Threat Outbreak Alert: Fake Monetary Award Email Messages on July 9, 2013

2013-07-10T14:59:10
ID CISCO-THREAT-30019
Type ciscothreats
Reporter Cisco
Modified 2013-07-10T14:59:10

Description

Medium

Alert ID: 30019

First Published: 2013 July 10 14:59 GMT

Version: 1

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a monetary award for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID6537) may contain the following files:

  • productfile.rar
  • productfile.exe

The productfile.exe file in the productfile.rar attachment has a file size of 308,816 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xAA2B875E744BA29E6A66F544D9BE405A
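Added example (not part of the Cisco alert): a stdlib-only mail triage helper that walks the attachments of a raw message and compares each one's filename, size and MD5 against the indicators listed above. The message and attachment bytes it builds are constructed test data; the size/hash indicator applies to the extracted productfile.exe, so a match on the raw .rar attachment is not expected and the archive is flagged by name.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory (RuleID6537); MD5 lowercased for comparison.
IOC_ATTACHMENT_NAMES = {"productfile.rar", "productfile.exe"}
IOC_EXE_SIZE = 308_816
IOC_EXE_MD5 = "aa2b875e744ba29e6a66f544d9be405a"


def attachment_findings(raw_message: bytes) -> list:
    """Return one finding per attachment: its name, size, MD5 and which indicators it matches.

    The hash/size check is only meaningful on the extracted .exe; extracting RAR archives
    needs a third-party library, so here the archive itself is matched by filename.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        digest = hashlib.md5(payload, usedforsecurity=False).hexdigest()
        findings.append({
            "filename": name,
            "size": len(payload),
            "md5": digest,
            "name_match": name in IOC_ATTACHMENT_NAMES,
            "hash_match": digest == IOC_EXE_MD5 and len(payload) == IOC_EXE_SIZE,
        })
    return findings


def build_sample_message(attachment_name: str, content: bytes) -> bytes:
    """Constructed message mimicking the campaign's subject line; attachment bytes are made up."""
    msg = EmailMessage()
    msg["Subject"] = "FEDERAL BUREAU OF INVESTIGATION"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Attention: FBI Official Notice ...")
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Fake RAR signature followed by padding; not a real archive.
    sample = build_sample_message("productfile.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 64)
    for finding in attachment_findings(sample):
        print(finding)
```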

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: FEDERAL BUREAU OF INVESTIGATION
>
> Message Body:
>
> FEDERAL BUREAU OF INVESTIGATION
> FBI Headquarters in Washington, D.C.
> J. Edgar Hoover Building
> 935 Pennsylvania Avenue, NW Washington, D.C. 20535-0001
> Website: www.fbi.gov
> Attention: FBI Official Notice: The Anti Terrorist and Monetary Crimes Division has discovered through our Global Monitoring Unit that the sum of $10,500,000.00 has been released from the Central Bank of Nigeria to the Bank of America Bearing your name as the beneficiary.
> The Central Bank Of Nigeria Knowing fully well that they do not have enough facilities to effect this payment directly into your account from Nigeria, Used what is known as secret Diplomatic Transfer to effect the payment. This method of transfer is applied only when the fund is related to terrorist or money laundering activities.
> If your transaction is legit and you are not related to terrorist or money laundering activities, then why must your payment be made via secrete Diplomatic Transfer? and why did you not receive the money directly into your Bank account? For security reasons, the said amount of $10,500,000.00 has been stopped by the FBI for proper investigations before final credit into your personal account.
> As a matter of urgency, you are required to provide a Diplomatic Immunity Seal of transfer Certificate from the Fund Originated Country within 72 hours in order to prove that the fund you are about to receive is not related to terrorist or money laundering activities.
> Failure to comply with our instructions within 72 hours, will leave us with no other option than to impound the payment and arrest you for money laundering and terrorism which will lead to jail term if you are found guilty as charged.
> For further directives regarding the obtaining of the Diplomatic Immunity Seal of transfer Certificate from the Fund originated country, you are required to reconfirm your personal details as required below:
> (1) Full Name
> (2) Address
> (3) Home/Cell Phone
> (4) Age, Sex and Occupation
> We shall monitor and facilitate the release of your payment of $10,500,000.00 into your personal account upon the confirmation of the needed diplomatic immunity seal of transfer certificate.
> Final Warning: You have less than 72 hours to obtain the above mentioned certificate.
> Yours In Service,
> SPECIAL AGENT PETER PUTZZ
> ON BEHALF OF THE FBI DIRECTOR
> MR. ROBERT S. MUELLER.

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco, and end users who are protected by Cisco Web Security Appliances, will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

Version | Description | Section | Date
---|---|---|---
1 | Initial Release | | 2013-July-10 14:59 GMT

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products