PAYVE - Remit file - Fake American Express email with virus attached


Email:

This is a fake email that looks like it comes from American Express, claiming that a payment to your company has been processed through the American Express Payment Network.

This is THE payvesupport scam that started them all. Other emails in the spoofed payvesupport@ aexp.com series:

Some versions have envelope spoofing from fiserv.com.

All the links go to American Express, but the attachment is a virus. The zip file CD092898.088164269892.zip is actually CD092898.098209832098.exe (in the versions I got).
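A mail gateway or analyst can catch this lure before anyone opens it by looking inside the archive rather than trusting its name. The script below is an added example, not code from the post or from American Express: it builds a constructed zip in the same naming shape as the samples above (the "exe" entries are stub bytes carrying only an MZ signature, not a real program) and flags entries by executable extension, by file header, by document-style double extension, and by the campaign's habit of naming the inner file after the archive. Everything inside `build_sample()` is constructed for the demonstration.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# A document-style extension immediately followed by an executable one, e.g. invoice.pdf.exe
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|txt|csv)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.IGNORECASE
)


def inspect_zip(blob: bytes, zip_name: str) -> list:
    """Return one report dict per archive entry: {'name': ..., 'reasons': [...]}.

    zip_name is the attachment's own file name; its first dotted component is compared
    against each entry's first component to spot the CD092898.*.zip -> CD092898.*.exe pattern.
    """
    zip_stem = zip_name.split(".")[0].lower()
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(4)  # only the leading bytes are needed for the signature check
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if head.startswith(b"MZ"):
                reasons.append("MZ header: Windows executable regardless of extension")
            if DOUBLE_EXT_RE.search(info.filename):
                reasons.append("double extension hiding an executable behind a document name")
            if info.filename.split(".")[0].lower() == zip_stem:
                reasons.append("entry name mirrors the archive name (the pattern seen in this campaign)")
            report.append({"name": info.filename, "reasons": reasons})
    return report


def is_suspicious(report: list) -> bool:
    """True when any entry in the archive picked up at least one reason."""
    return any(r["reasons"] for r in report)


def build_sample() -> bytes:
    """Constructed archive in the campaign's naming shape (not the real attachment).

    The 'exe' entries are stub bytes with an MZ signature only, not a real program.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("CD092898.098209832098.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("details.pdf.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("remittance.csv", b"invoice,amount\nINV-0001,100.00\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_zip(build_sample(), "CD092898.001596138316.zip"):
        print(entry["name"], "->", entry["reasons"] or "clean")
```

The MZ check is the one that matters most: renaming the payload to `.txt` or `.pdf` defeats the extension tests but not the header test. The "mirrors the archive name" rule is specific to this campaign and would be noisy on its own; treat it as a supporting indicator, not a verdict.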


Subject: PAYVE - Remit file

A payment(s) to your company has been processed through the American Express Payment Network.
The remittance details for the payment(s) are attached (CD0199381.583675386201.zip).

- The remittance file contains invoice information passed by your buyer.
Please contact your buyer for additional information not available in the file.

- The funds associated with this payment will be deposited into your bank account
according to the terms of your American Express merchant agreement and may be
combined with other American Express deposits.

For additional information about Deposits, Fees, or your American Express merchant agreement:
Contact American Express Merchant Services at 1-800-528-7214 Monday to Friday, 8:00 AM to 8:00 PM ET.

- You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services.

If you are not enrolled in My Merchant Account/OMS, you can do so at
www.americanexpress.com/mymerchantaccount or call us at 1-866-220-8948, Monday - Friday
between 9:00 AM-7:30 PM ET, and we'll be glad to help you.

For quick and easy enrollment, please have your American Express Merchant Number,
bank account ABA (routing number) and DDA (account number) on hand.

This customer service e-mail was sent to you by American Express. You may receive
customer service e-mails even if you have unsubscribed from marketing e-mails
from American Express.

Copyright 2013 American Express Company. All rights reserved Contact Customer Service:
https:// www.americanexpress.com/messagecenter

******************************************************************************
"This message and any attachments are solely for the intended recipient and may
contain confidential or privileged information. If you are not the intended
recipient, any disclosure, copying, use, or distribution of the information
included in this message and any attachments is prohibited. If you have
received this communication in error, please notify us by reply e-mail
and immediately and permanently delete this message and any attachments. Thank you."
******************************************************************************

CD01935465.583675386201.zip (16)



Header examples:

Spoofs PAYVESUPPORT @AEXP.COM in From headers almost always. Spoofs just about everything from aexp.com, fiserv.com, nacha.org, and others in Envelope From and sometimes Helo.

cbl.abuseat.org classifies these as being Cutwail spambots.

Received: from bell.ca [76.70.34.226]
X-Envelope-From: notification @fiserv.com
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file

Received: from altom-sa.static.otenet.gr [83.235.174.207]
X-Envelope-From: auto-notification @fiserv.com
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file

Received: from p5793C3B8.dip0.t-ipconnect.de [87.147.195.184]
X-Envelope-From: service @fiserv.com
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file

Received: from fiserv.com ([41.70.177.28]
X-Envelope-From: auto-notification @fiserv.com
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file

Received: from 2.132.131.82.megaline.telecom.kz [2.132.131.82]
X-Envelope-From: service @fiserv.com
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file

Received: from sbs2003.kwongwah.com [203.198.138.138]
X-Envelope-From: ach.status @nacha.org
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file

Received: from nacha.org [202.155.204.150]
X-Barracuda-Envelope-From: ach.status @nacha.org
From: "PAYVESUPPORT @AEXP.COM" <PAYVESUPPORT @AEXP.COM>
Subject: PAYVE - Remit file
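The header samples above share one shape: the From header claims aexp.com, the envelope sender claims fiserv.com or nacha.org, and the Received line shows the message arriving from a consumer or hosting address that belongs to neither. The script below is an added example, not code from the post, that turns those three observations into a check a gateway rule or an analyst script could apply. The samples are constructed copies of two of the post's header excerpts plus one hypothetical well-formed message for contrast; the post writes addresses as "PAYVESUPPORT @AEXP.COM" and that space, its own obfuscation, is dropped here. The registrable-domain helper is a deliberate simplification (last two labels, no public suffix list) and is labelled as such.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Envelope-sender headers as they appear in the post's samples, plus the standard Return-Path.
ENVELOPE_HEADERS = ("X-Envelope-From", "X-Barracuda-Envelope-From", "Return-Path")
# Matches "from <host> [<ip>]" and "from <host> ([<ip>]" as written in the post's Received lines.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(?\[([\d.]+)\]", re.IGNORECASE)

# Constructed samples modelled on the post's header excerpts (obfuscating spaces removed).
SAMPLES = {
    "spoofed_relay": (
        "Received: from bell.ca [76.70.34.226]\n"
        "X-Envelope-From: notification@fiserv.com\n"
        'From: "PAYVESUPPORT@AEXP.COM" <PAYVESUPPORT@AEXP.COM>\n'
        "Subject: PAYVE - Remit file\n"
    ),
    "spoofed_helo": (
        "Received: from fiserv.com ([41.70.177.28]\n"
        "X-Envelope-From: auto-notification@fiserv.com\n"
        'From: "PAYVESUPPORT@AEXP.COM" <PAYVESUPPORT@AEXP.COM>\n'
        "Subject: PAYVE - Remit file\n"
    ),
    # Hypothetical consistent message for comparison; example.com and 192.0.2.0/24 are reserved.
    "consistent": (
        "Received: from mail.example.com [192.0.2.10]\n"
        "Return-Path: <notify@example.com>\n"
        'From: "Notify" <notify@example.com>\n'
        "Subject: Remittance advice\n"
    ),
}


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of a registrable domain (assumption: good enough
    for these samples; a real deployment would consult the public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address in any RFC 5322 form, or '' if none."""
    _, email = parseaddr(addr)
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def analyze(raw_headers: str) -> dict:
    """Compare the From domain, the envelope-sender domain and the first relay host."""
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From", ""))
    envelope = next((msg[h] for h in ENVELOPE_HEADERS if msg.get(h)), "")
    envelope_domain = domain_of(envelope)
    match = RECEIVED_RE.search(msg.get("Received", ""))
    relay_host, relay_ip = match.groups() if match else ("", "")
    relay_domain = registrable(relay_host)
    claimed = {d for d in (from_domain, envelope_domain) if d}

    findings, notes = [], []
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(
            f"From domain {from_domain} does not match envelope sender domain {envelope_domain}"
        )
    if relay_domain and relay_domain not in claimed:
        findings.append(
            f"relayed from {relay_host} [{relay_ip}], unrelated to claimed {sorted(claimed)}"
        )
    elif relay_domain:
        # A relay name that matches is only the sender's HELO claim; the IP still needs checking.
        notes.append(
            f"relay name {relay_host} matches a claimed domain but is self-asserted; "
            f"verify {relay_ip} with reverse DNS and SPF before trusting it"
        )
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "relay_host": relay_host,
        "relay_ip": relay_ip,
        "relay_domain": relay_domain,
        "findings": findings,
        "notes": notes,
    }


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = analyze(raw)
        print(label, "->", result["findings"] or "no mismatches", result["notes"])
```

The fourth sample in the post, where the Received line itself reads `fiserv.com`, is why the relay check cannot stop at the name: a spambot can say any HELO it likes, and the only thing it cannot forge is the connecting IP recorded by your own server. That is the value this script flags as a note rather than a pass, and an SPF or reverse-DNS lookup on that IP is the natural next step.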

Attachment Examples:

March 2013:

CD092898.001596138316.zip containing CD092898.098209832098.exe

VirusTotal report: here

Avast Win32:LockScreen-TV [Trj]
ESET-NOD32 Win32/PSW.Fareit.A
ClamAV Win.Trojan.Tepfer-214
F-Prot W32/Trojan3.EYD
Comodo TrojWare.Win32.Kryptik.AYL
Symantec Trojan.Zbot
Malwarebytes Trojan.LameShield
F-Secure Trojan.Generic.KDV.899737
Kaspersky Trojan-PSW.Win32.Tepfer.helv
Sophos Troj/Agent-AASP
Microsoft PWS:Win32/Fareit.gen!C
AVG PSW.Generic10.CGPH
McAfee BackDoor-FJW

12 November 2013:

CD01935465.583675386201.zip containing CD01935465.{_tracking}.exe

VirusTotal report: here

Fortinet W32/Small.ABS!tr
Kaspersky UDS:DangerousObject.Multi.Generic
Malwarebytes Trojan.Dropper
AntiVir TR/Crypt.XPACK.Gen3

Malwr.com report: here

Starts servers listening on 0.0.0.0:0, 0.0.0.0:4730, 0.0.0.0:6012
Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Operates on local firewall's policies and settings
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

Contacts via TCP:
kyron.co.uk 78.137.113.21

From the PCAP file, UDP traffic:

These addresses had back-and-forth UDP communications:
108.65.194.40 UNITED STATES
108.74.123.50 UNITED STATES
186.94.133.250 VENEZUELA, BOLIVARIAN REPUBLIC OF
212.251.104.12 GREECE
217.220.223.102 ITALY
217.35.75.232 UNITED KINGDOM
217.35.80.36 UNITED KINGDOM
31.52.84.139 UNITED KINGDOM
67.230.94.4 UNITED STATES
70.169.168.37 UNITED STATES
70.30.53.56 CANADA
71.52.51.131 UNITED STATES
79.189.188.250 POLAND
86.159.85.210 UNITED KINGDOM
94.247.29.186 FRANCE
98.164.247.13 UNITED STATES
99.48.126.246 UNITED STATES

These addresses were sent UDP but never answered back:
196.217.245.197 MOROCCO
46.103.61.206 GREECE
80.135.41.92 GERMANY
91.236.245.22 BELGIUM
93.199.32.154 GERMANY
99.42.81.101 UNITED STATES
