Threat Outbreak Alert: fake electronic invoice e-mail messages

On 16 February 2012 the Cisco Security Intelligence Operations detected significant activity related to Portuguese-language spam e-mail messages that claim to contain an electronic invoice for the recipient. If Cisco detects these kinds of things, there really is something going on, right? So. Wake-up call anyone?!

So, this one is for everyone who believes that electronic invoicing solves all the problems we nowadays encounter with paper invoices. And for everyone who ignores that when you automate stuff, you don't automatically solve the problems: you most probably automate them too.

The Cisco E-invoice Outbreak Alert

Cisco Security Intelligence Operations detected significant activity related to Portuguese-language spam e-mail messages that claim to contain an electronic invoice for the recipient.

The text in the e-mail message attempts to convince the recipient to follow a link to view the invoice. However, the link directs the user to a malicious .zip file containing a .com file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID3952) may contain the following file:

boleto.zip
boleto.com

The boleto.com file in the boleto.zip attachment has a file size of 178,176 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x5C9CD5288CCC10697DD7E3141621E182
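As an added example (not part of the Cisco alert or of this post), a mail-gateway style check in Python that opens a zip attachment, flags executable members such as a .com file inside an "invoice" archive, and compares each member's size and MD5 against the indicators quoted above. The archive it builds for demonstration is constructed and does not contain the real boleto.com.

```python
import hashlib
import io
import zipfile

# Indicators taken from the alert (RuleID3952); the page writes the MD5 with a
# "0x" prefix, hashlib produces it as a plain lowercase hex digest.
KNOWN_BAD = {
    "boleto.com": {"size": 178176, "md5": "5c9cd5288ccc10697dd7e3141621e182"},
}
# Extensions Windows will execute directly; none of them belong in an e-invoice.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def inspect_zip_attachment(zip_bytes):
    """Return one finding per file inside the zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            name = info.filename.rsplit("/", 1)[-1].lower()  # strip any folder
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            md5 = hashlib.md5(data).hexdigest()
            ioc = KNOWN_BAD.get(name)
            findings.append({
                "name": name,
                "size": len(data),
                "md5": md5,
                "executable": ext in EXECUTABLE_EXTS,
                # Match only when name, size and hash all agree with the IoC.
                "ioc_match": bool(ioc and ioc["size"] == len(data) and ioc["md5"] == md5),
            })
    return findings


def verdict(findings):
    """Turn the findings into a gateway decision, worst case first."""
    if any(f["ioc_match"] for f in findings):
        return "block: known sample"
    if any(f["executable"] for f in findings):
        return "quarantine: executable inside invoice archive"
    return "allow"


def build_sample_zip(member_name, payload):
    """Build a small in-memory zip (constructed test input, not the lure itself)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```

Running `verdict(inspect_zip_attachment(build_sample_zip("boleto.com", b"placeholder")))` quarantines the archive on the executable extension alone; a real capture of the sample would additionally trip the hash match.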

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: Nota Fiscal Eletrônica

Message Body:

Esta mensagem refere-se a Nota Fiscal Eletrônica Nacional de série/número 1/3250 emitida para:
Razão Social: MATECOL MAT ELETRICOS LTDA
CNPJ: 10.331.452/0001-47
Para verificar a autorização da SEFAZ referente à nota acima mencionada,
acesse o sítio hxxp//www.nfe.fazenda.gov.br/portal
Chave de acesso: 13265780081100738459887659200120809283091008
Protocolo: NFe 8765320008038301003797331
Este e-mail foi enviado automaticamente pelo Sistema de Nota Fiscal Eletrônica (NF-e)

Malicious software installed by files that are distributed via these messages may be related to the Trojan.Win32.Generic family, which has the ability to download malicious files from the Internet and create a start-up registry entry.

The trojan may open a back door on the infected system to communicate with a remote host. Additionally, the malicious code may attempt to make modifications to the system registry and files.

About the Cisco Security Intelligence Operations

Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends.

Cisco IronPort Virus Outbreak Filters protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures.
