Threat Outbreak Alert: Fake Shipping Notification Email Messages on December 4, 2013

Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 30628
Version: 24
First Published: 2013 September 03 14:54 GMT
Last Published: 2013 December 05 15:04 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage

Version Summary: Cisco Security Intelligence Operations has detected significant activity on December 4, 2013.

Description
 
Security Intelligence Operations has detected significant activity related to spam email messages that claim to contain a shipping notification for the recipient. The text in the email message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Email messages that are related to this threat (RuleID6977, RuleID6977_1KVR, RuleID6977KVR, and RuleID6977_2KVR) may contain the following files:


The PCL3882-199HH.exe file in the PRCLBXNJJNLBCC.zip attachment has a file size of 339,456 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2D20597C21966AB75183014DE0CC7A36

The NTFY9932HG637.exe file in the PRCL9Z51HD6AMT.zip attachment has a file size of 351,957 bytes. The MD5 checksum is the following string: 0x43D6D59B04171959FCC6CF12D84DBC47

The PAR28849HHL02.exe file in the PRCLED1HFPCD7I.zip attachment has a file size of 342,016 bytes. The MD5 checksum is the following string: 0xA6318999F39F9F8B77A1D2184DE664A0

The PKG664HHSG28.exe file in the PRCL9SJW9DXNZM.zip attachment has a file size of 335,872 bytes. The MD5 checksum is the following string: 0xB2D2C695FD5EA3A42DBEBC345325103F

The PRCL388JSL993.exe file in the PRCL5HLV0VKAM8.zip attachment has a file size of 343,765 bytes. The MD5 checksum is the following string: 0x41D14F3719803D64C3E17F8BA2F8FF34

The PKG7748HHDJ34.exe file in the PRCLZD2Q4WP8SA.zip attachment has a file size of 335,360 bytes. The MD5 checksum is the following string: 0xB433660E7129B74BB65ACCC73DA85F9A

The TRSACT7738JJL3849.exe file in the PRCL8H25SM8IEJ.zip attachment has a file size of 347,861 bytes. The MD5 checksum is the following string: 0x5B5F29A0715A8647B86E858D88DD0A37

The PARCEL37748HHAK92.exe file in the PRCLC5246SXGJU.zip attachment has a file size of 381,141 bytes. The MD5 checksum is the following string: 0x6979AFF1C546FE00008CA087D47EFA86

The PRCL3885992JJDK322.exe file in the PRCLHRIO6648NJ.zip attachment has a file size of 327,680 bytes. The MD5 checksum is the following string: 0x8FF7B91990F2926DF5A320B6BA4D0152

The PKG377HHSJ293.exe file in the PRCLP5JDU75RNQ.zip attachment has a file size of 344,064 bytes. The MD5 checksum is the following string: 0x9159240DDAD044BEDC8E6D15F6CA5268

The PRCL3648HDH393J38.exe file in the PRCLD0MA5SF137.zip attachment has a file size of 347,861 bytes. The MD5 checksum is the following string: 0xBCB0D2A4A18E773D8C200B300AC08702

The PKG37DHH38-399.exe file in the PRCLFHUEA5DMNI.zip attachment has a file size of 344,064 bytes. The MD5 checksum is the following string: 0x5A868A44FE8D4BCB9104490E77D90A62

The PRCL30042-HFK30.exe file in the PRCLKZVR7JH3LV.zip attachment has a file size of 323,584 bytes. The MD5 checksum is the following string: 0x319053173A9E05561EB5CC9CD61667A0

The PKG3994-HF3820.exe file in the PRCLDRICCJQJB0.zip attachment has a file size of 335,872 bytes. The MD5 checksum is the following string: 0x032E93D361587ED97F0DED4ED8C2214A

The PRCL-NO-HDHH377290001.exe file in the PRCLFXRZTLEXNM.zip attachment has a file size of 127,488 bytes. The MD5 checksum is the following string: 0x2A4F1DEAB4A8CC91DADA47FD4D4902E0

The PRCL-NO-332JK39.exe file in the PRCL24WAPHN767.zip attachment has a file size of 202,453 bytes. The MD5 checksum is the following string: 0x6B98A33EA7763BD7DE3BCDE5EB296ACB

The PRCL299HDJ3453.exe file in the PRCLJWG979ZYVH.zip attachment has a file size of 326,656 bytes. The MD5 checksum is the following string: 0x86759734D02F76B9D3E07F24D13BAABA

The PKG399029-HDG394.exe file in the PKGS54Y4HUOJ8.zip attachment has a file size of 127,488 bytes. The MD5 checksum is the following string: 0x1645F29F12060421F0EB7FAC79E6CEA0

The PKG3994-399430.exe file in the PKGEBYDQ3L5FK.zip attachment has a file size of 346,837 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x9EB89F7D4728E9999B67FD03FFD4287A

The productimages.exe file in the productimages.zip attachment has a file size of 741,376 bytes. The MD5 checksum is the following string: 0x416D08EFB70751775CB4F8AF82101921

The OriginalReceipt.exe file in the OriginalReceipt.zip attachment has a file size of 487,424 bytes. The MD5 checksum is the following string: 0x937BA6442CCB2AEE85BC5BA4576B2B8F

The SecureMessage.exe file in the SecureMessage.zip attachment has a file size of 23,552 bytes. The MD5 checksum is the following string: 0xACB3E31382BABF2065C7CF358A484046

The fax0101_08102013.exe file in the fax01001544931.zip attachment has a file size of 26,624 bytes. The MD5 checksum is the following string: 0x7F4B84A40A7E5F6F6FAB9A2AA277C815

A variant of the productimages.exe file in the productimages.zip attachment has a file size of 676,352 bytes. The MD5 checksum is the following string: 0x33CD71593FCDF2D3292DC84A8CC70CA0

The VoiceMessageTT.exe file in the VoiceATT2077423.zip attachment has a file size of 29,696 bytes. The MD5 checksum is the following string: 0x951A4594DF38B38D73845C4F87BD4B69

A variant of the SecureMessage.exe file in the SecureMessage.zip attachment has a file size of 29,696 bytes. The MD5 checksum is the following string: 0xC44E56EDC2AF3C15E943F3F0654AF845

The specification.exe file in the specification.zip attachment has a file size of 709,632 bytes. The MD5 checksum is the following string: 0xD9C0DD5F80D2564C622E92CE6ACEA733

A variant of the specification.exe file in the specification.zip attachment has a file size of 729,600 bytes. The MD5 checksum is the following string: 0xDB8CC89F2B7855EC99CDA2F94BA3A76F

The productsample.exe file in the productsample.zip attachment has a file size of 193,536 bytes. The MD5 checksum is the following string: 0x1D5F5ABAA6F5CAECB7F845A41D7D47F5

The File527826.exe file in the Catalog2013Nov.zip attachment has a file size of 585,728 bytes. The MD5 checksum is the following string: 0xF468AD85CF8368829221F82A4E6BDD1D

The orderlist928793.exe file in the orderlist928793.zip attachment has a file size of 1,945,910 bytes. The MD5 checksum is the following string: 0x0504687395B78ACA2945FB35377C2317

The PurchaseOrder.exe file in the PurchaseOrder.zip attachment has a file size of 290,105 bytes. The MD5 checksum is the following string: 0x10CD84D38BB455A4066E20A0E1CF8E40

The 04122013JBGOAL.exe file in the 04122013JBGOAL.zip attachment has a file size of 114,688 bytes. The MD5 checksum is the following string: 0xFC85FC24475824C79C6313419F975B91
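As an added example, not part of the Cisco alert, the following Python check applies the two properties the alert records for each attachment, the file size and the MD5 checksum, to the members of a .zip attachment and also flags any Windows executable found inside the archive. The indicator table reproduces only a few of the alert's entries, and the sample archive is constructed in memory; it is not a real attachment.

```python
import hashlib
import io
import zipfile

# Indicators copied from the alert text: member name -> (size in bytes, MD5).
# Only a subset of the alert's entries is listed here.
ALERT_INDICATORS = {
    "PCL3882-199HH.exe": (339456, "0x2D20597C21966AB75183014DE0CC7A36"),
    "NTFY9932HG637.exe": (351957, "0x43D6D59B04171959FCC6CF12D84DBC47"),
    "productimages.exe": (741376, "0x416D08EFB70751775CB4F8AF82101921"),
    "SecureMessage.exe": (23552, "0xACB3E31382BABF2065C7CF358A484046"),
}

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # do not inflate oversized members (zip bombs)


def normalize_md5(value):
    """Turn the alert's '0x...' uppercase form into plain lowercase hex."""
    value = value.strip().lower()
    return value[2:] if value.startswith("0x") else value


def inspect_zip_attachment(zip_bytes, indicators=ALERT_INDICATORS):
    """Return one finding per archive member; 'reasons' is empty for benign members.

    A member is flagged for an executable extension, for a PE/MZ header
    regardless of extension, or for a (size, MD5) pair matching an indicator.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": info.filename, "size": info.file_size,
                                 "md5": None, "reasons": ["oversized member, not inflated"]})
                continue
            data = archive.read(info)
            md5 = hashlib.md5(data).hexdigest()
            basename = info.filename.rsplit("/", 1)[-1]
            reasons = []
            if basename.lower().endswith(".exe"):
                reasons.append("executable extension inside archive")
            if data[:2] == b"MZ":
                reasons.append("PE/MZ header present")
            known = indicators.get(basename)
            if known and known[0] == len(data) and normalize_md5(known[1]) == md5:
                reasons.append("matches alert indicator (size and MD5)")
            findings.append({"member": info.filename, "size": len(data),
                             "md5": md5, "reasons": reasons})
    return findings


def build_sample_attachment():
    """Constructed sample: a .zip holding a fake 'PCL3882-199HH.exe' (not real malware)."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed-sample-not-a-real-binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("PCL3882-199HH.exe", payload)
        archive.writestr("readme.txt", b"Print the attachment for details.")
    return buf.getvalue(), payload
```

Because the alert gives both size and checksum, a match requires both to agree; the sample executable is still flagged by the structural checks even though its hash is not in the table.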

The following text is a sample of the email message that is associated with this threat outbreak:

Subject: DHL Shipping service notify BXNJJNLBCC

Message Body:

Print the attachment for details.
An extra information:
If the parcel isn`t received within 10 working days we will have the right to claim compensation from you for it`s keeping in the amount of $5.55 for each day of keeping of it.
Thank you for using our service.

Or

Subject: Fwd: DHL Global notify 5HLV0VKAM8

Or

Subject: UPS Delivery report P5JDU75RNQ

Message Body:

UPS Notification
Our company`s courier cann`t make the delivery of parcel.
REASON: Postal code contains an error
DELIVERY STATUS: sort order
SERVICE: Three-day shipping
NUMBER OF parcel: P5JDU75RNQ
FEATURES: No
Read the attached file for details.
An extra information:
If the parcel isn`t received within 10 working days our company will have the right to claim compensation from you for it`s keeping in the amount of $3.33 for each day of keeping of it.
Thank you for using our service.
UPS Global

Or

Subject: Fwd: USPS Delivery notifocation D0MA5SF137

Or

Subject: Fwd: FedEx Shipping service report IUZIXXRKEP

Or

Subject: UPS INC report HA7MFN9CN6

Message Body:

UPS Notification
Our company`s courier couldn`t make the delivery of parcel.
REASON: Wrong postal code
DELIVERY STATUS: sort order
SERVICE: One-day shipping
NUMBER OF parcel: HA7MFN9CN6
FEATURES: No
Read the attachment for details.
An additional information:
If the parcel isn`t received within 10 working days our company will have the right to claim compensation from you for it`s keeping in the amount of $1.11 for each day of keeping of it.
Thank you for using our service.
UPS Global

Or

Subject: UPS Inc. notifocation BBGMHA6HEN

Message Body:

UPS Notification
Our company`s courier cann`t make the delivery of package.
REASON: Wrong postal code
DELIVERY STATUS: sort order
SERVICE: Two-day shipping
NUMBER OF package: BBGMHA6HEN
FEATURES: No
Read the attachment for details.
An additional information:
If the package isn`t received within 5 working days we will have the right to claim compensation from you for it`s keeping in the amount of $4.44 for each day of keeping of it.
Thank you for using our service.
UPS Global

Or

Subject: USPS GLOBAL report S54Y4HUOJ8

Message Body:

USPS Notification
Our company`s courier couldn`t make the delivery of package.
REASON: Postal code contains an error
DELIVERY STATUS: sort order
SERVICE: One-day shipping
NUMBER OF package: S54Y4HUOJ8
FEATURES: No
Open the attached file for details.
An additional information:
If the package isn`t received within 5 working days we will have the right to claim compensation from you for it`s keeping in the amount of $8.88 for each day of keeping of it.
Thank you for using our service.
USPS Global

Or

Subject: New incoming fax

Message Body:

Dear Customer,
You have received a new fax.
Date/Time: 2013:10:08 11:23:08
Number of pages:4
Received from: 800837455
Regards,
FAX

Or

Subject: Re: Sample Attached

Message Body:

Dear Sir/Madam,
I got your contact from one of your customers in my country, He has assured me of high quality standard of your product in KSA. Please attached in this email is the product sample of the exact goods needed. Please view and tell me your lead time and payment terms for the attached product.
Thanks,
Hassan Isa

Or

Subject: Voice Mail Message ( 46 seconds )

Message Body:

This voice message was created by Avaya Modular Messaging. To listen to this voice message,just open it.

Or

Subject: We have received your secure message

Message Body:

Thanks for your secure message.
This is a receipt to let you know we've received your message.
A copy of your message is attached.
Santander will never send you an email asking you to click on a link, or to enter, reconfirm or change your security or card details. We will never ask you to tell us your passwords by email or over the phone.
If you think you may have revealed your security details in any way, please call us immediately on 0845 607 0666
We cant respond directly to any questions via this email address, but all emails are processed, and urgent action is taken against Phishing sites identified.
Regards
Santander Customer Services

Or

Message Body:

Dear Sir
Please find attached invoice for last Order
Please check and confirm so we can do the payment today.
Thank You
Best Regards
FARMSALE MIDDLE LTD.
Tel: +62 33 440442
Fax: +62 12 77662

Cisco Security Intelligence Operations analysts examine real-world email traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global email security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. Email that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam email and hostile web URLs from being passed to the end user.

Related Links
Cisco Security Intelligence Operations
Cisco SenderBase Security Network
 
Alert History
 

Version 23, December 4, 2013, 4:43 PM: Cisco Security Intelligence Operations has detected significant activity on December 3, 2013.

Version 22, November 15, 2013, 3:42 PM: Cisco Security Intelligence Operations has detected significant activity on November 14, 2013.

Version 21, November 12, 2013, 7:01 PM: Cisco Security Intelligence Operations has detected significant activity on November 11, 2013.

Version 20, November 7, 2013, 5:05 PM: Cisco Security Intelligence Operations has detected significant activity on November 6, 2013.

Version 19, October 30, 2013, 5:45 PM: Cisco Security Intelligence Operations has detected significant activity on October 30, 2013.

Version 18, October 28, 2013, 2:46 PM: Cisco Security Intelligence Operations has detected significant activity on October 28, 2013.

Version 17, October 18, 2013, 7:54 PM: Cisco Security Intelligence Operations has detected significant activity on October 18, 2013.

Version 16, October 8, 2013, 5:37 PM: Cisco Security Intelligence Operations has detected significant activity on October 8, 2013.

Version 15, October 7, 2013, 2:45 PM: Cisco Security Intelligence Operations has detected significant activity on October 7, 2013.

Version 14, October 3, 2013, 1:29 PM: Cisco Security Intelligence Operations has detected significant activity on October 2, 2013.

Version 13, September 30, 2013, 6:57 PM: Cisco Security Intelligence Operations has detected significant activity on September 27, 2013.

Version 12, September 23, 2013, 12:51 PM: Cisco Security Intelligence Operations has detected significant activity on September 22, 2013.

Version 11, September 20, 2013, 8:13 PM: Cisco Security Intelligence Operations has detected significant activity on September 20, 2013.

Version 10, September 20, 2013, 2:07 PM: Cisco Security Intelligence Operations has detected significant activity on September 19, 2013.

Version 9, September 18, 2013, 2:08 PM: Cisco Security Intelligence Operations has detected significant activity on September 18, 2013.

Version 8, September 17, 2013, 3:23 PM: Cisco Security Intelligence Operations has detected significant activity on September 17, 2013.

Version 7, September 10, 2013, 3:26 PM: Cisco Security Intelligence Operations has detected significant activity on September 9, 2013.

Version 6, September 9, 2013, 6:17 PM: Cisco Security Intelligence Operations has detected significant activity on September 9, 2013.

Version 5, September 9, 2013, 2:37 PM: Cisco Security Intelligence Operations has detected significant activity on September 9, 2013.

Version 4, September 5, 2013, 4:27 PM: Cisco Security Intelligence Operations has detected significant activity on September 4, 2013.

Version 3, September 4, 2013, 7:20 PM: Cisco Security Intelligence Operations has detected significant activity on September 4, 2013.

Version 2, September 4, 2013, 2:57 PM: Cisco Security Intelligence Operations has detected significant activity on September 3, 2013.

Version 1, September 3, 2013, 2:54 PM: Cisco Security Intelligence Operations has detected significant activity on September 3, 2013.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A

Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.