
SANS ISC: Malware emails with fake cellphone invoice - Internet Security | DShield SANS ISC InfoSec Forums


Malware emails with fake cellphone invoice

"Thank you for ordering from Cellphone Inc" is what the email says ... what it doesn't say is "have a nice day cleaning your infected PC". Reader Scott had just taken his mobile phone to a store for repair, but being the savvy security specialist, he was still suspicious when he got the following email shortly thereafter:

Thank you for ordering from Cell Phone Inc.

This message is to inform you that your order has been received
and is currently being processed.

Your order reference is Cell Phone Inc. You will need this in all correspondence.
This receipt is NOT proof of purchase. We will send a printed invoice by mail to your billing address.

You have chosen to pay by credit card. Your card will be charged for the amount
of 629.99 USD and "Cell Phone Inc." will appear next to the charge on your statement.
Your purchase information appears below in the file.

Cell Phone Inc.


Turns out, of course, that this email had nothing to do with Scott's phone; it is just the latest malware scam. The email comes with a PDF attachment that - at current count - tries to exploit collab.getIcon, media.newPlayer, collab.collectEmailInfo and util.printf -- all rather "old" Adobe Acrobat vulnerabilities, but apparently still "good enough" for the bad guys to warrant a new spam run.

The PDF's guts are obfuscated JavaScript, as usual, and currently showing up with a lousy 2/43 on the Virustotal radar.

Keep your users from clicking ... and keep up with those pesky almost-feels-like-weekly Adobe updates!


Daniel

367 Posts
ISC Handler
So, perfect timing from the spammers' side. Did Scott complain about his mobile phone on social media? Did he also publish his e-mail address there? Are spammers into datamining?!
;-)
dotBATman

63 Posts
What was the Subject line text? Also once infected, are there any known malicious IPs/domains that we can search logs for?
dotBATman
2 Posts
Subject here looked like:

Your Order No 152476 - Cell Phone Inc.
dotBATman
2 Posts
@matsaki, the subject varies by sample, is usually "Your Order No #####, Cell Phone Inc." In the PDF that I analyzed, the subsequent EXE download came from kawabungashop-dot-ru
Daniel

367 Posts
ISC Handler
Sender info

katie at choicewastemanagement.com
mail7.hostek.com
216.198.218.137
Daniel
2 Posts
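The thread asks for indicators to search logs for, and the replies supply a download host, a sender address, a relay and its IP. As an added example (not code from the diary or its commenters), here is a small log sweep that refangs the indicators exactly as they were posted and matches them against proxy and mail-server lines; the four log lines are constructed for the example, and the log formats (squid-style access log, postfix-style syslog) are assumed.

```python
import re

# Indicators exactly as posted in the comments above (defanged/spoken form).
RAW_INDICATORS = {
    "kawabungashop-dot-ru": "domain",               # second-stage EXE download host
    "katie at choicewastemanagement.com": "email",  # sender address on the spam
    "mail7.hostek.com": "domain",                   # sending relay
    "216.198.218.137": "ip",                        # relay IP
}


def refang(value: str) -> str:
    """Turn '-dot-', '[.]', '(dot)' and ' at ' forms back into matchable strings."""
    value = value.strip().lower()
    value = re.sub(r"\s*-dot-\s*|\[\.\]|\(dot\)", ".", value)
    value = re.sub(r"\s+at\s+|\[at\]", "@", value)
    return value


INDICATORS = {refang(k): v for k, v in RAW_INDICATORS.items()}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}")


def match_line(line: str, indicators: dict = INDICATORS) -> list:
    """Return the indicators that appear in one log line. Domains match the
    host itself and any subdomain (www.kawabungashop.ru hits kawabungashop.ru);
    IPs and e-mail addresses must match exactly."""
    low = line.lower()
    hosts = set(HOST_RE.findall(low))
    ips = set(IP_RE.findall(low))
    emails = set(EMAIL_RE.findall(low))
    hits = []
    for ioc, kind in indicators.items():
        if kind == "domain" and any(h == ioc or h.endswith("." + ioc) for h in hosts):
            hits.append(ioc)
        elif kind == "ip" and ioc in ips:
            hits.append(ioc)
        elif kind == "email" and ioc in emails:
            hits.append(ioc)
    return hits


def scan_logs(lines) -> list:
    """Return (line_number, hits) for every line that matched an indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := match_line(line))]


# Constructed log lines for the example (not real traffic).
SAMPLE_LOGS = [
    "1275000001.123 452 10.1.2.33 TCP_MISS/200 98304 GET http://www.kawabungashop.ru/load.exe "
    "- DIRECT/203.0.113.9 application/octet-stream",
    "Jun 1 09:12:44 mx1 postfix/smtpd[2211]: connect from mail7.hostek.com[216.198.218.137]",
    "Jun 1 09:12:45 mx1 postfix/qmgr[1200]: 3F2A1: from=<katie@choicewastemanagement.com>, size=51233",
    "1275000002.456 88 10.1.2.34 TCP_MISS/200 5120 GET http://www.example.com/ "
    "- DIRECT/203.0.113.10 text/html",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(hits)}")
```

Matching by host suffix rather than by substring is what keeps the download-host indicator from firing on unrelated names that merely contain it, and refanging at load time means the indicator list can be pasted straight from a thread like this one.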
