Threat Outbreak Alert: Fake Business Complaint Notification Email Messages on January 28, 2014

2013-07-23T15:38:52
ID CISCO-THREAT-30178
Type ciscothreats
Reporter Cisco
Modified 2014-01-29T13:51:02

Description

Medium

Alert ID:

30178

First Published:

2013 July 23 15:38 GMT

Last Updated:

2014 January 29 13:51 GMT

Version:

25

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a business complaint notification for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID6674 and RuleID6674KVR) may contain any of the following files:

> Complaint_443952060888.zip
Complaint_07222013.exe
Package_771184654796.zip
Package_07232013.exe
Complaint_351076421205.zip
Complaint_351076421205.exe
VAT_7239562.zip
VAT_07242013.exe
VAT_2825575.zip
VAT_07302013.exe
VAT_2229326.zip
VAT_06082013.exe
Pacchetto.zip
9611804021938236934224.scr
Report_chris.zip
Report_09092013.exe
TAX_nhn.zip
TAX_11092013.exe
TAX_michael.donovan.zip
TAX_09122013.exe
TAX_fax-1543511.zip
TAX_09232013.exe
VAT_fax-1821402.zip
VAT_09272013.exe
Report_cliffeddison.zip
Report_03102013.exe
TAX_04102013.zip
TAX_04102013.exe
9739-6288.zip
report_10072013.exe
Loan.abland_ap.zip
Loan_0327483474346.exe
File_3199583.zip
File_09102013.exe
Report_antiphishing.org.zip
Report_10162013.exe
VAT_julian.zip
VAT_10252013.exe
Case_GQA2LEH77GA0IAI.zip
Case_11042013.exe
Report_berman.zip
report_11212013.exe
Report_342122287.zip
Report_342122287.exe
Statement_061213.zip
Statement_061213.exe
Complaint_icselect.com.zip
Complaint_09122013.exe
TAX.zip
TAX_12242013.exe
Complaint_551082642602.zip
Complaint_.exe

The Complaint_07222013.exe file in the Complaint_443952060888.zip attachment has a file size of 130,560 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x95B542B1BCBD7D5AEE65F97E9125D90C

The Package_07232013.exe file in the Package_771184654796.zip attachment has a file size of 131,072 bytes. The MD5 checksum is the following string: 0x296887E80B959C1B96D6D9BA6C3A06ED

The Complaint_351076421205.exe file in the Complaint_351076421205.zip attachment has a file size of 131,072 bytes. The MD5 checksum is the following string: 0xBCFC9E927D757CDC470B4A0A9CB33D75

The VAT_07242013.exe file in the VAT_7239562.zip attachment has a file size of 131,072 bytes. The MD5 checksum is the following string: 0x83CCFF215ACDE69F48AEB0A26938F13A

The VAT_07302013.exe file in the VAT_2825575.zip attachment has a file size of 124,928 bytes. The MD5 checksum is the following string: 0x41FB4AB55EC0257E7AF7459E48D58687

The VAT_06082013.exe file in the VAT_2229326.zip attachment has a file size of 123,904 bytes. The MD5 checksum is the following string: 0x81C0D1140A4BF5959EF30D3AE242B9CC

The 9611804021938236934224.scr file in the Pacchetto.zip attachment has a file size of 932,239 bytes. The MD5 checksum is the following string: 0x6654FD6057423A3505E80B18CB2FE671

A variant of the 9611804021938236934224.scr file in the Pacchetto.zip attachment has a file size of 1,209,937 bytes. The MD5 checksum is the following string: 0x32BB9F3AD2BA6A3DD5033E3083E0A269

The Report_09092013.exe file in the Report_chris.zip attachment has a file size of 43,008 bytes. The MD5 checksum is the following string: 0xDFCD03CC2384DF224B3AC6CE97CA39DC

The TAX_11092013.exe file in the TAX_nhn.zip attachment has a file size of 20,992 bytes. The MD5 checksum is the following string: 0x9F68AE8267182BF1BE4E5BB6C75022B8

