FW: Invoice #733745-2016-03 – JS malware leads to ransomware

Last revised or Updated on: 8th March, 2016, 3:32 PM

An email with the subject of FW: Invoice #733745-2016-03 [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads a Locky ransomware version. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The alleged sender matches the account manager in the body of the email. The first name of the recipient from the part before the @ in the recipient's email address …

Compensation – Reference Number #242852 – JS malware leads to Locky Ransomware

Last revised or Updated on: 8th March, 2016, 12:26 PM

An email with the subject of Compensation – Reference Number #242852 [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The name of the alleged sender matches the name of the sales manager in the body of the email.

The email looks like:
From: Lily Adams <AdamsLily33@haleandheartymovers.com>
Date: Tue 08/03/2016 12:00
Subject: Compensation …

Order 1307605 (Acknowledgement) rick.adrio@booles.co.uk – word doc macro malware leads to Dridex

Last revised or Updated on: 8th March, 2016, 9:56 AM

An email with the subject of Order 1307605 (Acknowledgement) pretending to come from rick.adrio@booles.co.uk with a malicious Word doc or Excel XLS spreadsheet attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, CryptoLocker or TeslaCrypt. They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: rick.adrio@booles.co.uk
Date: Tue 08/03/2016 09:31
Subject: Order 1307605 …

Emailing: 20121005154449756 Gary Atkinson garrardwindows.co.uk – JS malware leads to Dridex

Last revised or Updated on: 8th March, 2016, 9:44 AM

An email with the subject of Emailing: 20121005154449756 pretending to come from Gary Atkinson <Gary@garrardwindows.co.uk> with a zip attachment is another one from the current bot runs which downloads the Dridex banking Trojan. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Gary Atkinson <Gary@garrardwindows.co.uk>
Date: Tue 08/03/2016 09:00
Subject: Emailing: 20121005154449756
Attachment:
Body content: Please find attached document as requested.
Screenshot: NONE

These malicious attachments normally have a password stealing component, with …

Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 Yorkshire Water – JS malware leads to Dridex

Last revised or Updated on: 8th March, 2016, 9:45 AM

An email with the subject of Pay_Advice_Vendor_0000300320_1000_for_03.03.2016 pretending to come from Accounts Payable <vendoramendments@yorkshirewater.co.uk> with a zip attachment is another one from the current bot runs which downloads the Dridex banking Trojan. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Accounts Payable <vendoramendments@yorkshirewater.co.uk>
Date: Tue 08/03/2016 08:25
Subject: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016
Attachment: Pay_Advice_Vendor_0000300320_1000_for_03.03.2016.PDF.ZIP
Body content:
—————————————–
Spotted a leak? If you spot a leak please report it immediately. Call us on 0800 57 3553 or go …

Emailing – IMG_0015.pdf Robert Symon jumboselfstorage.co.uk – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 5:24 PM

An email with the subject of Emailing – IMG_0015.pdf pretending to come from Robert Symon <robert@jumboselfstorage.co.uk> with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Robert Symon <robert@jumboselfstorage.co.uk>
Date: Mon 07/03/2016 14:02
Subject: Emailing – IMG_0015.pdf
Attachment: IMG_0015.pdf.zip
Body content: Totally empty
Screenshot: None

These malicious attachments normally have a password stealing component, with the aim of …

E-Service (Europe) Ltd Invoice No: 10013405 – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 1:17 PM

An email with the subject of E-Service (Europe) Ltd Invoice No: 10013405 [random numbered] pretending to come from Andrew Williams <andrew.williams@eurocoin.co.uk> with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Andrew Williams <andrew.williams@eurocoin.co.uk>
Date: Mon 07/03/2016 11:39
Subject: E-Service (Europe) Ltd Invoice No: 10013405 (random numbers)
Attachment: Invoice 10013405.zip
Body content: Dear Customer, Please find …

Shipping Information – Your Order #991-8260 – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 12:59 PM

An email with the subject of Shipping Information – Your Order #991-8260 [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The alleged sender matches the name of the project manager or courier service in the body of the email.

The email looks like:
From: Rodrigo Sweet <SweetRodrigo882@richardbienvenu.com>
Date: Mon …

Your latest DHL invoice : HSC4387902 – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 11:23 AM

An email with the subject of Your latest DHL invoice : HSC4387902 [random numbered] pretending to come from e-billing@dhl.com with a zip attachment is another one from the current bot runs which downloads Locky ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: e-billing@dhl.com
Date: Mon 07/03/2016 10:53
Subject: Your latest DHL invoice : HSC4387902
Attachment: HSC4387902.zip
Body content: THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY Dear Customer, Please find attached …

payment proof SunBeverages – JS malware leads to Locky Ransomware

Last revised or Updated on: 7th March, 2016, 11:00 AM

An email with the subject of payment proof pretending to come from SunBeverages <Info@sunbeverages.eu> with a zip attachment is another one from the current bot runs which try to download various Trojans and password stealers, especially banking Trojans like Dridex or Dyreza and ransomware like Locky, CryptoLocker or TeslaCrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: SunBeverages <Info@sunbeverages.eu>
Date: Mon 07/03/2016 09:42
Subject: payment proof
Attachment: 169990489_0492729.zip (random numbers)
Body content: Please …