ThreatTrack Security - Malicious Spam Alerts

Salesforce Security Update Spam

Subjects Seen:

  1. October 17, 2014 SalesForce Security Update

Typical e-mail details:

Dear client,

You are receiving this notification because your Salesforce SSL certificate has expired.
In order to continue using Salesforce.com, you are required to update your digital certificate.

Download the attached certificate. Update will be automatically installed by double click.

According to our Terms and Conditions, failing to renew the SSL certificate will result in account suspension or cancelation:
salesforce.com/company/privacy/security.jsp

Thank you for using Salesforce.com

Malicious File Name and MD5:

  1. cert_update.zip (62D6A2008694D2ED0A7034C5C72AF5D4)
  2. cert_1710.scr (F3502C8E705ACADA509EFE0A1BCE25C5)

WhatsApp Spam

Subjects Seen:

  1. Voice Message Notification

Typical e-mail details:

You have a new voicemail!

Details:

Time of Call: Oct-13 2014 06:02:04
Lenth of Call: 07sec

Malicious URLs:

  1. p30medical.com/dirs.php?rec=LLGIAmEUFLipINmiPz4S0g

Malicious File Name and MD5:

  1. VoiceMail.zip (713A7D2A9930B786FE31A603CD06B196)
  2. VoiceMail.exe (2B7E9FC5A65FE6927A84A35B5FEAC062)

Australian Taxation Office Refund Spam

Subjects Seen:

  1. Australian Taxation Office - Refund Notification

Typical e-mail details:

IMPORTANT NOTIFICATION

Australian Taxation Office - 08/10/2014

After the last calculation of your fiscal activity we have determined that you are eligible to receive a refund of 2398.43 AUD.

For more details please follow the steps bellow :
- Right-click the link on the attachment name, and select Save Link As, Save Target As or a similar option provided.
- Select the location into which you want to download the file and choose Save.
- Unzip the attached file.

Ingrid Warren,
Tax Refund Department
Australian Taxation Office

Malicious File Name and MD5:

  1. ATO_TAX_419771083.zip (EBE4991F3C1C4B00E3E8662577139F3E)
  2. ATO_TAX_419771083.pdf.scr (A89CD5ACAB413D308A565B21B481A2F8)

Santander Bill Pay Spam

Subjects Seen:

  1. Info from SantanderBillpayment.co.uk

Typical e-mail details:

Thank you for using BillPay. Please keep this email for your records.

The following transaction was received on 3 October 2014 at 07:16:37.

Payment type:          VAT
Customer reference no: 1839250
Card type:            Visa Debit
Amount:                GBP 4,107.00

For more details please check attached payment slip.

Your transaction reference number for this payment is IR1839250.

Please quote this reference number in any future communication regarding this payment.

Yours sincerely,

Banking Operations

Malicious File Name and MD5:

  1. santander_bill_payment.zip (8921BC65793D3469FB229463A524E296)
  2. santander_bill_payment.pdf.exe (6C6AC38FD9BE78902E10552DBE89ECB7)

Bill.com Spam

Subjects Seen:

  1. Payment Details [Incident: 711935-599632]

Typical e-mail details:

We could not process your Full Payment Submission. The submission for reference ***/UT5236489 was successfully received and was not processed. Check attached copy (PDF Document) for more information.

Regards,

Bill.com Payment Operations

Malicious File Name and MD5:

  1. bill_com_Payment_Details_711935-599632.zip (02EE805D1EACD739BEF4697B26AAC847)
  2. bill_com_payment_details_ID0000012773616632715381235.pdf.exe (AD24CD2E14DCBF199078BDBBAE4BF0CA)

Sage Software Invoice Spam

Subjects Seen:

  1. Outdated Invoice

Typical e-mail details:

You have an outdated invoice from Sage Accounting that is ready for payment. To find out more details on this invoice, please follow the link bellow or click here to view/download your account invoice:

invoice.sage.co.uk/Account?705003=Invoice_092514.zip

If we hold any information about you which is incorrect or if there are any changes to your details please let us know by so that we can keep our records accurate and up to date. If you would like to update your records or see a copy of the information that we hold about you, you can contact us at Data Protection Officer, Sage (UK) Ltd, North Park, Newcastle-upon-Tyne, NE13 9AA or by email to digital@ sage.com. If you request a copy of your information you will need to pay a statutory fee which is currently £10.

