The Latest in IT Security

“Fiserv Secure Email Notification” spam


This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.

From: Fiserv Secure Notification [mailto:[email protected]]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification – CC3DK9WJW8IG0F5

You have received a secure message

Read your secure message by opening the attachment,

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password –  KsUs3Z921mA

To read the encrypted message, complete the following steps:

 –  Double-click the encrypted message file attachment to download the file to your computer.
 –  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 –  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to [email protected] to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

In the case of the sample I have seen, there is an attachment which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).

At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.

The bad IPs involved are: (Linode, US) (OTEnet, Greece) (Caucasus Online Ltd, Georgia) (1&1, Germany) (AT&T, US) (BSNL Internet, India) (MTNL, India) (ABTS Tamilnadu, India) (Reliance Communications, India) (Caucasus Online Ltd, Georgia) (Telefonica de Argentina, Argentina) (CANTV Servicios, Venezuela) (Telefonica, Spain) (Kyvon, US) (CANTV Servicios, Venezuela) (Doruknet, Turkey)

Recommended blocklist:

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments