The Comodo Antispam Labs (CASL) team has identified a malware attack targeted specifically at businesses and consumers who may use UK Mail, the United Kingdom’s largest independent postal operator.
As part of a random phishing campaign, the fake emails are being sent from the address firstname.lastname@example.org – which to a business or consumer could appear to be a legitimate email address, but it is not.
The email is designed to trigger the spread of malware and infect computers, workstations and mobile devices that access the email – grabbing the attention of UK Mail users by saying that the company was unable to deliver a package or parcel for them. Since the fake package could not be delivered, recipients are asked to print up an attached document and take it to their local postal location for delivery of the package.
When the intended recipient opens the document attached to the email, a malware file that is a variant of the Dridex Trojan is downloaded to the users endpoint. Dridex is a morphed banking malware which leverages macros in Microsoft Office documents to infect systems. Once infected, the malware tries to steal information from browser history – including financial records and banking statements.
The Comodo Antispam Labs team identified the UK Mail phishing email through IP, domain, and URL analysis.
“As a company, we work diligently in creating innovative technology solutions that stay a step ahead of the cyber criminals, and keep enterprises and IT environments safe,” said Fatih Orhan, Director of Technology for Comodo and the Comodo Antispam Labs.
The Comodo Antispam Labs team is made up of more than 35 IT security professionals, ethical hackers, computer scientists and engineers, all full time Comodo employees, analyzing and filtering spam, phishing and malware from across the globe. With offices in the US, Turkey, Ukraine, the Philippines and India, the CASL team analyzes more than 1,000,000 potential pieces of phishing, spam or other malicious/unwanted emails per day, using the insights and findings to secure and protect its current customer base and the at-large public, enterprise and Internet community.
Included below is a sample of one of the actual emails being sent.
For the System IT Administrators who think their IT may be susceptible to the fake email, the domain and other key pieces of information pulled from the phishing email are also below, to help in their IT defenses.
ACTUAL EMAIL INTERCEPTED
Domain Name: bigpondhosting.com
Updated Date: 2015-07-17T16:22:00Z
Creation Date: 2003-07-29T02:29:50Z
Registrar Registration Expiration Date: 2016-07-29T02:29:50Z
Registrant City: Melbourne
Registrant State/Province: VIC
Registrant Postal Code: 3000
Registrant Country: AU
Registrant Email: email@example.com
NOTE FROM CASL: this domain belongs to a hosting service, and it is probable that someone got a service in the subdomain “xsnoiseccs” and put the malicious file and email in that path.