Malicious URLs:

  1. shetabweb.com/berwkbumcj/qgbxneidva.html

Malicious File Name and MD5:

  1. Invoice_09252014.zip (161E77B39D3613FA03649A2C0F6F846D)
  2. Invoice_09252014.scr (59D9B8FA3610977B80C70F730319BF2C)

American Express Home Depot Credentials Phish

Subjects Seen:

  1. American Express - Security concern on Data breach at Home Depot

Typical e-mail details:

Dear Customer:

We are writing to you because we need to speak with you regarding a security concern on your account. The Home Depot recently reported that there was unauthorized access to payment data systems at its U.S. stores. American Express has put fraud controls in place and we continue to closely monitor the situation. Our records indicate that you recently used your American Express card on September 19, 2014.
We actively monitor accounts for fraud, and if we see unusual activity which may be fraud, our standard practice is to immediately contact our Card Members. There is no need to call us unless you see suspicious activity on your account.

To ensure the safety of your account , please log on to : americanexpress.com

    Regularly monitor your transactions online at americanexpress.com. If you notice fraudulent transactions, visit our online Inquiry and Dispute Center

    Enroll in Account Alerts that notify you via email or text messages about potentially fraudulent activities.

    Switch to Paperless Statements that are accessible online through your password-protected account.

Your prompt response regarding this matter is appreciated.

Sincerely,
American Express Identity Protection Team

Malicious URLs:

  1. amriban-axtress.com/americanexpress
  2. aserigan-express.com/americanexpress
  3. aderigan-express.com/americanexpress

USAA Insurance Card Spam

Subjects Seen:

  1. USAA Policy Renewal - Please Print Auto ID Cards

Typical e-mail details:

Dear Driver,

Thank you for allowing USAA to serve you. Your auto policy will renew June 01, 2014 for your vehicle.

Print your auto ID cards
We’ve also attached new auto insurance IDs cards to this email:

    Open the PDF* attachment.
    Print your ID cards.
    Place them in your vehicle today.

Manage your policy on usaa.com
Remember, you can go to your Account Summary page anytime to:

    View and change your policy coverages and features.
    Add vehicle or drivers to your policy.
    View and print your policy documents, including ID cards.
    File a claim in less than five minutes.
    View or calculate your savings with multi-product savings.

We value your business. Please think of USAA first for all your financial needs.

Thank you,
USAA

P.S. No matter the make, model or year of your vehicle, your opinion can help other USAA members make more informed car-buying decisions. Write a review of your vehicle now.

Malicious File Name and MD5:

  1. id_card.pdf (01F5C573D89495281151B8B80BD72EA3)

NatWest Financial Activity Spam

Subjects Seen:

  1. NatWest Statement

Typical e-mail details:

Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It’s available for you to view at this secure site. Just click to select how you would like to view your statement:

View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank

Malicious URLs:

  1. migrantessiena.it/ryvwggvnqq/iqxiwvlgbi.html
  2. merkad.dk/hobqblmdlw/iqgshqbvhy.html

Malicious File Name and MD5:

  1. Invoice102740_448129486142_pdf.zip (AB73E265DD38751BC7A93BB1553E7A17)
  2. Invoice102740_448129486142_pdf.exe (DF72B7AD1FDE2B257E422B8D1C072523)

Line Voice Message Spam

Subjects Seen:

  1. You have a voice message

Typical e-mail details:

LINE Notification

You have a voice message, listen it now.
Time: 21:12:45 14.10.2014, Duration: 45sec

Malicious URLs:

  1. iagentnetwork.com/sql.php?line=gA7EF9bA7ns68jJ0eBi8ww

Malicious File Name and MD5:

  1. LINE_Call_<phone number>.zip (7FC6D33F62942B55AD94F20BDC7A3797)
  2. LINE_Call_<phone number>.exe (C3E0F4356A77D18438A38110F8BD919E)