Beware! Malicious Europcar invoice emails spread Trojan horse attack


SophosLabs has intercepted many emails today, attempting to infect Windows computers via an email purporting to be an invoice from a car rental company.

The emails, which pretend to come from Europcar, have a ZIP file attached which contains a malicious payload.

Malicious Europcar email

Subject: Europcar Invoice [random number]
Attached file: EuropCar Invoice.zip

Message body:
Please find your Invoice attached.
This is an automated message, please do not reply to this email.
Should you require further information, please contact Europcar UK Customer Services by emailing to CustomerServicesUK@europcar.com <mailto:CustomerServicesUK@europcar.com>.
Best Regards,
Europcar UK Ltd
Car hire with great rental deals, holiday offers, and discount UK car rentals.
Europcar UK make car hire quick and easy.
For latest offers and promotions please visit us at: http://www.europcar.co.uk

Sophos products are detecting the attached file, "EuropCar Invoice.zip", as Troj/Invo-Zip.

Of course, the emails don't really come from Europcar - the cybercriminals behind the attack have simply forged the sender's email address.

Of course, even if you haven't hired a rental car you might still be concerned that your credit card might have been stung, and open the ZIP file without thinking of the possible consequences.

Once your computer is infected, remote hackers can take control of it - potentially using it to spam out other attacks or to steal information from you.

Make sure that your anti-virus defences are up-to-date and always be suspicious of unsolicited emails that try to lure you into opening attachments. It could be a ploy by a hacker to hijack your computer.
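
As an added example (not from the original article or from Sophos), here is a mail-gateway style check for the lure described above: it flags the quoted subject format and quarantines any message whose ZIP attachment holds a directly runnable file. The numeric subject pattern, the extension list, the `inspect_message` and `build_sample` names and the sample messages are assumptions constructed for illustration.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Subject format quoted in the article; "\d+" for the random number is an assumption.
SUBJECT_RE = re.compile(r"^\s*Europcar Invoice\s+\d+\s*$", re.IGNORECASE)
# Assumption: extensions a gateway would treat as directly runnable on Windows.
RISKY_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def inspect_message(raw: bytes) -> dict:
    """Collect the reasons a message resembles the lure and decide on quarantine."""
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    if SUBJECT_RE.match(msg["Subject"] or ""):
        reasons.append("subject matches 'Europcar Invoice <number>'")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        reasons.append(f"zip attachment: {name}")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for info in zf.infolist():
                    # endswith() also catches double extensions such as .pdf.exe
                    if info.filename.lower().endswith(RISKY_EXT):
                        reasons.append(f"executable inside zip: {info.filename}")
        except zipfile.BadZipFile:
            reasons.append(f"unreadable zip: {name}")
    hard = [r for r in reasons if r.startswith(("executable", "unreadable"))]
    return {"quarantine": bool(hard), "reasons": reasons}

def build_sample(subject: str, zip_members: list) -> bytes:
    """Constructed test message; the zip members hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in zip_members:
            zf.writestr(member, b"placeholder")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = subject
    msg.set_content("Please find your Invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="EuropCar Invoice.zip")
    return msg.as_bytes()
```

The subject and attachment name are recorded as signals only; the quarantine decision rests on what is inside the archive, so a renamed lure with the same kind of payload is still caught.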

Car rental image from Shutterstock.


4 Responses to Beware! Malicious Europcar invoice emails spread Trojan horse attack

  1. Stampy · 608 days ago

    Invoices always come as in-line HTML and very occasionally as a PDF.
    ... when was the LAST time you saw any "genuine" (commercial) email correspondence containing a zip file? (1980s?)
    Probably wise to exclude ZIP as well as .EXE .COM and all the other virus carriers from your email by filter. If it's EXTERNAL email and contains a zip, it's bad. End Of.
    If you are a geek getting ZIPs scoop it out of your SPAM folder.
    One often wonders how some folks have managed to survive for so long yet be so stupid. You would have thought Darwinism ie road traffic & large busses would have caught up with them by now, and freed up their unwanted Genes from the Gene Pool
    If you spammed out a test trojan labeled "Harmful Virus! Do NOT open this attachment" I wonder how many would actually run it? Sadly I suspect a large number.
    "Give a man a fish, he eats for a day. Give a man a boat and fishing rod, he can sit out on the lake drinking beer all day!" ;-)

  2. Luke · 608 days ago

    Good job getting this post up so quickly, we picked this up getting past our filters so thanks for confirming the threat. I've spoken with Europcar and they have confirmed they are aware of the e-mail and are investigating.

  3. Graham · 607 days ago

    Stampy

    That's the sort of unhelpful pompous bilge that doesn't help anyone. You're so clever and we're all so dumb.

    I've worked in IT for 12 years. Picked up a Europcar Hire car yesterday. Fired up my email when I got to the office and saw this email. Clicked on it without giving it a thought and got infected. My AVG Virus Guard is always up to date and it didn't stop this virus. It detected the virus this morning though when I booted up. Said it required a reboot which I did and it didn't manage to boot back up even in safe mode.

    Thought I had a brick and would have to rebuild, but it eventually booted with the Last Known Configuration. Now backing up all my data and running another virus scan.

  4. Steve H · 607 days ago

    A couple of users opened the attachment. Caught the machines in our Pix logs going to:

    65.55.185.26:80
    178.208.85.217:80 (v61135.vps.mchost.ru)
    87.255.51.229:80 (this-domain-is-sinkholed-by.abuse.ch)


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.