Attached document(s) Afifa Shohab – JS malware

Last revised or Updated on: 24th March, 2016, 1:45 PM

An empty blank email with the subject of Attached document(s) pretending to come from Afifa Shohab <afifashohab4650@gmail.com> with a zip attachment is another one from the current bot runs which downloads They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Afifa Shohab has not been hacked or had his or her email or other servers compromised. He or She is not sending the emails to you. He or She is just an innocent victim in exactly the same way as every recipient of …

Monica Schiavone Fattura N.: 6284053/F del 23/03/2016 – JS malware

Last revised or Updated on: 24th March, 2016, 12:34 PM

An Italian language email with the subject of Fattura N.: 6284053/F del 23/03/2016 [random numbered] pretending to come from Monica Schiavone <monica@formaefunzione.com> with a zip attachment is another one from the current bot runs which downloads They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. Monica Schiavone monica@formaefunzione.com has not been hacked or had her email or other servers compromised. She is not sending the emails to you. She is just an innocent victim in exactly the same way as every recipient of …

Contract ID 95669 has been terminated – JS malware leads to Teslacrypt

Last revised or Updated on: 23rd March, 2016, 2:18 PM

An email with the subject of Contract ID 95669 has been terminated [random numbered] pretending to come from random names and senders with a zip attachment is another one from the current bot runs which downloads Teslacrypt ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: Random names and email addresses
Date: Wed 23/03/2016 13:07
Subject: Contract ID 95669 has been terminated
Attachment: confirm_87844607.zip
Body content: Dear Customer, We …

FW: Order RF#535656 – js malware leading to Locky ransomware

Last revised or Updated on: 22nd March, 2016, 8:41 PM

An email with the subject of FW: Order RF#535656 [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The name of the alleged sender (who isn’t sending them) matches the name in the body of the email. The attachment name is created by using part of the recipients …

Voicemail from 07730881627 00:00:24 SureVoIP – JS malware leads to #Locky ransomware

Last revised or Updated on: 22nd March, 2016, 8:18 PM

An email with the subject of Voicemail from 07730881627 <07730881627> 00:00:24 pretending to come from SureVoIP <voicemailandfax@surevoip.com> with a zip attachment is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: SureVoIP <voicemailandfax@surevoip.com>
Date:
Subject: Voicemail from 07730881627 <07730881627> 00:00:24
Attachment:
Body content: Message From “07730881627” 07730881627 Created: Tue, 22 Mar 2016 23:00:09 +0300 Duration: 00:00:24 Account: 9995@123carfinance.hosted.surevoip.com

These malicious …

Message from KMBT_C224 pretending to come from copier at your own domain – JS malware leads to Locky ransomware

Last revised or Updated on: 22nd March, 2016, 6:32 PM

An empty / blank email with the subject of Message from KMBT_C224 pretending to come from copier at your own domain with a zip attachment is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: copier@victimdomain.tld
Date: Tue 22/03/2016 18:07
Subject: Message from KMBT_C224
Attachment: SKMBT_C4335050508359.zip
Body content: totally blank

These malicious attachments normally have a password stealing component, with …

You are being accused with bodily injury (Case: 02172723) – JS malware leads to #ransomware

Last revised or Updated on: 22nd March, 2016, 2:24 PM

An email with the subject of You are being accused with bodily injury (Case: 02172723) [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads what looks like Teslacrypt ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: random names & email addresses
Date: Tue 22/03/2016 12:19
Subject: You are being accused with bodily injury (Case: 02172723)
Attachment: …

random statements from random senders – JS malware leads to Locky Ransomware

Last revised or Updated on: 22nd March, 2016, 10:29 AM

An email with the subject of FW: Statement S#327763 [random numbered] pretending to come from random names and email addresses with a zip attachment is another one from the current bot runs which downloads Locky Ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. The name of the alleged sender (who isn’t sending them) matches the name in the body of the email. The attachment name is created by using part of the recipients …

credit note from random companies – JS malware leads to ransomware

Last revised or Updated on: 22nd March, 2016, 7:20 AM

An email with the subject of Credit Note CN-73290 from On Semiconductor Corp for [redacted] (0312) pretending to come from Accounts <message-service@post.xero.com> with a zip attachment is another one from the current bot runs which downloads some sort of ransomware. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers. These don’t look like either Locky or Teslacrypt ransomware so it appears that another gang of bad actors are using the same email templates as the 2 prolific malspammers …

Your account ID:98938 has been suspended. – JS malware leads to teslacrypt

Last revised or Updated on: 21st March, 2016, 5:45 PM

An email with the subject of Your account ID:98938 has been suspended. [random numbered] coming from random names and email addresses with a zip attachment is another one from the current bot runs which downloads teslacrypt. They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

The email looks like:
From: random email addresses
Date: Beatriz gepp <geppBeatriz957@jjdior.com>
Subject: Your account ID:98938 has been suspended.
Attachment: warning_letter_34692556.zip
Body content: Your bank account associated with the ID:98938 has been …