The TAX_09122013.exe file in the TAX_michael.donovan.zip attachment has a file size of 20,992 bytes. The MD5 checksum is the following string: 0xE691C7D7C7394FD3BE822CCB382021DA

The TAX_09232013.exe file in the TAX_fax-1543511.zip attachment has a file size of 23,552 bytes. The MD5 checksum is the following string: 0xF48606131439A9D5F773259E1238BB84

The VAT_09272013.exe file in the VAT_fax-1821402.zip attachment has a file size of 24,576 bytes. The MD5 checksum is the following string: 0xA1A9E79F2FDAE173F664514EDCAAFA5A

The Report_03102013.exe file in the Report_cliffeddison.zip attachment has a file size of 25,600 bytes. The MD5 checksum is the following string: 0x1149F06A496D408937F53CAEDAA832BA

The TAX_04102013.exe file in the TAX_04102013.zip attachment has a file size of 24,576 bytes. The MD5 checksum is the following string: 0x2A0D540B46CD5A9A15971628B5FBF789

The report_10072013.exe file in the 9739-6288.zip attachment has a file size of 23,552 bytes. The MD5 checksum is the following string: 0x0798687A993B98EBF5E87A6F78311F32

The Loan_0327483474346.exe file in the Loan.abland_ap.zip attachment has a file size of 159,744 bytes. The MD5 checksum is the following string: 0xB58778251CCCDC7148FA6342CDB792A0

The File_09102013.exe file in the File_3199583.zip attachment has a file size of 23,040 bytes. The MD5 checksum is the following string: 0xFCA250F3239FC3EA70C33DC884DD7418

The Report_10162013.exe file in the Report_antiphishing.org.zip attachment has a file size of 26,624 bytes. The MD5 checksum is the following string: 0xE9699457FFC92C1B1C0B26588B2FAB56

The VAT_10252013.exe file in the VAT_julian.zip attachment has a file size of 18,944 bytes. The MD5 checksum is the following string: 0x8ADD936DE663BA9CD5E0097BEFF8783D

The Case_11042013.exe file in the Case_GQA2LEH77GA0IAI.zip attachment has a file size of 25,088 bytes. The MD5 checksum is the following string: 0xF5CB37F9833C928CC8EED8F8869FF535

The_ report_11212013.exe_ file in the Report_berman.zip has a file size of 23,552 bytes. The MD5 checksum is the following string: 0xF07A69866BD4ADBBF5E670028A682405

The Report_342122287.exe file in the_ Report_342122287.zip_ attachment has a file size of 20,992 bytes. The MD5 checksum is the following string: 0x2964A60E88F0DD8A12C07CEFA8B18C6C

The Statement_061213.exe file in the _Statement_061213.zip _attachment has a file size of 17,408 bytes. The MD5 checksum is the following string: 0xDDD79DF28615E19DA20EEA2E708DBD5C

The Complaint_09122013.exe file in the Complaint_icselect.com.zip attachment has a file size of 13,824 bytes. The MD5 checksum is the following string: 0x3346058C4BC09EA0ADE7F5BBA66F27D0

The TAX_12242013.exe file in the TAX.zip attachment has a file size of 13,824 bytes. The MD5 checksum is the following string: 0x5137A528DC3918CAB602CCFF01C041CB

The Complaint.exe_ file in the Complaint_551082642602.zip attachment has a file size of 17,408 bytes. The MD5 checksum is the following string: 0x8163D272C4975B1D7ED578B4D24B3D2A

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: 71148bdbb27bedde17c28079eeb3bcb8

Message Body:

Internal Revenue Service
You have received a complaint in regards to your business services.
The complaint was filled by Mr./Mrs. Balbino FREYTES on 07/22/2013/
Case Number: 443952060888
Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email.
Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them: Claims based on product liability; Claims for personal injuries; Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.
The decision as to whether your dispute or any part of it can be arbitrated rests solely with the IRS.
The IRS offers a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.
2013 Council of IRS, Inc. All Rights Reserved.

