The Latest in IT Security

“Fiserv Secure Email Notification” spam

16
Apr
2013

This spam has an encrypted ZIP file attached that contains malware. The passwords and filenames will vary.


From: Fiserv Secure Notification [mailto:[email protected]]
Sent: Tue 16/04/2013 14:02
Subject: [WARNING : MESSAGE ENCRYPTED] Fiserv Secure Email Notification – CC3DK9WJW8IG0F5


You have received a secure message

Read your secure message by opening the attachment, Case_CC3DK9WJW8IG0F5.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password –  KsUs3Z921mA

To read the encrypted message, complete the following steps:

 –  Double-click the encrypted message file attachment to download the file to your computer.
 –  Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.
 –  The message is password-protected, enter your password to open it.

To access from a mobile device, forward this message to [email protected] to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.979.7673.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

In the case of the sample I have seen, there is an attachment Case_CC3DK9WJW8IG0F5.zip which unzips using the supplied password to Case_Fiserv_04162013.exe (note the date is encoded into the filename).

At the time of writing, VirusTotal results are just 5/46. The Comodo CAMAS report is here, the ThreatExpert report here and the ThreatTrack sandbox report can be downloaded from here (this is the most detailed one). This seems to be a Zbot variant.


The bad IPs involved are:
50.116.15.209 (Linode, US)
62.103.27.242 (OTEnet, Greece)
78.139.187.6 (Caucasus Online Ltd, Georgia)
87.106.3.129 (1&1, Germany)
108.94.154.77 (AT&T, US)
117.212.83.248 (BSNL Internet, India)
120.61.212.73 (MTNL, India)
122.165.219.71 (ABTS Tamilnadu, India)
123.237.187.126 (Reliance Communications, India)
176.73.145.22 (Caucasus Online Ltd, Georgia)
186.134.148.36 (Telefonica de Argentina, Argentina)
190.39.197.150 (CANTV Servicios, Venezuela)
195.77.194.130 (Telefonica, Spain)
199.59.157.124 (Kyvon, US)
201.211.224.46 (CANTV Servicios, Venezuela)
212.58.4.13 (Doruknet, Turkey)

Recommended blocklist:
korbi.va-techniker.de
mail.yaklasim.com
phdsurvey.org
vbzmiami.com
user1557864.sites.myregisteredsite.com
50.116.15.209
62.103.27.242
78.139.187.6
87.106.3.129
108.94.154.77
117.212.83.248
120.61.212.73
122.165.219.71
123.237.187.126
176.73.145.22
186.134.148.36
190.39.197.150
195.77.194.130
199.59.157.124
201.211.224.46
212.58.4.13

Related posts:
  1. SendSecure Support spam: “You have received a secure message from Bank Of America”
  2. UPS Invoice Notification spam campagin
  3. IRS Notification Letter Email scam
  4. DHL malware spam / secure.dhldispatches.com
  5. Zbot Trojan spreads through fake ConEdison billing notification email

Tags:  
Written by Dynamoo's Blog
0 Comments

Leave a reply


Categories

FRIDAY, APRIL 19, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments