Watch out! Widespread wire transfer confirmation emails carry malware

Filed Under: Featured, Malware, Spam

Cybercriminals have widely spammed out a malware campaign today, posing as a confirmation email about a wire transfer.

A typical email looks like this:

Email malware

Subject: Fwd: Re: Wire Transfer Confirmation

Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-[random number]

You can find details in the attached file. (Microsoft Word format)

The precise subject line used by the emails can vary, as the below snapshot demonstrates:

Malware subject lines

Attached to the emails is a file called (obviously the spammers could change this filename at any time) which contains an executable file.

Sophos is adding detection of the ZIP file as Troj/BredoZp-KQ and the Trojan horse contained within as Troj/Bredo-ZT. Users of Sophos's anti-spam solutions were already protected.

Money transfer. Image from ShutterstockInterestingly, in the example above, the malicious email claims to have come from Habbo Hotel - a virtual community which has had its fair share of bad headlines recently.

Other email addresses in the current "wire transfer" malware campaign claim to come from LinkedIn (just after the exposure of their embarrassing password security), UPS and other seemingly random addresses.

Which makes me wonder - are the spammers just having a laugh at our expense?

The fact is that if you're reading sites like Naked Security, and keeping informed of the latest threats and tricks used by cybercriminals, you are quite unlikely to be duped by a malware attack like this one.

But there are plenty of other, less security-savvy, people out there. Make it your goal today to get one of the "not-we" clued up about security. Introduce them to Naked Security, and suggest that they get a clue.

You could be doing someone a favour that will make all of us that little bit safer.

Money transfer image courtesy of Shutterstock.

, ,

You might like

6 Responses to Watch out! Widespread wire transfer confirmation emails carry malware

  1. Bill · 1158 days ago

    Can you tell us what vulnerabilities it exploits? It doesn't say on the Sophos reference page for Troj/Bredo-ZT. Want to see if we're protected from a patch management standpoint...

    • I don't believe it's exploiting any vulnerabilities. Other than the bug in people's brain that tricks them into clicking on unsolicited attachments..

      Good luck patching that one.

  2. A female reader · 1158 days ago

    "You may not be the kind of fellow who would fool for the attack..."

    Seriously? Typo ("fool") aside, way to assume all your readers are male.

  3. Michael Natale · 1158 days ago


    Im just curious - since the "from" domain is almost certainly spoofed, why not post the real IP addresses of the bad/compromised mail servers where these emails are actually coming from?

    At least we could proactively block the incoming mail by IP while we wait for other antispam vendors to add detection for this...


  4. Laura · 1107 days ago

    I just received an email w/attachment from "". This address ALMOST fooled me, but the attachment was my first red flag, then after looking back at it just now, I noticed "Fwd"--which I hadn't caught before. The subject line is "Fwd: Wire Transfer (91824MR358)". I have no current dealings with UPS, other than receiving shipments, from vendors primarily. It is still sitting in my spam folder, and I intend to delete it without looking after reading this thread. Thanks!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley