This spam email contains an encrypted ZIP file with password-protected malware.
Date: Mon, 3 Jun 2013 14:11:14 -0500 [15:11:14 EDT]
From: Fiserv Secure Notification [[email protected]]
Subject: Fiserv Secure Email Notification – IZCO4O4VUHV83W1
You have received a secure message
Read your secure message by opening the attachment, SecureMessage_IZCO4O4VUHV83W1.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password – Iu1JsoKaQ
To read the encrypted message, complete the following steps:
– Double-click the encrypted message file attachment to download the file to your computer.
– Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
– The message is password-protected, enter your password to open it.
To access from a mobile device, forward this message to [email protected] to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.840.0668.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.
Of course, it would be supremely pointless to password-protect a document and then include the password in the email! The file has been password-protected in an attempt to thwart anti-virus software. In this case, the password for the file SecureMessage_IZCO4O4VUHV83W1.zip is Iu1JsoKaQ, which in turn leads to a file called SecureMessage_06032013.exe (note the date included in that filename).
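A defender-side check for exactly this pattern, added here as an example and not code from the original post: it parses an .eml, lists the members of any attached ZIP without needing the password (member names are not encrypted under ZipCrypto, only the contents), flags the encryption bit plus an executable inside, and scrapes password candidates from the message body. The sample message is constructed inline; the regex and the executable extension list are assumptions.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Assumed list of executable types that have no business inside a "secure message" archive.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs")
# Assumed pattern: the lure prints the archive password in clear text in the body.
PASSWORD_RE = re.compile(r"password\W+?(\S{6,})", re.IGNORECASE)

def analyse_message(raw_bytes):
    """Inspect every ZIP attachment; no password is needed to read member names."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    text = msg.get_body(preferencelist=("plain",))
    passwords = PASSWORD_RE.findall(text.get_content() if text else "")
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            continue
        for info in zf.infolist():
            # Bit 0 of the general-purpose flag marks an encrypted member; the
            # member name itself is stored in clear, so the inner .exe stays visible.
            findings.append({"attachment": name, "member": info.filename,
                             "encrypted": bool(info.flag_bits & 0x1),
                             "executable": info.filename.lower().endswith(EXEC_EXTS),
                             "passwords_in_body": passwords})
    return findings

def is_suspicious(f):
    return f["encrypted"] and f["executable"] and bool(f["passwords_in_body"])

def build_sample():
    """Constructed test message mirroring the lure; not the real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureMessage_06032013.exe", b"MZ placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    # zipfile cannot write ZipCrypto; set the encryption flag bit (offset 8 of the
    # central directory header) so the entry reads as password-protected.
    data[data.find(b"PK\x01\x02") + 8] |= 0x1
    msg = EmailMessage()
    msg.set_content("Read your secure message by opening the attachment.\n"
                    "To decrypt the message use the following password - Iu1JsoKaQ\n")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="SecureMessage_IZCO4O4VUHV83W1.zip")
    return msg.as_bytes()
```

Running `analyse_message(build_sample())` yields one finding with the encryption bit set, an .exe member and the body password, which `is_suspicious` flags; a gateway rule on this combination catches the lure regardless of AV signature coverage.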
At the moment the VirusTotal detection rate is a so-so 16/47. The ThreatTrack analysis identifies some locations that the malware phones home to; for the record, those IPs belong to:
18.104.22.168 (ThePlanet, US)
22.214.171.124 (Hanaro Telecom, Korea)
126.96.36.199 (Telmex, Colombia)
188.8.131.52 (Ouverture Service, Italy)
184.108.40.206 (Register.com, US)