information.exe file in the Insured Information.zip attachment has a file size of 2,570,116 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x68E3EDDD02EFE4ED79BD1570680508D2

The goods-info.exe file in the goods-info.zip attachment has a file size of 600,847 bytes. The MD5 checksum is the following string: 0x2BD19820D8C85B631EDC17039C689A64

The Hewlett-Packard_Document_N8388293.exe file in the HP_Document.zip attachment has a file size of 88,576 bytes. The MD5 checksum is the following string: 0xE09F719B6DDE74972A810979812FDC01

The Amazon_N8823745892.exe file in the Amazon_Report.zip attachment has a file size of 96,768 bytes. The MD5 checksum is the following string: 0x7515448FA3AA1EE585311B80DAB7CA87

The AA_Ticket_Print_Document.exe file in the AA_Ticket_Print_Document.zip attachment has a file size of 60,416 bytes. The MD5 checksum is the following string: 0xD7678B02D63408542F644FC41FF2BBFB

The Hewlett_Packard_Document_I882743.exe file in the HP_Document.zip attachment has a file size of 86,016 bytes. The MD5 checksum is the following string: 0x56A35FA27F04131F86F0CD44BD8480C3

The Document.exe file in the Transfer docs.zip attachment has a file size of 36,66,612 bytes. The MD5 checksum is the following string: 0x4FFA25477DF8D872629A000892508D57

A variant of the Document.exe file in the T T.zip attachment has a file size of 3,666,656 bytes. The MD5 checksum is the following string: 0x6BC1DEDCE16BBAF564D485EDFAB430CC

The CompanyInfo.exe file in the CompanyInfo.zip attachment has a file size of 113,152 bytes. The MD5 checksum is the following string: 0x008CB033B7E4B1485EE773991CB1F039

The Xerox_Document_LANN893927-ZIP-doc.exe file in the Xerox_Document.zip attachment has a file size of 114,688 bytes. The MD5 checksum is the following string: 0x9017679C167D147B7A5E178C164BCC6E

The paymentdetails.scr file has a file size of 585,780 bytes. The MD5 checksum is the following string: 0x62AF772EFE2BCB69790FCD37B4BFCEE7

The information.scr attachment has a file size of 348,672 bytes. The MD5 checksum is the following string: 0xFB9D7728614BBC96717EE713CF32FC5C

The Bank Details.exe file in the Bank Details.zip attachment has a file size of 230,805 bytes. The MD5 checksum is the following string: 0xA642EAAEB04145B4BCAAD6092EF7D971

The PO5643.exe file in the Details.zip attachment has a file size of 757,248 bytes. The MD5 checksum is the following string: 0x81B1D1B59325577F9E0CA8B45E7DB285

The PaymentDetails.exe file in the PaymentDetails.zip attachment has a file size of 835,584 bytes. The MD5 checksum is the following string: 0xF474AD35AE9559DF1AB756468812FA6A

A third variant of the Document.exe file in the Document.zip attachment has a file size of 4,243,926 bytes. The MD5 checksum is the following string: 0x467E51F39A0FE61F3AD414B470A7FCBE

The Bank Details.scr file in the Bank Details.zip attachment has a file size of 327,680 bytes. The MD5 checksum is the following string: 0x481DC7383DD0E2BE1218217BFA6F4D8E

The policy info.exe file in the policy info.zip attachment has a file size of 2,874,368 bytes. The MD5 checksum is the following string: 0x91502C7291605417C99326E4296ECC98

The report.exe file in the report.zip attachment has a file size of 20,992 bytes. The MD5 checksum is the following string: 0xBAB5DC43FFDE9AB5561BEA03B281B073

The File.exe file in the File.zip attachment has a file size of 309,968 bytes. The MD5 checksum is the following string: 0x4685D90F47D8296C8A464947123DBC3A

The Qw3432info.TransactionsReport.exe file in the Qw3432info.TransactionsReport.zip attachment has a file size of 102,400 bytes. The MD5 checksum is the following string: 0x2083196BE00D96F3FFA8E3ECFDC31434

A fourth variant of the Document.exe file in the Document.zip attachment has a file size of 314,056 bytes. The MD5 checksum is the following string: 0x06922CC2A1A042F7AF52F24B9CC3DBC3

A variant of the report.exe file in the report.zip attachment has a file size of 17,920 bytes. The MD5 checksum is the following string: 0x89F45F68A0568996A6A109A1D04B6670

A third variant of the report.exe file in the report.zip attachment has a file size of 110,592 bytes. The MD5 checksum is the following string: 0x8308717F2242F34D43D7F6DAA680BB5E

A fourth variant of the report.exe file in the report.zip attachment has a file size of 110,592 bytes. The MD5 checksum is the following string: 0x3B292522FD8E51EDA5BCA943DB90A4C6

A fifth variant of the report.exe file in the report.zip attachment has a file size of 139,264 bytes. The MD5 checksum is the following string: 0xF1596DFE2AE025432D19CAF6B8E19CB2

A fifth variant of the Document.exe file in the Inward Payment_HSBC.zip attachment has a file size of 682,058 bytes. The MD5 checksum is the following string: 0x1B644AF7E13A108FF8C4B9E33A7D8A60

A sixth variant of the Document.exe file in the Document.zip attachment has a file size of 1,482,752 bytes. The MD5 checksum is the following string: 0xD291ECFB9F6930A9EABD71A99E0E6DAD

A seventh variant of the Document.exe file in the Document.zip attachment has a file size of 3,083,497 bytes. The MD5 checksum is the following string: 0xCC266849CC2DA0291B79F2498E688374

The report.exe file in the information_wichtig_2014_information_wichtig_2014_information_wichtig_2014_information_wichtig_2014_3274823659.exe attachment has a file size of 377,856 bytes. The MD5 checksum is the following string: 0x97EB5A6D77A87EC4985A9689DB51BFDB

The INFO.zip file in the INFO.scr attachment has a file size of 320,000 bytes. The MD5 checksum is the following string: 0x58E3DD640785871BE87DBEEB982D4B7A

The report.exe file in the report.zip attachment has a file size of 95,744 bytes. The MD5 checksum is the following string: 0xD75817FCCF741C5D6668421E557A8387

The doc.exe file in the doc.zip attachment has a file size of 298,316 bytes. The MD5 checksum is the following string: 0x98834AA15EDB537F9092B6ADD856333B

The TasReturnReport.exe file in the TasReturnReport.zip attachment has a file size of 456,704 bytes. The MD5 checksum is the following string: 0xACAAF01EAF3E518DBAC6442656F4AE9A

The information.exe file in the nformation.zip attachment has a file size of 27,392 bytes. The MD5 checksum is the following string: 0x09E60587ED4A41A5024E28C302E534F3
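The attachment list and checksums above are the indicators a mail gateway or incident responder would match against. The following Python script is an added example and not part of the Cisco alert: it applies two defender-side checks to an attachment, namely whether the delivered file carries one of the executable extensions this outbreak uses (.exe, .scr, .cmd, possibly inside a .zip) and whether its MD5 appears in the alert's published list. The function names (`inspect_attachment`, `build_sample_zip`), the constructed sample zip and the placeholder payload whose hash is added to the demo block list are all assumptions made for the example; `ALERT_MD5S` holds a subset of the checksums printed in the alert, and a real deployment would load the full list.

```python
import hashlib
import io
import zipfile

# MD5 checksums copied from the alert text above (0x prefix dropped and
# lowercased so they compare directly against hashlib output). Only a subset
# is listed here; the remaining values come from the same alert.
ALERT_MD5S = {
    "68e3eddd02efe4ed79bd1570680508d2",  # Insured Information.exe
    "2bd19820d8c85b631edc17039c689a64",  # goods-info.exe
    "e09f719b6dde74972a810979812fdc01",  # Hewlett-Packard_Document_N8388293.exe
    "62af772efe2bcb69790fcd37b4bfcee7",  # paymentdetails.scr
    "fb9d7728614bbc96717ee713cf32fc5c",  # information.scr
    "481dc7383dd0e2be1218217bfa6f4d8e",  # Bank Details.scr
}

# Payload extensions that appear in this outbreak's attachment list.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".cmd")
ARCHIVE_SUFFIXES = (".zip",)


def normalize_md5(value: str) -> str:
    """Accept the alert's '0xABC...' spelling or a bare hex digest."""
    value = value.strip().lower()
    if value.startswith("0x"):
        value = value[2:]
    return value


def is_executable_name(name: str) -> bool:
    """True when the file name ends in one of the outbreak's payload extensions."""
    return name.lower().endswith(EXECUTABLE_SUFFIXES)


def inspect_attachment(name: str, data: bytes, known_md5s=ALERT_MD5S) -> list[dict]:
    """Return one finding per file the attachment delivers.

    A .zip is opened in memory and every member is examined; any other
    attachment (for example a bare .scr) is examined as-is. A finding is
    'suspicious' when the delivered file has an executable extension or its
    MD5 is in the indicator list.
    """
    if name.lower().endswith(ARCHIVE_SUFFIXES):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(info.filename, zf.read(info))
                       for info in zf.infolist() if not info.is_dir()]
    else:
        members = [(name, data)]

    findings = []
    for member_name, content in members:
        digest = hashlib.md5(content).hexdigest()
        exec_flag = is_executable_name(member_name)
        hash_flag = digest in known_md5s
        findings.append({
            "attachment": name,
            "file": member_name,
            "size": len(content),
            "md5": digest,
            "executable_extension": exec_flag,
            "hash_match": hash_flag,
            "suspicious": exec_flag or hash_flag,
        })
    return findings


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory zip holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in entries.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-in for a payload (not the real sample). Its hash is added
# to a demo block list only so the hash-match path can be exercised offline.
SAMPLE_PAYLOAD = b"MZ constructed placeholder, not a real executable"
SAMPLE_ZIP = build_sample_zip({
    "Insured Information.exe": SAMPLE_PAYLOAD,
    "readme.txt": b"harmless text member",
})
DEMO_MD5S = ALERT_MD5S | {hashlib.md5(SAMPLE_PAYLOAD).hexdigest()}

if __name__ == "__main__":
    for finding in inspect_attachment("Insured Information.zip", SAMPLE_ZIP, DEMO_MD5S):
        print(finding)
    for finding in inspect_attachment("paymentdetails.scr", b"constructed bytes"):
        print(finding)
```

The extension check is the one that keeps paying off: every later wave in this alert changed the hashes but kept shipping a renamed executable inside an archive, so a hash-only rule would have missed each new variant until the list was refreshed.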

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: reportphishing@antiphishing.org

Message Body:

Dear user reportphishing@antiphishing.org,
We have received reports that your account was used to send a large amount of spam messages during the recent week.
Most likely your computer was compromised and now runs a hidden proxy server.
Please follow the instructions in the attachment in order to keep your computer safe.
Best wishes,
The antiphishing.org support team.

Or

> Message Body:

Dear Sir/Ma,
Re: CANCELLATION OF Insurance Policy purchased in August 2012
In August 2012 my Son purchased an Insurance policy form you, Unfortunately the policy and cost has not been approved for the amount charged and I believe you or your agent has Acted FRAUDULENTLY and we want it cancelled IMMEDIATELY!! –attached is the policy and my attorneys advice he gave me as to what to do next if you do not fix this issue.
I would appreciate it if you could organise to get it cancelled ASAP and advise as to why it has been charged this way
I look forward to settling this matter amicably. If, however, the matter is not satisfactorily resolved by the above deadline I will consider taking further action to resolve the complaint either through the Department of Commerce or through the courts.
Yours faithfully,

Or

> Subject: Download Your Exetel Monthly Statement!

Message Body:

Dear Exetel Customer,
Download your Exetel statement of Account for the month August.
Exetel Billing Service.

Or

> Subject: We can not charge your credit card

Message Body:

Amazon Your Account | Help
Your credit card was blocked.
We tried to withdraw money from your credit card, but your bank decline it. In the attachment you will be found a invoice from your last order. Please pay this invoice as soon as possible.
Conditions of Use Privacy Notice © 1996-2012, Amazon.com, Inc. or its affiliates

Or

> Subject: Download your ticket #NR5986

Message Body:

Dear Customer,
ELECTRONIC TICKET / 2 785 1056127308 2
SEAT / 78E/ZONE 2
DATE / TIME 19 OCTOBER, 2012, 10:45 AM
ARRIVING / Irving
FORM OF PAYMENT / CC
TOTAL PRICE / 247.47 USD
REF / KE3151 ST / OK
BAG / 3PC
Your bought ticket is attached.
To use your ticket you should print it.
Thank you for using our airline company services.
American Airlines.

Or

> Subject: D&B iUpdate : Company Order Request

Message Body:

D&B
D&B
D&B iUpdate : Company Request
Thank you,
Your request has been successfully processed by D&B.
All information has been reviewed and validated by D&B.
Please Find your Order Information attached.
iUpdate is D&B's Internet-based service that allows business principals to view, print, and request updates their company information.
CONFIDENTIALITY: The information contained in this transmission may contain privileged and confidential information. It is intended only for the use of the person(s) named above, who is an user of D&B - iUpdate service. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution or duplication of this communication, and the information contained in it, is strictly prohibited. If you are not the intended recipient, please contact D&B and immediately destroy all copies of the original message.
This is an automated mail. Please do not reply to this message.
© Dun & Bradstreet, Inc., 2000-2013. All rights reserved.

Or

> Subject: Scan from a Xerox W. Pro #08994236

Message Body:

Please open the attached document. It was scanned and sent
to you using a Xerox WorkCentre Pro.
Sent by: CHANELLE
Number of Images: 1
Attachment File Type: .PDF [Acrobat Reader file]
Xerox WorkCentre Location: machine location not set

Or

> Subject: Payment Completed

Message Body:

Payment was made available yesterday and i would like for you to verify account info if there is any error.
Regards
Mrs Liz Smith

Or

> Subject: 10 messages. 9/9/2013 8:09:07 AM

Or

> Message Body:

the Bank Details
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Or

> Subject: Loan Account Purchased!!!!!!

Message Body:

Dear Sir/Ma,
Re: CANCELLATION OF Loan account purchased in August 2013
In August 2013 my daughter purchased a loan, Unfortunately the interest and cost has not been approved for the amount charged and I believe you or your agent has Acted FRAUDULENTLY and we want it cancelled IMMEDIATELY!! –attached is the policy and my attorneys advice he gave me as to what to do next if you do not fix this issue.
I would appreciate it if you could organize to get it cancelled ASAP and advise as to why it has been charged this way
I look forward to settling this matter amicably. If, however, the matter is not satisfactorily resolved by the above deadline I will consider taking further action to resolve the complaint either through the Department of Commerce or through the courts.
Yours faithfully,

Or

> Message Body:

please confirm your Account Details (Payment Slip )

Or

> Message Body:

Dear Sir.
This is Lawrence, i contacted you before but you did not reply to my email. I am Mrs. Jenny's friend from Vietnam.
One of our Europe best customer is looking for your product, Please find attachment with every specification, both the thickness and the quality.
Like i said before in my previous email, we do not want a similar product. This is a special request so kindly find attachment in zip file with Picture and other details.
In your reply, Kindly indicate your prices and other details.
waiting for your soonest reply.
Thanks and Best Regard
Thanks and Best Regard
Lawrence Lee

Or

> Subject: Alert Transactions Report by users from 2014-10-08 to 2014-09-28

Message Body:

Your requested report is attached here.

Or

> Subject: BKG NO : 2554365150 // AL SHUWAIKH,KUWAIT

Message Body:

Dear Sir,
Please find attached Audited Financial Statements for MCL Freight Services Ltd and CP World (China) Ltd year ended 30.11.14. Kindly let us have all your comments and let us know if we can finalise these Accounts.
Also find attached journal entries made during our audit.
Regards
Lina Tan
Chartist Associates

Or

> Subject: Tax Return Report!!

Message Body:

Dear Member
Our System has shown your 2013 Tax Return is yet to be filed and here is a report on it. Kindly download the report attacted in this mail for review.
Kindly advise your decision regarding this Return for immediate processing.
Thanks
Internal Revenue Service

Or

> Subject: information

Message Body:

please check the file .some information in it .

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

  • Version | Description | Section | Date
    ---|---|---|---
    32 | Cisco Security has detected significant activity on March 9, 2015. | | 2015-March-10 11:01 GMT
    31 | Cisco Security has detected significant activity on December 7, 2014. | | 2014-December-09 13:44 GMT
    30 | Cisco Security has detected significant activity on October 2, 2014. | | 2014-October-06 14:56 GMT
    29 | Cisco Security has detected significant activity on July 10, 2014. | | 2014-July-11 12:22 GMT
    28 | Cisco Security has detected significant activity on June 15, 2014. | | 2014-June-16 13:41 GMT
    27 | Cisco Security has detected significant activity on March 8, 2014. | | 2014-March-10 13:03 GMT
    26 | Cisco Security has detected significant activity on February 25, 2014. | | 2014-February-26 13:36 GMT
    25 | Cisco Security has detected significant activity on February 5, 2014. | | 2014-February-06 13:38 GMT
    24 | Cisco Security has detected significant activity on December 29, 2013. | | 2014-January-30 12:51 GMT
    23 | Cisco Security has detected significant activity on December 20, 2013. | | 2014-January-17 13:58 GMT
    22 | Cisco Security has detected significant activity on December 20, 2013. | | 2013-December-23 13:34 GMT
    21 | Cisco Security has detected significant activity on December 18, 2013. | | 2013-December-19 13:47 GMT
    20 | Cisco Security has detected significant activity on November 25, 2013. | | 2013-November-26 20:20 GMT
    19 | Cisco Security has detected significant activity on November 13, 2013. | | 2013-November-14 21:40 GMT
    18 | Cisco Security has detected significant activity on October 22, 2013. | | 2013-October-22 18:46 GMT
    17 | Cisco Security has detected significant activity on September 16, 2013. | | 2013-September-17 14:18 GMT
    16 | Cisco Security has detected significant activity on September 12, 2013. | | 2013-September-13 13:43 GMT
    15 | Cisco Security has detected significant activity on September 9, 2013. | | 2013-September-09 18:07 GMT
    14 | Cisco Security has detected significant activity on March 14, 2013. | | 2013-March-15 22:30 GMT
    13 | Cisco Security has detected significant activity on March 13, 2013. | | 2013-March-14 14:44 GMT
    12 | Cisco Security has detected significant activity on March 10, 2013. | | 2013-March-11 20:01 GMT
    11 | Cisco Security has detected significant activity on February 26, 2013. | | 2013-February-26 18:46 GMT
    10 | Cisco Security has detected significant activity on January 30, 2013. | | 2013-January-30 17:40 GMT
    9 | Cisco Security has detected significant activity on November 11, 2012. | | 2012-November-12 15:55 GMT
    8 | Cisco Security has detected significant activity on October 11, 2012. | | 2012-October-12 13:09 GMT
    7 | Cisco Security has detected significant activity on October 2, 2012. | | 2012-October-11 14:58 GMT
    6 | Cisco Security has detected significant activity on October 2, 2012. | | 2012-October-02 18:05 GMT
    5 | Cisco Security has detected significant activity on September 24, 2012. | | 2012-September-25 21:21 GMT
    4 | Cisco Security has detected significant activity on September 21, 2012. | | 2012-September-25 16:21 GMT
    3 | Cisco Security has detected significant activity on September 13, 2012. | | 2012-September-14 17:46 GMT
    2 | Cisco Security has detected significant activity on September 13, 2012. | | 2012-September-13 20:01 GMT
    1 | Cisco Security has detected significant activity on July 27, 2012. | | 2012-July-30 22:05 GMT


Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products