Threat Outbreak Alert: Fake Bank Account Statement Email Messages on June 18, 2014

2013-09-18T16:04:45
ID CISCO-THREAT-30861
Type ciscothreats
Reporter Cisco
Modified 2014-06-19T12:33:34

Description

Medium

Alert ID:

30861

First Published:

2013 September 18 16:04 GMT

Last Updated:

2014 June 19 12:33 GMT

Version:

16

Summary

  • Cisco Security has detected significant activity related to spam email messages that claim to contain a bank statement notification for the recipient. The text in the message body attempts to persuade the recipient to open the attachment for details. However, the attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID7122, RuleID2970KVR, and RuleID2970_1KVR) may contain the following files:

Statement_pdf.exe
Order history page.zip
Order history page.pdf.exe
report.zip
report.pdf.exe
MOwFGcj.zip
MNTHCOMRPT1.DOC.exe
calendario con le nuove tariffe abbassate.pdf.zip
calendario con le nuove tariffe abbassate.pdf.scr
2Via-Boleto.pdf.zip
2Via-Boleto.pdf.cpl
Fines_Report.zip
Fines_Report.pdf.exe
Payment_Scan_Copy_pdf.zip
Payment_Scan_Copy_pdf.scr

PDF.zip
payment detail.pdf.exe
Duty_report.zip
Duty_report.pdf.scr
Transfer doc.zip
Transfer doc.exe
Bank Pre Advice...PDF.zip
soft2.exe
Modello Disdetta_CPS_000382941873.PDF.zip
Modello Disdetta_CPS_000569948331.PDF.exe
Report.xls.scr

Invoice.zip
Invoice.jpg.scr

Lottery_coupon.pdf.zip
Lottery_coupon.pdf.scr
PaymentSlip.zip
PaymentSlip.jpg.exe
Boleto92379783201032055025.pdf.zip
Boleto92379783201032055025.pdf.cpl

Rechnung 4754891443.pdf.zip
Rechnung 6495329850.pdf.exe
Dettaglio dei costi.pdf.zip
Dettaglio dei costi.pdf.exe

The Statement_pdf.exe file has a file size of 283,349 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x7143EDF15E0F7AE07E1EA75FEE1FE784

The Order history page.pdf.exe file in the Order history page.zip attachment has a file size of 127,488 bytes. The MD5 checksum is the following string: 0xCC3A40B3AA83C1681D3124BBDD95F0B2

The report.pdf.exe file in the report.zip attachment has a file size of 134,144 bytes. The MD5 checksum is the following string: 0xB412AA2B1A6F2BF31D702DF378759514

The MNTHCOMRPT1.DOC.exe file in the MOwFGcj.zip attachment has a file size of 366,592 bytes. The MD5 checksum is the following string: 0x2F7A417799FC445E82F801B105057772

The calendario con le nuove tariffe abbassate.pdf.scr file in the calendario con le nuove tariffe abbassate.pdf.zip attachment has a file size of 1,084,416 bytes. The MD5 checksum is the following string: 0xA3F81087C4E6B79C2B5B47F8DB6412D4

The 2Via-Boleto.pdf.cpl file in the 2Via-Boleto.pdf.zip attachment has a file size of 1,000,448 bytes. The MD5 checksum is the following string: 0xFAACB4A68F7B0F4E669DAC23BAD5E159

The Fines_Report.pdf.exe file in the Fines_Report.zip attachment has a file size of 306,176 bytes. The MD5 checksum is the following string: 0x41F10FEFD5D5EDE1E51DEF6B299A67CD

The Payment_Scan_Copy_pdf.scr file in the Payment_Scan_Copy_pdf.zip attachment has a file size of 261,785 bytes. The MD5 checksum is the following string: 0x1FD5BDC9BF04269526514563F33A95C7

The payment detail.pdf.exe file in the PDF.zip attachment has a file size of 825,319 bytes. The MD5 checksum is the following string: 0x0510918C6076A9180D566BD15D703369

The Duty_report.pdf.scr file in the Duty_report.zip attachment has a file size of 280,576 bytes. The MD5 checksum is the following string: 0x000602368EF4F0BEF6603D7DC9B8F2CB

The Transfer doc.exe file in the Transfer doc.zip attachment has a file size of 1,036,103 bytes. The MD5 checksum is the following string: 0x5316AD8C0254E23BFA00E647B78AA08A

The soft2.exe file in the Bank Pre Advice...PDF.zip attachment has an approximate file size of 260,096 bytes. The MD5 checksum is not available.

The Modello Disdetta_CPS_000569948331.PDF.exe file in the Modello Disdetta_CPS_000382941873.PDF.zip attachment has a file size of 259,072 bytes. The MD5 checksum is the following string: 0x0D8D7A8074EE36A626D086F02490AAAB

The Report.xls.scr file in the Report.zip attachment has a file size of 75,776 bytes. The MD5 checksum is the following string: 0xBAF43D52864F118871EF90B552926F4F

The Invoice.jpg.scr file in the Invoice.zip attachment has a file size of 163,840 bytes. The MD5 checksum is the following string: 0xEB3EF1E106BA96D44372ACAAB8757AE2

The Lottery_coupon.pdf.scr file in the Lottery_coupon.pdf.zip attachment has a file size of 93,184 bytes. The MD5 checksum is the following string: 0xE92D5DD0D040D9D93A40EC760DA7874B

The PaymentSlip.jpg.exe file in the PaymentSlip.zip attachment has a file size of 945,728 bytes. The MD5 checksum is the following string: 0x1CE3048228EA43008BAB497A83DA4389

The Boleto92379783201032055025.pdf.cpl file in the Boleto92379783201032055025.pdf.zip attachment has a file size of 379,904 bytes. The MD5 checksum is the following string: 0x3C54D4FE1853295F00BEB605853D407E

The Rechnung 6495329850.pdf.exe file in the Rechnung 4754891443.pdf.zip attachment has a file size of 172,032 bytes. The MD5 checksum is not available.

The Dettaglio dei costi.pdf.exe file in the Dettaglio dei costi.pdf.zip attachment has a file size of 288,768 bytes. The MD5 checksum is the following string: 0x2271219D9B4B38F335FC4E27BB0CBBD9
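As an added defender-side example (not Cisco's code and not part of this alert), the following Python flags attachments that fit the lure pattern listed above: an executable extension hidden behind a decoy document extension (report.pdf.exe, Duty_report.pdf.scr, 2Via-Boleto.pdf.cpl), an executable nested inside a .zip, and an MD5 match against a subset of the checksums quoted in this alert. The sample archive it scans is constructed in code from harmless text.

```python
"""Flag mail attachments that fit the double-extension lure in this alert."""
import hashlib
import io
import re
import zipfile
from typing import List, NamedTuple, Optional

# Windows runs these directly; the lures hide them behind a decoy document
# extension separated by '.', '_' or a space (e.g. Statement_pdf.exe).
DOUBLE_EXT = re.compile(r"[._ ](pdf|doc|xls|jpg)\.(exe|scr|cpl|com|pif|bat)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|cpl|com|pif|bat)$", re.I)

# Subset of the MD5 indicators quoted in this alert, lower-cased for lookup.
KNOWN_MD5 = {
    "7143edf15e0f7ae07e1ea75fee1fe784",  # Statement_pdf.exe
    "b412aa2b1a6f2bf31d702df378759514",  # report.pdf.exe
}

class Finding(NamedTuple):
    name: str     # attachment name; "outer.zip!member" for archive members
    reason: str

def classify(name: str, md5_hex: Optional[str] = None) -> Optional[str]:
    """Return why an attachment is suspicious, or None if no rule fires."""
    if md5_hex and md5_hex.lower() in KNOWN_MD5:
        return "md5 matches alert indicator"
    if DOUBLE_EXT.search(name):
        return "decoy document extension hides an executable"
    if EXEC_EXT.search(name):
        return "directly executable attachment"
    return None

def scan_attachment(name: str, data: bytes) -> List[Finding]:
    """Check one attachment by name and hash; look inside .zip for executables."""
    findings: List[Finding] = []
    reason = classify(name, hashlib.md5(data).hexdigest())
    if reason:
        findings.append(Finding(name, reason))
    if name.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = classify(member, hashlib.md5(zf.read(member)).hexdigest())
                if inner:
                    findings.append(Finding(f"{name}!{member}", inner))
    return findings

def build_sample_zip(member: str) -> bytes:
    """Constructed test archive: harmless text stored under a lure-style name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "constructed placeholder, not malware")
    return buf.getvalue()
```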

The following text is a sample of the email message that is associated with this threat outbreak:

> Subject: Your Bank Statement

Message Body:

Standard Bank
Account Security Update
Dear Customer
Your Standard Bank account statement is ready. Download the attachment to view your account statement. Our consultants are available between 8am and 9pm on weekdays, and 8am and 4pm on weekends and public holidays.
The Internet banking Team
Moving Forward
Copyright Standard Bank. All rights reserved.
Standard Bank of South Africa Limited (Reg. No. 1962/000738/06). Authorised financial services provider. Registered credit provider (NCRCP15).
Disclaimer and confidentiality note:
Everything in this email and any attachments relating to the official business of Standard Bank Group Limited is proprietary to the group.
It is confidential, legally privileged and protected by law. Standard Bank does not own and endorse any other content.
The person addressed in the email is the sole authorised recipient.
Please notify the sender immediately if it has unintentionally reached you and do not read disclose or use the content in any way.
Standard Bank cannot assume that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
For our privacy policy or information about the Standard Bank group visit our website at www.standardbank.co.za.
Standard Bank email disclaimer and confidentiality note
Please go to hxxp://www.standardbank.co.za/site/homepage/emaildisclaimer.html to read our email disclaimer and confidentiality note. Kindly email disclaimer@standardbank.co.za (no content or subject line necessary) if you cannot view that page and we will email our email disclaimer and confidentiality note to you.

Or

> Subject: Wells Fargo Advisors

Message Body:

Please review attached documents.
Michael_Burns
Wells Fargo Advisors
817-559-4662 office
817-358-9011 cell Michael_Burns@wellsfargo.com
Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC.
1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

Or

> Message Body:

Hello, we are pleased to inform you of the new rates for money transfers to several countries
..and more
HIGHER earnings for Agencies !!!
Effective from 05/03/2014
Attached is the calendar with the new reduced rates !
Moneytrans Spa Milano

Or

> Subject: Unpaid surcharges #7463746

Message Body:

Good morning!
You have the fine for traffic violations.
The statement is in the attached ZIP-file.
You have to verify it before April 27th 2014. Your account: FSR/23870.
Else you'll obtain additional punishment.
Yours faithfully, head of Police department #138.

Or

> Subject: Payment details

Message Body:

Dear Sir/ Madam,
Please kindly view payment transfer confirmation attached below. The payment was
made to your account through one of your customers.
Regards

Or

> Subject: fee certificate of your salary N 64946529

Message Body:
Dear taxpayer!
I send you the statement of your contribution on our enterprise for July 2013 in the attached ZIP.
You must fill attached form before April 8033206930743514129446287286th, 2014.

Or

> Message Body:

We have just transferred payment to your account. See attached transfer doc.

Or

> Subject: f909b7db64185d0cb5ba055a8caefa48

Message Body:

Header TelecomItalia
Prot. No. C57981835 of 12/05/2014
Subject: Form submission: Termination of Carrier PreSelection
Dear Customer,
following your request to Servizio 191, please find attached the documentation relating to the
request in question, which we ask you to return, duly signed, exclusively by fax to
no. 800 000 577.
We remind you that on the website www.impresasemplice.it you can learn about and purchase online the latest products and offers reserved for Business Customers, view and pay invoices, download duplicate invoices, and contact our Customer Care 191 service by sending a simple e-mail.
Kind regards
Telecom Italia S.p.A.
Servizio Clienti Business
Attention: please do not reply to this message; this mailbox is not enabled to receive mail.

Or

> Subject: Your personal account was blocked

Message Body:

Good day!
Your personal account was blocked due spam messages.
Your funds: 138.66$, have been blocked for 30 days.
The summary is in the attached archive.
Always sincerely yours, Michigan Cashback Team
To unsubscribe this email - please change your account notifications settings.

Or

> Subject: Your personal account was banned

Message Body:

Good morning!
Your personal account was banned due suspicious activity.
Your funds: 326.87$, have been blocked for 30 days.
The summary is in the attachment.
Yours sincerely, Mississippi NetCash Team
To unsubscribe our announcement - please change your account settings.

Or

> Subject: Memorial Day - charitable lottery

Message Body:

Dearest!
The 37th annual philanthropic Memorial Day lottery will be held on Sa, 17:50.
Review your coupon in the attached file.
---
Very truly yours

Or

> Subject: Re: Payment Slip

Message Body:

Good Day,
Kindly find attached swift copy for $31,000.00 paid into your account today.
Balance will be remitted in coming week. Advice when money has been received.
Accounts Department
Chung Lin

Or

> Message Body:

Dear customer, we are sending you the bill for line number
Kind regards Telecom Italia S.p.A.

Cisco Security analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security
Cisco SenderBase Security Network


Revision History

Version | Description | Section | Date
---|---|---|---
16 | Cisco Security has detected significant activity on June 18, 2014. | | 2014-June-19 12:33 GMT
15 | Cisco Security has detected significant activity on June 11, 2014. | | 2014-June-12 14:11 GMT
14 | Cisco Security has detected significant activity on June 3, 2014. | | 2014-June-04 13:52 GMT
13 | Cisco Security has detected significant activity on May 28, 2014. | | 2014-May-29 12:57 GMT
12 | Cisco Security has detected significant activity on May 27, 2014. | | 2014-May-28 12:54 GMT
11 | Cisco Security has detected significant activity on May 15, 2014. | | 2014-May-16 13:16 GMT
10 | Cisco Security has detected significant activity on May 12, 2014. | | 2014-May-13 11:42 GMT
9 | Cisco Security has detected significant activity on April 17, 2014. | | 2014-April-18 12:52 GMT
8 | Cisco Security has detected significant activity on April 2, 2014. | | 2014-April-04 13:39 GMT
7 | Cisco Security has detected significant activity on March 24, 2014. | | 2014-March-25 12:23 GMT
6 | Cisco Security has detected significant activity on March 19, 2014. | | 2014-March-21 12:27 GMT
5 | Cisco Security has detected significant activity on March 3, 2014. | | 2014-March-04 12:46 GMT
4 | Cisco Security has detected significant activity on January 9, 2014. | | 2014-January-13 14:14 GMT
3 | Cisco Security has detected significant activity on October 15, 2013. | | 2013-October-15 19:25 GMT
2 | Cisco Security has detected significant activity on September 19, 2013. | | 2013-September-20 14:10 GMT
1 | Cisco Security has detected significant activity on September 17, 2013. | | 2013-September-18 16:04 GMT

Legal Disclaimer

  • THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products