Recent Email Threats

We have seen several recent spam attacks that included compromised .doc attachments. Our Barracuda mail filter is constantly updating our virus definitions and creating new signatures to combat these attacks, but emails do occasionally make their way through the filter. Please be vigilant and do not open suspicious-looking emails that you are not expecting. Should you see either of the examples below, DO NOT open the attachment; delete the email immediately. If you suspect that a PC has been compromised by this attack, immediately disconnect it from your network and run an anti-virus or anti-spyware utility (e.g., Trend Micro, Symantec, McAfee). Using a known safe PC, log in to all online accounts you suspect may be compromised and change the passwords.

Email:

2/17/15

A fake LogMeIn virus spam email claims you purchased a yearly plan, your credit card has been charged, and the receipt is attached.

The attached .doc file has a malicious macro that downloads malware.

Email Subject: Your LogMeIn Pro payment has been processed!  

Email Content:

Dear client,
Thank you for purchasing our yearly plan for LogMeIn Pro on 25 computers.
Your credit card has been successfully charged.
Date : 17/2/2015
Amount : $999 ( you saved $749.75)
The transaction details can be found in the attached receipt.
Your computers will be automatically upgraded the next time you sign in.
Thank you for choosing LogMeIn!

 

Attachment: logmein_pro_receipt.doc

If you try to open the attachment, it will ask you to enable macros (if they are not already enabled). If macros are enabled, it will download an install.exe containing malware.

 

Payload: The attachment is a Microsoft Word document (MD5 = cf9443e43b990077a3862aa4f9337fb2) containing macros that download the “Chanitor” downloader (MD5 = dc7740f2ac76b8c5dccf686ad5fd0c05), which in turn downloads the Gozi/NeverQuest/Vawtrak malware (MD5 = 9b7f7921f8c089016c86628112ff1618).

 

 

Email:

2/16/15

A fake Salesforce virus spam email claims you purchased a yearly plan, your credit card has been charged, and the receipt is attached.

The attached .doc file has a malicious macro that downloads malware.

Purported Sender: no-reply@salesforce.com

Spoofed Origin Email: no-reply@salesforce.com

Email Subject: Payment confirmation – credit card charged

Email Content:

Dear user,
Thank you for purchasing Salesforce Performance Plus plan.
This message is a confirmation that your credit card has been charged.
Service: Salesforce Performance Plus
Date: 16/2/2015
Amount: 1600 USD
Transaction # 7891048
For more information regarding this payment, please check the attached merchant receipt.
Note: This payment will appear on your statement as “SalesForce AUTH #7891048”
Thank you.

Attachment:

If you try to open the attachment, it will ask you to enable macros (if they are not already enabled). If macros are enabled, it will download an install.exe containing malware.
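
The following Python example is added here and is not part of the original advisory. It checks a raw message for the indicators described above: the two subject lines, the MD5 values from the Payload paragraph, and a legacy Word attachment that carries a macro project. The function names, the `_VBA_PROJECT` byte-marker heuristic and the sample message are assumptions made for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# MD5 values quoted in the Payload paragraph of this advisory.
ADVISORY_MD5 = {
    "cf9443e43b990077a3862aa4f9337fb2": "Word document with macros",
    "dc7740f2ac76b8c5dccf686ad5fd0c05": "Chanitor downloader",
    "9b7f7921f8c089016c86628112ff1618": "Gozi/NeverQuest/Vawtrak",
}
# Lower-cased fragments of the two subject lines shown in this advisory.
ADVISORY_SUBJECTS = (
    "your logmein pro payment has been processed",
    "payment confirmation",
)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of a legacy .doc container
# Assumption: a macro project shows up as this UTF-16 stream name (heuristic only).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def triage(raw_message: bytes, known_md5=ADVISORY_MD5) -> list[str]:
    """Return the reasons a message resembles the emails described above."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").lower()
    if any(fragment in subject for fragment in ADVISORY_SUBJECTS):
        reasons.append("subject matches advisory")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        digest = hashlib.md5(data).hexdigest()
        if digest in known_md5:
            reasons.append(f"{name}: MD5 matches {known_md5[digest]}")
        if data.startswith(OLE_MAGIC) and VBA_MARKER in data:
            reasons.append(f"{name}: Word document contains a macro project")
    return reasons


def constructed_sample() -> bytes:
    """Constructed message; the attachment is inert filler, not a real document."""
    msg = EmailMessage()
    msg["Subject"] = "Your LogMeIn Pro payment has been processed!"
    msg.set_content("The transaction details can be found in the attached receipt.")
    filler = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    msg.add_attachment(filler, maintype="application", subtype="msword",
                       filename="logmein_pro_receipt.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    print("\n".join(triage(constructed_sample())))
```

A subject match alone is only a hint; a macro-project hit or an MD5 match on an attachment is the stronger reason to quarantine the message.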