{"id":13606,"date":"2013-07-25T00:00:22","date_gmt":"2013-07-25T07:00:22","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=12150"},"modified":"2018-10-05T12:48:43","modified_gmt":"2018-10-05T18:48:43","slug":"fake-copy-of-vodafone-u-k-contractyour-monthly-vodafone-bill-is-readynew-mms-received-themed-emails-lead-to-malware","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/07\/25\/fake-copy-of-vodafone-u-k-contractyour-monthly-vodafone-bill-is-readynew-mms-received-themed-emails-lead-to-malware\/","title":{"rendered":"Fake &#8216;Copy of Vodafone U.K Contract\/Your Monthly Vodafone Bill is Ready\/New MMS Received&#8217; themed emails lead to malware"},"content":{"rendered":"<p>Cybercriminals continue targeting U.K based Internet users in an attempt to trick them into thinking that they&#8217;ve received a legitimate email from <a href=\"http:\/\/blog.webroot.com\/tag\/vodafone\/\"><strong>Vodafone<\/strong><\/a> U.K. We&#8217;ve intercepted two, currently circulating, malicious spam campaigns that\u00a0once again impersonate Vodafone U.K, this time relying on bogus &#8220;<em>Copy of Vodafone U.K<\/em>&#8221; themed messages, the ubiquitous &#8216;<em>MMS Message Received<\/em>&#8217; campaign, as well as the most recent &#8216;<em>Your Monthly Vodafone Bill is Ready<\/em>&#8217; theme.<\/p>\n<p>More details:<\/p>\n<p><!--more--><\/p>\n<p><strong>Sample screenshots of the spamvertised emails:<\/strong><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/07\/vodafone_uk_united_kingdom_fake_contract_shop_email_spam_spamvertised_malicious_software_malware_social_engineering1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-12152\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/07\/vodafone_uk_united_kingdom_fake_contract_shop_email_spam_spamvertised_malicious_software_malware_social_engineering1.png\" 
alt=\"Vodafone_UK_United_Kingdom_Fake_Contract_Shop_Email_Spam_Spamvertised_Malicious_Software_Malware_Social_Engineering\" width=\"576\" height=\"145\" \/><\/a><\/p>\n<p><a style=\"font-family: Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 16px; font-style: normal; font-variant: normal; text-align: center;\" href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/07\/fake_email_spam_spamvertised_malware_malicious_software_social_engineering_vodafone_uk_united_kingdom_your_bill_is_ready1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-12164\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2013\/07\/fake_email_spam_spamvertised_malware_malicious_software_social_engineering_vodafone_uk_united_kingdom_your_bill_is_ready1.png\" alt=\"Fake_Email_Spam_Spamvertised_Malware_Malicious_Software_Social_Engineering_Vodafone_UK_United_Kingdom_Your_Bill_Is_Ready\" width=\"566\" height=\"566\" \/><\/a><\/p>\n<p><strong>Detection rates for the spamvertised malicious attachments:<\/strong><br \/>\n<a href=\"https:\/\/www.virustotal.com\/en\/file\/4e0a712b7d53889c742d9d6f2211ffc3b0c3097d42c9b367939511c06a522b11\/analysis\/\"><strong>MD5: a5bdeaadb002e12a38c9d354097f9a9a<\/strong><\/a> &#8211; detected by 30 out of 46 antivirus scanners as Backdoor.Win32.Androm.aehi; TrojanDownloader:Win32\/Dofoil.R.<br \/>\n<a href=\"https:\/\/www.virustotal.com\/en\/file\/3d63185e1191bfef0e3f04d19dc6ab83b42b12693f1a3d64e424f1990a07c0aa\/analysis\/\"><strong>MD5: 6aeacb54d57cddff1b1b39d2d3b32140<\/strong><\/a> &#8211; detected by 6 out of 47 antivirus scanners as Artemis!6AEACB54D57C; UDS:DangerousObject.Multi.Generic.<br \/>\n<a href=\"https:\/\/www.virustotal.com\/en\/file\/eba74d086dbed0ec15be6378f35b5e86c274c14643ffc23ea13fd63053d73ee1\/analysis\/1374587810\/\"><strong>MD5: 3965d6f027812306ea953dbd0ac0bce0<\/strong><\/a> \u2013 detected by 6 out of 47 antivirus scanners as Heuristic.BehavesLike.Win32.ModifiedUPX.C; 
Trojan\/Win32.Tepfer.<\/p>\n<p>The last sample marks its presence on the affected systems through the following Mutexes:<br \/>\n<em>CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004<\/em><br \/>\n<em>0B298A164743E1643757A7223C7E2D3470144646<\/em><\/p>\n<p><strong>All of these samples phone back to the same C&amp;C server:<\/strong><br \/>\n<em>hxxp:\/\/37.139.47.159\/fexco\/com\/index.php<\/em> (37-139-47-159.clodo.ru, AS56534)<\/p>\n<p><strong><a href=\"https:\/\/www.webroot.com\/us\/en\/home\/products\/complete\">Webroot\u00a0SecureAnywhere<\/a><\/strong>\u00a0users are proactively protected from these threats.<\/p>\n<p><em>You can find more about Dancho\u00a0Danchev at his\u00a0<strong><a href=\"http:\/\/linkedin.com\/in\/danchodanchev\">LinkedIn Profile<\/a><\/strong>. You can also\u00a0<strong><a href=\"http:\/\/www.twitter.com\/danchodanchev\">follow him on Twitter<\/a><\/strong>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals continue targeting U.K based Internet users in an attempt to trick them into thinking that they&#8217;ve received a legitimate email from Vodafone U.K. 
We&#8217;ve intercepted two, currently circulating, malicious spam campaigns that\u00a0once again impersonate Vodafone U.K, this time relying on bogus &#8220;Copy of Vodafone U.K&#8221; themed messages, the ubiquitous &#8216;MMS Message Received&#8217; campaign, [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[14777,14771,14763,15659,15655,4811,3871,3881,5257,15663,4065,5717,4603,3875,5721,5883,12529,3529,11999,12759],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/13606"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=13606"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/13606\/revisions"}],"predecessor-version":[{"id":25707,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/13606\/revisions\/25707"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=13606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=13606"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=13606"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=13606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}