Or

> Subject: Successful Receipt of Online Submission for Reference 7239562

Message Body:

Thank you for sending your VAT Return online. The submission for reference 7239562 was successfully received on Wed, 24 Jul 2013 02:35:46 -0500 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Or

> Message Body:

Gentile cliente,
Abbiamo tentato di consegnare il tuo articolo il 27 Agosto 2013, 08:50 AM.
Il tentativo di recapito fallito, perché nessuno era presente nel indirizzo di spedizione, in modo tale notifica è stata inviata automaticamente.
Puoi sistemare riconsegna visitando il link sottostante o prendere l'oggetto al più vicino ufficio postale di consegna indicato sulla ricevuta.
Se il pacchetto non è prevista per la riconsegna o ritirati entro 48 ore, verrà restituita al mittente.
Etichetta/Numero della ricevuta: 9611804021938236934224
Data di consegna prevista: 27 Agosto 2013
Classe: servizi del pacchetto internazionali
servizio(i): la conferma di consegna
Stato: Notifica inviata
Per controllare lo stato di consegna del vostro pacchetto o organizzare riconsegna si prega di visitare il seguente URL:
hxxps: //www.fedex.com/
Per scaricare la fattura commerciale, in formato PDF, necessario per la riconsegna, scaricare il file:
phone: 1-810-302-6692
Grazie,
Copyright © 2013 FEDEX. Tutti i diritti riservati.na
Questa è una mail generata automaticamente, per favore non rispondere

Or

> Subject: Response to Delivered Fax

Message Body:

The attached mail was received in response to a Fax2Mail user
for which you are listed as an administrator.
Thank you for sending your VAT Return online. The submission for reference 4647141 was successfully received on Mon, 23 Sep 2013 20:38:55 +1200 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.
For the latest information on your VAT Return please open attached report.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

Or

> Subject: Notification of direct debit of fees

Message Body:

**Notification Date: 03/10/2013
Notification Number: 357386931
Mandate Number: 8550643

THIS IS AN AUTO NOTIFICATION EMAIL. DO NOT REPLY TO THE SENDER OF THIS EMAIL. IF YOU HAVE A QUERY PLEASE REFER TO THE INFORMATION BELOW ###

This is notification that Land Registry will debit 218.00 GBP from your nominated account on or as soon as possible before 04/10/2013.
Details of fees that we shall be collecting by direct debit for the applications charged are now available to view.
You can access these by opening attached report.
If you have an enquiry relating to your VDD account please contact Customer Support at customersupport@landregistry.gsi.gov.uk or call on 0844 892 1111. For all enquiries, please quote your key number.
Thank you,
Land Registry**

Or

> Subject: 9739-6288

Message Body:

Please see the attached Iolta report for 9739-6288.
We received a check request in the amount of $19,260.36 for the above referenced file. However, the attached report reflects a $0 balance. At your earliest convenience, please advise how this request is to be funded.
Thanks.
Galen_Page *
Accounts Payable
National Bankruptcy Services, LLC
9441 LBJ Freeway, Suite 250
Dallas, TX 75243
Galen_Page@NBSDefaultServices.com

Or

> Subject: RE: Loan Approved

Message Body:

Your documents are ready , please sign them and email them back.
Thank you
Phillip_Benjamin
Level III Account Management
817-007-5357 office
817-351-5675 cell
Phillip_Benjamin@citibank.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
The security of personal information about you is our priority. We protect this information by maintaining physical, electronic, and procedural safeguards that meet applicable law. We train our employees in the proper handling of personal information. When we use other companies to provide services for us, we require them to protect the confidentiality of personal information they receive.
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Or

> Subject: FW: File 3199583

Message Body:

You can find your file attached.
Regards,
Ginger Mccoy

Or

> Subject: You have received a new debit

Message Body:

Wednesday 16 October 2013
This is an automatically generated email by the Lloyds TSB PLC LloydsLink online payments Service.
The details of the payment are attached.

