Threat Outbreak Alert: Fake Western Union Payment Slip Attachment E-mail Messages on December 14, 2012

 
Threat Type: IntelliShield: Threat Outbreak Alert
IntelliShield ID: 27374
Version: 4
First Published: 2012 November 07 10:47 GMT
Last Published: 2012 December 14 15:10 GMT
Port: Not available
Urgency: Possible use
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary: Cisco Security Intelligence Operations has detected significant activity on December 14, 2012.
 

Description
 
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a Western Union payment slip for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the invoice. However, the attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID4775, RuleID4775KVR, and RuleID4907KVR) may contain the following files:

Westernunionslip1_pdf.zip
Westernunionslip1_pdf.exe
informatie.zip
domeininformatie_november_info_2012_EO234DF123DBWC9368FE7439F87G38934U7829UYFG763DSI623FDG8WEDFQWU37289R2F3DUIQO8DOGCG.exe
belangrijke_informatie_6WE78YFU9EF7TF657W67768WHEJYFGH65RW756DYHJW7E6BD56W576FYEG7F6HTDF34565689GID9G8HD56TR76F5WE6DW_info_2012.exe
belangrijke_informatie.zip
belangrijke_informatie_03945T8Y49RUFHG3Y7F8UIUH365GT748FI9U3B5H7498EJT5GBY68R9V37Y8HU_info_2012.exe

The Westernunionslip1_pdf.exe file in the Westernunionslip1_pdf.zip attachment has a file size of 449,838 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x04827C30B27B248E24D7B303E958AF54

The domeininformatie_november_info_2012_EO234DF123DBWC9368FE7439F87G38934U7829UYFG763DSI623FDG8WEDFQWU37289R2F3DUIQO8DOGCG.exe file in the informatie.zip attachment has a file size of 480,768 bytes. The MD5 checksum is the following string: 0x9764B0D6BA55C91EDB8E7F25FE0EC845

The belangrijke_informatie_6WE78YFU9EF7TF657W67768WHEJYFGH65RW756DYHJW7E6BD56W576FYEG7F6HTDF34565689GID9G8HD56TR76F5WE6DW_info_2012.exe file in the informatie.zip attachment has a file size of 412,160 bytes. The MD5 checksum is the following string: 0x0C2AC09CDD797E3BEA85C71025F6DDAA

The belangrijke_informatie_03945T8Y49RUFHG3Y7F8UIUH365GT748FI9U3B5H7498EJT5GBY68R9V37Y8HU_info_2012.exe file in the belangrijke_informatie.zip attachment has a file size of 484,864 bytes. The MD5 checksum is the following string: 0x5DFDDEE4AC7D0793652C4229F797AD7D
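The indicators above can be checked against a quarantined ZIP attachment without writing its contents to disk. The following is an added example, not Cisco code: it hashes each archive member in memory, compares MD5 and size with the four pairs listed in this alert, and, going slightly beyond the listed hashes, also flags any `.exe` member. The function names, reason strings, and the 16 MiB member cap are assumptions.

```python
import hashlib
import io
import zipfile

# MD5 -> file size in bytes, both taken from the alert text above
# (the "0x" prefix is dropped and the hex is lowercased for comparison).
ALERT_MD5_TO_SIZE = {
    "04827c30b27b248e24d7b303e958af54": 449_838,
    "9764b0d6ba55c91edb8e7f25fe0ec845": 480_768,
    "0c2ac09cdd797e3bea85c71025f6ddaa": 412_160,
    "5dfddee4ac7d0793652c4229f797ad7d": 484_864,
}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed cap; guards against zip bombs


def scan_zip_attachment(data, indicators=ALERT_MD5_TO_SIZE):
    """Return {member name: [reasons]} for suspicious members of a ZIP attachment."""
    findings = {}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"<attachment>": ["not-a-valid-zip"]}
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = []
            # The alert describes an .exe hidden behind a document-like name.
            if info.filename.lower().endswith(".exe"):
                reasons.append("executable-in-archive")
            if info.flag_bits & 0x1:  # encrypted member: cannot be hashed here
                reasons.append("encrypted-not-hashed")
            elif info.file_size > MAX_MEMBER_BYTES:
                reasons.append("oversized-not-hashed")
            else:
                digest = hashlib.md5(archive.read(info)).hexdigest()
                if indicators.get(digest) == info.file_size:
                    reasons.append("alert-md5-match:" + digest)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_constructed_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

A hash match identifies only these exact builds; the `executable-in-archive` reason still fires for a repacked variant whose hash is no longer listed here.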

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: Message copied from system quarantine

Message Body:

WESTERN UNION HEAD OFFICE DEPARTMENT REPUBLIC OF BENIN. FOREGN CONTRACTOR PAYMENT OFFICE TELEPHONE : WEB www.westernunion.com
Attention: Beneficiary of Fund,
After our executive meeting yesterday with our board of Directors, We came into a conclusion that your inheritance fund of $500.000.00 (Five Hundred Thousand United State Dollars) should only be Transferred to you through our WESTERN UNION MONEY TRANSFER OFFICE.
In addition to this, We have decided to give all our customers Mid Year bonanza starting from today till 30th of next month by reducing the transfer rate from the big amount to small amount. Your first payment has been approve for you to pick up now without remitting any fee, also note that all required fee has been settle by the federal government so you don't have to pay any fee.
Below is the payment of $5,000 that was sent to you through Western Union Money Transfer, all you have to do now is Download the Attached File to view the Western Union payment slip of your MTCN, Do not waste any much time to catch the first payment at the bank today.
You are advised to download the Western Union Payment Slip to view the Money Transfer Control Number, that you will use to you will use to pick up the first payment of $5,000 from the Bank today.

For a better Downlaod and clearer View of the Western Union Payment Slip, You are advised to use the Mozilla Firefox Or Google chrome to download the Western Union Slip.
We will be ready to issue out the second payment as soon as you catch the first payment below.
Payment approve for pick up today.

Thank you
Western Union®_
Welcome to Western Union _
Send Money Worldwide_

Or

Subject: antwoorden

Message Body:

Informatie over uw verzoek bevestigd met deze e-mail!
Met vriendelijke groet, Katia.

Or

Subject: factuur

Message Body:

Informatie over uw verzoek bevestigd met deze e-mail!
Met vriendelijke groet, Natasha.

Or

Message Body:

Informatie over uw verzoek bevestigd met deze e-mail!
Met vriendelijke groet, Nastya.

Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.

 
Alert History
 

Version 3, November 13, 2012, 11:30 AM: Cisco Security Intelligence Operations has detected significant activity on November 12, 2012.

Version 2, November 7, 2012, 5:15 PM: Cisco Security Intelligence Operations has detected significant activity on November 7, 2012.

Version 1, November 7, 2012, 6:47 AM: Cisco Security Intelligence Operations has detected significant activity on November 6, 2012.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield Threat Outbreak Alert Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.

