Sophos Cloud Optix
Cybercriminals have widely spammed out a malware campaign today, posing as a confirmation email about a wire transfer.
A typical email looks like this:
Subject: Fwd: Re: Wire Transfer Confirmation
Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-[random number]
CURRENT STATUS: REJECTEDYou can find details in the attached file. (Microsoft Word format)
The precise subject line used by the emails can vary, as the below snapshot demonstrates:
Attached to the emails is a file called Transaction_N48823.zip (obviously the spammers could change this filename at any time) which contains an executable file.
Sophos is adding detection of the ZIP file as Troj/BredoZp-KQ and the Trojan horse contained within as Troj/Bredo-ZT. Users of Sophos’s anti-spam solutions were already protected.
Interestingly, in the example above, the malicious email claims to have come from Habbo Hotel – a virtual community which has had its fair share of bad headlines recently.
Other email addresses in the current “wire transfer” malware campaign claim to come from LinkedIn (just after the exposure of their embarrassing password security), UPS and other seemingly random addresses.
Which makes me wonder – are the spammers just having a laugh at our expense?
The fact is that if you’re reading sites like Naked Security, and keeping informed of the latest threats and tricks used by cybercriminals, you are quite unlikely to be duped by a malware attack like this one.
But there are plenty of other, less security-savvy, people out there. Make it your goal today to get one of the “not-we” clued up about security. Introduce them to Naked Security, and suggest that they get a clue.
You could be doing someone a favour that will make all of us that little bit safer.
Money transfer image courtesy of Shutterstock.
Graham,
Can you tell us what vulnerabilities it exploits? It doesn't say on the Sophos reference page for Troj/Bredo-ZT. Want to see if we're protected from a patch management standpoint…
I don’t believe it’s exploiting any vulnerabilities. Other than the bug in people’s brain that tricks them into clicking on unsolicited attachments..
Good luck patching that one.
"You may not be the kind of fellow who would fool for the attack…"
Seriously? Typo ("fool") aside, way to assume all your readers are male.
I accept the mistake about "fool"/"fall".. sorry. My fault. Now fixed. Thanks for pointing it out.
Even though I would be prepared to argue as to whether "fellow" is male-only (see http://oxforddictionaries.com/definition/fellow), I've changed it to person to avoid any ambiguity. 🙂
Graham,
Im just curious – since the "from" domain is almost certainly spoofed, why not post the real IP addresses of the bad/compromised mail servers where these emails are actually coming from?
At least we could proactively block the incoming mail by IP while we wait for other antispam vendors to add detection for this…
Michael
I just received an email w/attachment from "ups-services@ups.com". This address ALMOST fooled me, but the attachment was my first red flag, then after looking back at it just now, I noticed "Fwd"–which I hadn't caught before. The subject line is "Fwd: Wire Transfer (91824MR358)". I have no current dealings with UPS, other than receiving shipments, from vendors primarily. It is still sitting in my spam folder, and I intend to delete it without looking after reading this thread. Thanks!