Or

> Message Body:

Every man and woman wants to be sure in his/her bank account even if he or she denies the fact.
With all that pals hate to be responsible for their own well being and toil every single day.
Of course, we do not promise you pounds of cash wads but with our plain and wise method you can say "goodbye" to tough limits that you have now.
Take your time and teach yourself to get rapid dollars simply within hours.
You will always receive enough for burning presents, parties, picnics and pleasure trips and your usual lifestyle will become happier.
Follow here for more details : kimmyjobhomereport.com/breaking_news/

Or

> Subject: FW: Case 4580010

Message Body:

This message has been generated in response to the company complaint submitted to Companies House WebFiling service.
(CC01) Company Complaint for the above company was accepted on 09/12/2013.
The submission number is 4580010 - icselect.com
Please quote this number in any communications with Companies House.
All WebFiled documents are available to view / download for 10 days after their original submission. However it is not possible to view copies of accounts that were downloaded as templates.
Not yet filing your accounts online? See how easy it is...
Note: reference to company may also include Limited Liability Partnership(s).
Thank you for using the Companies House WebFiling service.
email enquiries@companieshouse.gov.uk
Note: This email was sent from a notification-only email address which cannot accept incoming email. Please do not reply directly to this message.

Or

> Subject: Australian Taxation Office - Refund Notification

Message Body:

IMPORTANT NOTIFICATION
Australian Taxation Office - 12/24/2013
After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 5694.67 AUD.
For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.
Jeremy Gallagher,
Tax Refund Department
Australian Taxation Office


Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

  • Version | Description | Section | Date
    ---|---|---|---
    25 | Cisco Security has detected significant activity on January 28, 2014. | | 2014-January-29 13:51 GMT
    24 | Cisco Security has detected significant activity on December 23, 2013. | | 2014-January-02 19:45 GMT
    23 | Cisco Security has detected significant activity on December 9, 2013. | | 2013-December-10 13:27 GMT
    22 | Cisco Security has detected significant activity on December 5, 2013. | | 2013-December-09 16:24 GMT
    21 | Cisco Security has detected significant activity on November 28, 2013. | | 2013-December-02 22:59 GMT
    20 | Cisco Security has detected significant activity on November 21, 2013.

| | 2013-November-22 17:29 GMT
19 | Cisco Security has detected significant activity on November 3, 2013.

| | 2013-November-05 16:08 GMT
18 | Cisco Security has detected significant activity on October 25, 2013.

| | 2013-October-25 15:24 GMT
17 | Cisco Security has detected significant activity on October 16, 2013.

| | 2013-October-16 17:25 GMT
16 | Cisco Security has detected significant activity on October 9, 2013.

| | 2013-October-10 17:28 GMT
15 | Cisco Security has detected significant activity on October 9, 2013.

| | 2013-October-09 20:55 GMT
14 | Cisco Security has detected significant activity on October 7, 2013.

| | 2013-October-08 13:58 GMT
13 | Cisco Security has detected significant activity on October 4, 2013.

| | 2013-October-07 13:57 GMT
12 | Cisco Security has detected significant activity on September 27, 2013.

| | 2013-September-27 12:58 GMT
11 | Cisco Security has detected significant activity on September 23, 2013.

| | 2013-September-23 17:47 GMT
10 | Cisco Security has detected significant activity on September 12, 2013.

| | 2013-September-12 15:15 GMT
9 | Cisco Security has detected significant activity on September 11, 2013.

| | 2013-September-11 15:12 GMT
8 | Cisco Security has detected significant activity on September 9, 2013.

| | 2013-September-09 14:40 GMT
7 | Cisco Security has detected significant activity on September 2, 2013.

| | 2013-September-03 13:59 GMT
6 | Cisco Security has detected significant activity on August 27, 2013.

| | 2013-August-27 13:50 GMT
5 | Cisco Security has detected significant activity on August 6, 2013.

| | 2013-August-07 12:42 GMT
4 | Cisco Security has detected significant activity on July 30, 2013.

| | 2013-July-30 14:26 GMT
3 | Cisco Security has detected significant activity on July 24, 2013.

| | 2013-July-24 15:23 GMT
2 | Cisco Security has detected significant activity on July 23, 2013.

| | 2013-July-24 12:08 GMT
1 | Cisco Security has detected significant activity on July 23, 2013. | | 2013-July-23 15:38 GMT
Show Less


Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products