Threat Outbreak Alert: Fake Payment Confirmation Notification Email Messages on January 7, 2014

2013-09-06T19:48:39
ID CISCO-THREAT-30679
Type ciscothreats
Reporter Cisco
Modified 2014-01-08T13:30:29

Description

Medium

Alert ID:

30679

First Published:

2013 September 6 19:48 GMT

Last Updated:

2014 January 8 13:30 GMT

Version:

25

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a copy of a money transfer receipt (a "TT copy" or "SWIFT copy") for the recipient. The email message instructs the recipient to open the .zip attachment to view the details. However, the .zip attachment contains a malicious .scr file (a Windows screen-saver extension, which is an ordinary executable that runs on double-click; the variants below also use .exe and .pif) that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID4466KVR, RuleID4466KVR_1, and 4466KVR_1KVR) and Alert 26690 may contain any of the following files:

payment slip ttcopy.zip
payment slip ttcopy.exe
Swift copy.zip
Swift copy.exe
TT COPY.zip
Supply Order.scr
swift copy.zip
quotation0047.exe
TT COPY-1.zip
TT COPY.exe
Swift Copy.pdf.scr
OriginalDocument1.exe
OriginalDocument2.exe
Contratto.zip
Documento.pif
Swift (1).zip
Swift.exe
TRCOPY.zip
TRCOPY.scr
PO.zip
PO.scr
swift_copy.rar
swift_copy.scr
TT Payment Swift Copy.zip
TT Payment Swift Copy.exe
TT COPY (3).zip
trcopy.zip
TR8607465342Copy.exe
TR8607465362Copy.exe
T T Application.zip
tt copy.exe
INVOICE.zip
INVOICE.scr
SWIFT.zip
Swift Copy.zip
Swift Copy.scr
PAYMENT SLIP.zip
New_Order.PI.092.exe
INVOICE AND BANK DETAILS.zip
soft_crypted.exe
Copy.zip
Copy.exe

The payment slip ttcopy.exe file in the payment slip ttcopy.zip attachment has a file size of 884,736 bytes. The MD5 checksum of the executable is the following string: 0xBBC3FBACD9867896CC702E64E631CBE4

The MD5 values in this alert identify the specific samples that were observed; they are lookup keys, not proof of a file's identity, because MD5 is not collision resistant and because a repacked or re-encrypted build of the same payload has a different hash (note the several size variants of PO.scr and INVOICE.scr listed below). Hash matching therefore complements, rather than replaces, blocking executable attachment types at the gateway.

The Swift copy.exe file in the Swift copy.zip attachment has a file size of 610,304 bytes. The MD5 checksum is the following string: 0x2501D30E3585F8C80303CFE7EC8E8FB1

The Supply Order.scr file in the TT COPY.zip attachment has a file size of 2,083,840 bytes. The MD5 checksum is the following string: 0x331793715631034557613D808727E7D5

The quotation0047.exe file in the swift copy.zip attachment has a file size of 301,269 bytes. The MD5 checksum is the following string: 0x1DD3A0387F8DEC3AEBD878D8A3CD5B9C

The TT COPY.exe file in the TT COPY-1.zip attachment has a file size of 853,160 bytes. The MD5 checksum is the following string: 0x1916CB81E8111A92B923459FA89F7E23

The Swift Copy.pdf.scr file in the Swift Copy.zip attachment has a file size of 1,421,758 bytes. The MD5 checksum is the following string: 0x59EE81B1A3BB80085D5DFF7F2F2C1D3B

The OriginalDocument1.exe file in the TT copy.zip attachment has a file size of 393,216 bytes. The MD5 checksum is the following string: 0x76A051C62DD86C033173711C0D3371B7

The OriginalDocument2.exe file in the TT copy.zip attachment has a file size of 135,168 bytes. The MD5 checksum is the following string: 0x8E8D012D2B306C95D3095DBEF0A73028

The Documento.pif file in the Contratto.zip attachment has a file size of 3,759,024 bytes. The MD5 checksum is the following string: 0xCBCD020D3E650BCD0F527499CC5F28C2

The Swift.exe file in the Swift (1).zip attachment has a file size of 1,083,392 bytes. The MD5 checksum is the following string: 0xF6B6DDE74753BC47AEF9CBE425534297

The TRCOPY.scr file in the TR COPY.zip attachment has a file size of 909,312 bytes. The MD5 checksum is the following string: 0x7E785E346CB57BE178C104D891F031C0

The PO.scr file in the PO.zip attachment has a file size of 1,306,679 bytes. The MD5 checksum is the following string: 0x16091C7EA20743F7FF89B3B3A32FE57F

The swift_copy.scr file in the swift_copy.rar attachment has a file size of 1,120,845 bytes. The MD5 checksum is the following string: 0x0B7D56BCBE3D7665032E2F955A5FC86C

The TT Payment Swift Copy.exe file in the TT Payment Swift Copy.zip attachment has a file size of 1,109,783 bytes. The MD5 checksum is the following string: 0xDB99931674D815862D751BBF8AA30813

A variant of the TT COPY.exe file in the TT COPY (3).zip attachment has a file size of 729,761 bytes. The MD5 checksum is the following string: 0x9B932DACDBA6EE48242C70730F834F37

The TR8607465342Copy.exe file in the TRCopy.zip attachment has a file size of 475,136 bytes. The MD5 checksum is the following string: 0x57AB2F897EFE1C1EBCF3894E7A4F9A90

The TR8607465362Copy.exe file in the TRCopy.zip attachment has a file size of 733,184 bytes. The MD5 checksum is the following string: 0x203E77CCAA19FA916CC305A028DB6CBD

The tt copy.exe file in the T T Application.zip attachment has a file size of 899,745 bytes. The MD5 checksum is the following string: 0x5DBC90157A7E72CD830981E431132C07

The INVOICE.scr file in the INVOICE.zip attachment has a file size of 308,225 bytes. The MD5 checksum is the following string: 0x68A868815DEAA315B9678A291E4E04D9

A variant of the SWIFT COPY.exe file in the SWIFT COPY.zip attachment has a file size of 1,073,743 bytes. The MD5 checksum is the following string: 0x2C4635ADD3E19FE2D8718BEDA3F98035

A variant of the SWIFT.exe file in the SWIFT.zip attachment has a file size of 254,464 bytes. The MD5 checksum is the following string: 0xC7DF63767E030FF5B3ACEEBDB4077F77

The Swift Copy.scr file in the Swift Copy.zip attachment has a file size of 249,345 bytes. The MD5 checksum is the following string: 0x9F56F7BAC4D62675180EC57EB6C5ADD1

The New_Order.PI.092.exe file in the PAYMENT SLIP.zip attachment has a file size of 785,579 bytes. The MD5 checksum is the following string: 0x7ADE9BA232AC8923BD716F252EDC4C61

A variant of the PO.scr file in the PO.zip attachment has a file size of 450,873 bytes. The MD5 checksum is the following string: 0x57DCF3469D9B0E2490D04EE5CA7714CA

A third variant of the PO.scr file in the PO.zip attachment has a file size of 434,489 bytes. The MD5 checksum is the following string: 0x55D813755CD76100BC19B0FF12F2E65E

A variant of the INVOICE.SCR file in the INVOICE AND BANK DETAILS.zip attachment has a file size of 295,526 bytes. The MD5 checksum is the following string: 0xD16B71FA165C7CB747DBCD668C00D7E4

A third variant of the Invoice.scr file in the Invoice.zip attachment has a file size of 949,013 bytes. The MD5 checksum is the following string: 0x7D4DBCCEA549C402743082116F43A0F8

A fourth variant of the invoice.scr file in the invoice.zip attachment has a file size of 1,472,000 bytes. The MD5 checksum is the following string: 0xC47CF91648BB431CEB38E2589066706F

The soft_crypted.exe file in the TT COPY.zip attachment has a file size of 233,984 bytes. The MD5 checksum is the following string: 0x4D2C031332833964FDDD7805E1D750F8

The Copy.exe file in the Copy.zip attachment has a file size of 1,638,755 bytes. The MD5 checksum is the following string: 0x67A5766EDB6D1DE3961AE8E83A92FDE3
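The indicators above are most useful when turned into an automated attachment check. The following Python script is an added example, not Cisco's code and not part of the original alert: it unpacks a ZIP attachment in memory, flags any member whose final extension is one of the executable types the alert lists (.exe, .scr, .pif), calls out the decoy double extension seen in Swift Copy.pdf.scr, and looks each member's MD5 up in a table copied from this alert. The ZIP it inspects is constructed inline with harmless text (so it never matches a published hash and is blocked on its file name alone); the function names, the decoy-extension set and the sample contents are the example's own assumptions. RAR attachments such as swift_copy.rar need a third-party library and are not handled here.

```python
"""Attachment triage for the payment-receipt lure described in this alert.

Added example, not Cisco's code. Inspects a ZIP held in memory, flags members
whose last extension Windows would execute, notes decoy double extensions, and
matches each member's MD5 against indicators published in the alert.
"""
import hashlib
import io
import zipfile

# Indicators copied from this alert: MD5 (lower-case hex) -> (file name, size in bytes).
KNOWN_MD5 = {
    "bbc3fbacd9867896cc702e64e631cbe4": ("payment slip ttcopy.exe", 884736),
    "2501d30e3585f8c80303cfe7ec8e8fb1": ("Swift copy.exe", 610304),
    "331793715631034557613d808727e7d5": ("Supply Order.scr", 2083840),
    "59ee81b1a3bb80085d5dff7f2f2c1d3b": ("Swift Copy.pdf.scr", 1421758),
    "cbcd020d3e650bcd0f527499cc5f28c2": ("Documento.pif", 3759024),
    "0b7d56bcbe3d7665032e2f955a5fc86c": ("swift_copy.scr", 1120845),
}

# Extensions Windows runs on double-click; all three appear in the alert's file list.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif"}
# Assumed decoy extensions used in a double extension such as "Swift Copy.pdf.scr".
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}


def classify_name(name):
    """Return the reasons a member's file name is suspicious (empty list if none).

    Only the last extension decides what Windows executes; an earlier ".pdf"
    is cosmetic and exists to make the file look like a document.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]          # drop any directory inside the archive
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons
    last = parts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + last)
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append("double extension ." + parts[-2] + "." + last)
    return reasons


def triage_zip(zip_bytes):
    """Inspect every file member of a ZIP given as bytes.

    Returns a list of dicts with name, size, md5, reasons and the matching
    indicator tuple (or None). Directory entries are skipped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            md5 = hashlib.md5(data).hexdigest()
            reasons = classify_name(info.filename)
            match = KNOWN_MD5.get(md5)
            if match is not None:
                reasons.append("MD5 matches indicator for " + match[0])
            findings.append({
                "name": info.filename,
                "size": len(data),
                "md5": md5,
                "reasons": reasons,
                "indicator": match,
            })
    return findings


def suspicious_members(zip_bytes):
    """Names of members that should block delivery, in archive order."""
    return [f["name"] for f in triage_zip(zip_bytes) if f["reasons"]]


def build_sample_zip():
    """Constructed demonstration ZIP mimicking the lure's layout; contents are harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Swift Copy.pdf.scr", b"constructed sample, not a real screensaver\n")
        zf.writestr("readme.txt", b"plain text member, should not be flagged\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        verdict = "BLOCK" if f["reasons"] else "ok"
        print(verdict, f["name"], f["size"], f["md5"], "; ".join(f["reasons"]))
```

Extension matching is deliberately done on the member name inside the archive rather than on the attachment name, since the .zip wrapper is exactly what the lure relies on to get past naive filters; in production, the same check should also apply to nested archives and to members that are themselves archives.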

The following text is a sample of the email message that is associated with this threat outbreak:

> Message Body:

Dear Sir / Ma ,
Good Day,
I Attached the TTCOPY, I Travelled to china and i just came back today, I am really sorry for my late reply, I sent the payment to the Account Number on the proforma invoice
Also inform us your lead time for delivery to Bangladesh. Please this order very important and time is not very much on our side.
move the message into your inbox folder so as for you to be able to download payment slip copy
Thanks and best regards.
Your's truly,
sabrina
President/CEO.

Or

> Message Body:

Hello Dear
Your customer instructed us to transfer the balance payment to your account and e mail you the swift copy and also a copy to his own e mail, we are sorry for the delay in the balance payment, we have transferred the balance to your account, attached is the swift copy of the balance payment
.
Regards Mr Peter Bin
Economic Exchange Centre. 116/356 naif road,deirai,
U.A.E Po Box:116496

Or

> Message Body:

Dear,
How are you today?
Please confirm details to enable me to finalize the deposit
transfer today.
Kindly see Attached
documents to find our TT copy but please correct
your Bank swift on the form and send by email
attachment so that i can finalize the Wire Transfer today as
requested by my colleague.
I await your urgent confirmation.
AMED
Head (Branch Office)
Shop No 2 , Omani Halwa Building,
Rolla Street,
Rolla,Sharjah
United Arab Emirates.

Or

> Message Body:

Dear Sir,
Today we have remit $473,688.00 against $910,550.00 by swift transfer into your bank account and the details of the same attached to this mail.
Please confirm the receipt of the amount and do the needful.
Thanking you & assuring you best co-operation at all times.
Best Regards,
Jahan & Goshi Industrial Co., Pvt. Ltd
"Please Consider the Environment before Printing This Email"
Disclaimer:
*************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this email. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system.
*

Or

> Message Body:

Trasmettiamo contratto in allegato.
Saluti.

Or

> Subject: swift payment!

Message Body:

As discussed attached is a copy of the swift copy of the wire transfer.
Please kindly open the zip file to see the swift copy and confirm your details is writing correctly.
You maybe required to click RUN to download for clear view.
Thanks
Paolo

Or

> Message Body:

This is my new email address. Sorry for delay in sending TT. Attached is TT 34,700.
Thank you for your patience and coperation with us.

Or

> Message Body:

Dear Sir
We have paid the money to your account, do let us know once you receive
the fund in your account.attached is the account for the payment
Thanks
Zaheer Inamoto Oshu

Or

> Subject: Message copied from system quarantine

Message Body:

Dear Sir,
Payment instruction from our customer, Please kindly find attached T/T payment made accordingly
as discussed with our customer.
Waiting Soon Hearing From You...
Regards
Manager
HSBC

Or

> Message Body:

This is my new email.No response from you, we have already sent TT 34,700USD. Attached is TT of 34,700 USD.

Or

> Subject: Dear Sir

Message Body:

Dear Sir,
Please find attached a copy of the TT application and find out if it corresponds with the account information attached by the buyer.
Rgds,
Foodchem Industries Co., Ltd.
Contact: Ms. Cherry zheng
Manager, Operations
Telephone: 86-579-876682088
Mobile Phone: 86-139679732544
Fax: 86-579-876622922
skype: fabby2lurd
Address: Gumashan, Wangzhai,
Wuyi City, Zhejiang Province,
China, 321200.
Website: www.foodchem.cn
senders name: Ms. Cherry zheng

Or

> Message Body:

Dear Sir,
We refer to the above mentioned payment matter. Please be informed that we have made enough funds available now to enable us complerte
payment as scheduled.
Find attachedd herein your PI, Kindly confirm the bank account included and advise us if we should go on with the payment.
As agreed in out contract , the BL original copies of shipment for PI 0
393 and 0494 should be forwarded to us via DHL Courier upon receipt/ confirmation
of payment in your bank account
Hadeem Baraj

Or

> Message Body:

KINDLY FIND ATTACHED SWIFT COPY , PLEASE VERIFY IF BENEFICIARY INFORMATIONS IS CORRECT ,
BEST REGARDS
Mohammad Adam

Or

> Message Body:

Please do not delay our shippment, We have finally wired the balance payment to your account today.
Please confirm from your bank and proceed with shipment .
We await your confirmation of payment.
Best regards
Ahmed Mohamed Fathy

Or

> Message Body:

ear Sir
Can you inform me about the following for your product?
We need information, please let us know the following;
a
1. Minimum order quantity
2. Delivery time
3. Payment terms
4. Warranty
5. Can you supply us regularly in large quantity if We establish a business relationship with you.
Please also find in the attached requested product sample needed by our customer to check and see if you got in stock.
Waiting to hear from you soon and hope for a good business start.
MS CHEW LEE

Or

> Message Body:

Dear Sir,
We have been instructed to remit the invoice amount to the bank details as show on the attached invoice documents by your client.
Kindly cross check the invoice and confirm the bank details included so we can proceed with remittance to the account details show in the invoice
Best Regards

Or

> Subject: Check for TT Copy.

Message Body:

Dear sir ,
How are you doing , this is to inform you that we have made the payment in your company favor , you are to view the attachment TT slip for the recipt of the payment .
Kindly send us the appropriate product as we have demanded.
Regards
Michael Porter

Or

> Subject: Please Confirm the Payment Slip

Message Body:

Dear Friend
I sent you the payment slip for the money i sent to your account yesterday and i did not hear from you. Please download the attachment to preview the payment slip. and confirm to me if the money has reflected in your account. Get back to me immediately you confirm it.
Regards
Angel Castro

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network

Revision History

  • Version | Description | Section | Date
    ---|---|---|---
    25 | Cisco Security has detected significant activity on January 7, 2014. | | 2014-January-08 13:30 GMT
    24 | Cisco Security has detected significant activity on December 18, 2013. | | 2013-December-19 13:47 GMT
    23 | Cisco Security has detected significant activity on December 9, 2013. | | 2013-December-10 13:29 GMT
    22 | Cisco Security has detected significant activity on December 3, 2013. | | 2013-December-05 15:09 GMT
    21 | Cisco Security has detected significant activity on December 2, 2013. | | 2013-December-03 17:19 GMT
    20 | Cisco Security has detected significant activity on November 22, 2013. | | 2013-November-25 14:53 GMT
    19 | Cisco Security has detected significant activity on November 19, 2013. | | 2013-November-20 14:37 GMT
    18 | Cisco Security has detected significant activity on November 15, 2013. | | 2013-November-18 16:31 GMT
    17 | Cisco Security has detected significant activity on November 8, 2013. | | 2013-November-08 21:11 GMT
    16 | Cisco Security has detected significant activity on November 5, 2013. | | 2013-November-06 16:18 GMT
    15 | Cisco Security has detected significant activity on October 27, 2013. | | 2013-October-29 14:46 GMT
    14 | Cisco Security has detected significant activity on October 24, 2013. | | 2013-October-24 15:57 GMT
    13 | Cisco Security has detected significant activity on October 22, 2013. | | 2013-October-23 16:07 GMT
    12 | Cisco Security has detected significant activity on October 22, 2013. | | 2013-October-22 18:44 GMT
    11 | Cisco Security has detected significant activity on October 21, 2013. | | 2013-October-22 14:37 GMT
    10 | Cisco Security has detected significant activity on October 17, 2013. | | 2013-October-18 14:13 GMT
    9 | Cisco Security has detected significant activity on October 15, 2013. | | 2013-October-16 17:47 GMT
    8 | Cisco Security has detected significant activity on October 14, 2013. | | 2013-October-15 14:15 GMT
    7 | Cisco Security has detected significant activity on October 14, 2013. | | 2013-October-14 19:22 GMT
    6 | Cisco Security has detected significant activity on October 4, 2013. | | 2013-October-07 18:33 GMT
    5 | Cisco Security has detected significant activity on September 20, 2013. | | 2013-September-23 14:08 GMT
    4 | Cisco Security has detected significant activity on September 19, 2013. | | 2013-September-20 14:09 GMT
    3 | Cisco Security has detected significant activity on September 16, 2013. | | 2013-September-16 14:12 GMT
    2 | Cisco Security has detected significant activity on September 13, 2013. | | 2013-September-13 13:48 GMT
    1 | Cisco Security has detected significant activity on September 6, 2013. | | 2013-September-06 19:48 GMT


Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products