
Fake Invoice Spam Carries Malware

Thursday, July 24, 2008 at 8:23pm by Craig Schmugar

On July 15, we sent out a Security Advisory including Generic Downloader.ab (MTIS08-131-A). This covered a Trojan variant that was mass spammed, purporting to be a UPS invoice. Since then we’ve seen a number of subsequent mass spammings carrying new variants of Spy-Agent.bw. The email message content is similar to the original spam:

———————————-
From: “United Parcel Service”
Subject: [RE] UPS Tracking Number [number]
Body:

Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct.
Please print out the invoice copy attached and collect the package at our office

Your UPS

Attachment: UPS_INVOICE_[number].zip or invoice_[number].zip
———————————-

Over the past 24 hours we’ve seen other spam runs from “Customs Service” with the attachment “Tax_invoice.zip” as well as “Bill_Tax.zip” attachments from “US Customs Service” and “Rechnung.zip” from “WG: Lastschrift [number]”. The zip attachments contain .EXE files. In order for infection to occur users must open the attached ZIP and then choose to run the executables manually.
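The two signals described above (a carrier/customs invoice lure in the headers, and a ZIP attachment that wraps a Windows executable) are easy to check at the mail gateway before a signature for the latest variant exists. The script below is an added example written for this post, not McAfee/Avert code; it builds a constructed message that mimics the spam (the "executable" inside the ZIP is a harmless dummy stub), parses it with the Python standard library, and returns a tiered verdict. The sender/subject patterns and the tracking number are assumptions modelled on the text, not captured samples.

```python
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs directly on double-click; the post reports .EXE inside the ZIPs.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Lure themes taken from the post: UPS, customs, German "Rechnung"/"Lastschrift" runs.
LURE_SENDER_RE = re.compile(r"(united parcel service|\bups\b|customs service)", re.I)
LURE_SUBJECT_RE = re.compile(r"(tracking number|invoice|lastschrift|rechnung)", re.I)


def build_sample_message(member_name: str = "UPS_INVOICE_4452.exe") -> bytes:
    """Constructed sample mimicking the UPS spam; NOT a real capture.
    The ZIP member is a dummy byte string, not executable code."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(member_name, b"dummy-stub-not-real-code")
    msg = EmailMessage()
    msg["From"] = '"United Parcel Service" <noreply@example.invalid>'  # assumed address
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "[RE] UPS Tracking Number 4452"  # constructed number
    msg.set_content("Please print out the invoice copy attached and collect the package at our office")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="UPS_INVOICE_4452.zip")
    return msg.as_bytes()


def executable_members(zip_bytes: bytes) -> list[str]:
    """Return ZIP member names whose extension is directly executable on Windows."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        # Corrupt or non-ZIP payload: nothing to list, other checks still apply.
        return []


def scan_message(raw: bytes) -> dict:
    """Score one raw RFC 5322 message: executable-in-ZIP is decisive,
    lure headers alone only warrant human review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {
        "lure_sender": bool(LURE_SENDER_RE.search(str(msg.get("From", "")))),
        "lure_subject": bool(LURE_SUBJECT_RE.search(str(msg.get("Subject", "")))),
        "exe_in_zip": [],
        "verdict": "clean",
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            for member in executable_members(payload):
                findings["exe_in_zip"].append(f"{name}:{member}")
    if findings["exe_in_zip"]:
        findings["verdict"] = "quarantine"
    elif findings["lure_sender"] and findings["lure_subject"]:
        findings["verdict"] = "review"
    return findings


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```

The ZIP check is content-based rather than name-based, so renaming the attachment (Tax_invoice.zip, Bill_Tax.zip, Rechnung.zip) does not evade it; the header check is deliberately only a "review" tier because legitimate carrier mail matches the same words.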

Product coverage is being updated for new malware variants as necessary and a follow-up security advisory will be sent soon.

These spam runs may continue over the next few days.  Avert Labs reminds readers to practice safe computing, and never to open unexpected email attachments, or follow unexpected URLs; especially from unfamiliar senders.


Comments (6)

  • Geoff August 6, 2008 12:59AM

    I’ve been seeing these daily now, and each time McAfee has not detected it until the next day or day after. We really do need to move to a formal twice-daily DAT release so this sort of thing can be picked up.

  • Jampa Stewart July 30, 2008 12:39PM

    Today I received the following e-mail similar to the one Jeanne Ross received. It contained an attachment, supposedly with an e-ticket (which I had not ordered); of course I did not open the attachment:

    Good day,
    Thank you for using our new service “Buy flight ticket Online” on our website.
    Your account has been created:

    Your login: infoathealingtaoinstitutedotcom Your password: passC4WR

    Your credit card has been charged for $467.08.
    We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
    Attached to this message is the purchase Invoice and the flight ticket.
    To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

    Kind regards,
    Dave Holbrook
    Southwest Airlines

  • Rob July 28, 2008 8:43AM

    I agree with the amount of DATs that are released. It def needs to be done over the weekend and once a day just doesn’t cover it in this sort of scenario

    We had a couple of the UPS ones come in and it wasn’t until the next day till McAfee detected it. By then it was different ones coming in (customs I think it was)

  • Geoff July 27, 2008 5:54AM

    Yeah, McAfee have been slow to get these detections into the DATs. Doing one DAT per workday is so 1990s. McAfee needs to start pushing out two per day, 7 days a week.

  • Jeanne Ross July 25, 2008 8:06AM

    I received one of the UPS e-mails on Tuesday, and today I received a similar e-mail purporting to be from Delta Airlines. It also has a .zip attachment ( E-ticket_N7399294.zip) and says:
    Good day,
    Thank you for using our new service “Buy flight ticket Online” on our website.
    Your account has been created:

    Your login: Assistant
    Your password: passUTNH

    Your credit card has been charged for $434.62.
    We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
    Attached to this message is the purchase Invoice and the airplane ticket.
    To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

    Kind regards,
    Celeste Humphrey
    Delta Air Lines

  • User July 25, 2008 3:10AM

    AVERT were pretty slow with providing detections for these new variants. Any chance you can speed things up?