Fake Invoice Spam Carries Malware
Thursday July 24, 2008 at 8:23 pm CST
Posted by Craig Schmugar
On July 15, we sent out a Security Advisory including Generic Downloader.ab (MTIS08-131-A). This covered a Trojan variant that was mass spammed, purporting to be a UPS invoice. Since then we’ve seen a number of subsequent mass spammings carrying new variants of Spy-Agent.bw. The email message content is similar to the original spam:
———————————-
From: “United Parcel Service”
Subject: [RE] UPS Tracking Number [number]
Body:
Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office
Your UPS
Attachment: UPS_INVOICE_[number].zip or invoice_[number].zip
———————————-
Over the past 24 hours we’ve seen other spam runs from “Customs Service” with the attachment “Tax_invoice.zip”, as well as “Bill_Tax.zip” attachments from “US Customs Service” and “Rechnung.zip” from “WG: Lastschrift [number]”. The zip attachments contain .EXE files. In order for infection to occur, users must open the attached ZIP and then choose to run the executable manually.
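The indicators above (a ZIP lure with an invoice-style name and subject, carrying a Windows executable) are easy to check for at a mail gateway before a user ever sees the attachment. The following is an added example written for this post, not code from Avert Labs or McAfee: it parses a message, matches the subject and attachment names against the patterns described above, and opens any ZIP attachment to look for executable members. The sample messages, sender addresses and the placeholder bytes standing in for the .EXE are all constructed for the demo; the extension list and the regular expressions are assumptions you would tune to your own environment.

```python
"""Gateway-style check for the fake-invoice ZIP lure described in the post.
Added example, not the post's or McAfee's code. All messages below are
constructed; the 'executable' inside the ZIP is harmless placeholder bytes."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as executable when found inside a ZIP (assumption: extend as needed)
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Attachment-name patterns taken from the campaign description in the post
LURE_NAME_RE = re.compile(
    r"^(ups_invoice_\d+|invoice_\d+|tax_invoice|bill_tax|rechnung|e-ticket_[a-z0-9]+)\.zip$",
    re.IGNORECASE,
)
# Subject fragments seen in the campaign (assumption: tune to your own mail flow)
LURE_SUBJECT_RE = re.compile(r"(UPS Tracking Number|Lastschrift|invoice)", re.IGNORECASE)


def zip_executables(data: bytes) -> list:
    """Return the names of executable members inside a ZIP blob (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report campaign indicators.

    Returns {'suspicious': bool, 'reasons': [...]} so a gateway can quarantine
    on the verdict and log the reasons for the analyst."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = msg.get("Subject", "")
    if LURE_SUBJECT_RE.search(subject):
        reasons.append(f"subject matches lure pattern: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE_NAME_RE.match(name):
            reasons.append(f"attachment name matches lure pattern: {name}")
        if name.lower().endswith(".zip"):
            exes = zip_executables(part.get_payload(decode=True))
            if exes:
                reasons.append(f"ZIP {name} contains executable(s): {exes}")
    # An executable inside a ZIP is enough on its own; name or subject matches alone are weaker
    strong = any("contains executable" in r for r in reasons)
    return {"suspicious": strong or len(reasons) >= 2, "reasons": reasons}


def build_sample(subject: str, zip_name: str, member: str, sender: str) -> bytes:
    """Construct a demo message with an in-memory ZIP attachment (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please print out the invoice copy attached and collect the package at our office")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return bytes(msg)


# Constructed samples: the UPS lure shape from the post, and a benign ZIP of documents
UPS_LURE = build_sample("[RE] UPS Tracking Number 1Z999", "UPS_INVOICE_4471.zip",
                        "UPS_INVOICE_4471.exe", '"United Parcel Service" <noreply@example.invalid>')
BENIGN = build_sample("Q2 report", "report.zip", "report.pdf", "colleague@example.invalid")

if __name__ == "__main__":
    for label, raw in (("ups_lure", UPS_LURE), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The verdict deliberately weights the ZIP-contains-executable finding above the name and subject matches: campaign names rotate daily (UPS, Customs, Rechnung, e-ticket within two weeks here), but the executable-in-archive shape stayed constant, so it is the indicator worth enforcing as a policy rather than a signature.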
Product coverage is being updated for new malware variants as necessary and a follow-up security advisory will be sent soon.
These spam runs may continue over the next few days. Avert Labs reminds readers to practice safe computing: never open unexpected email attachments or follow unexpected URLs, especially from unfamiliar senders.

July 25th, 2008 at 03:10
AVERT were pretty slow with providing detections for these new variants. Any chance you can speed things up?
July 25th, 2008 at 08:06
I received one of the UPS e-mails on Tuesday, and today I received a similar e-mail purporting to be from Delta Airlines. It also has a .zip attachment (E-ticket_N7399294.zip) and says:
Good day,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:
Your login: Assistant
Your password: passUTNH
Your credit card has been charged for $434.62.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Celeste Humphrey
Delta Air Lines
July 25th, 2008 at 10:05
[...] Last night we blogged about fake invoice spam carrying malware. Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving [...]
July 27th, 2008 at 05:54
Yeah, McAfee have been slow to get these detections into the DATs. Doing one DAT per workday is so 1990s. McAfee needs to start pushing out two per day, 7 days a week.
July 28th, 2008 at 08:43
I agree with the amount of DATs that are released. It def needs to be done over the weekend, and once a day just doesn’t cover it in this sort of scenario.
We had a couple of the UPS ones come in and it wasn’t until the next day till McAfee detected it. By then it was different ones coming in (customs I think it was)
July 30th, 2008 at 12:39
Today I received the following e-mail similar to the one Jeanne Ross received. It contained an attachment, supposedly with an e-ticket (which I had not ordered); of course I did not open the attachment:
Good day,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:
Your login: info@healingtaoinstitute.com
Your password: passC4WR
Your credit card has been charged for $467.08.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
Kind regards,
Dave Holbrook
Southwest Airlines
August 6th, 2008 at 00:59
I’ve been seeing these daily now, and each time McAfee has not detected it until the next day or day after. We really do need to move to a formal twice-daily DAT release so this sort of thing can be picked up.