Fiserv Secure Email Notification - Virus


Email

A fake Fiserv secure email notification scam email carries a virus in a zip file attachment. In some versions the zip is password protected, which adds to the "secure" flavor and keeps mail gateways from scanning the payload.

The email claims that you have received a secure message and spoofs payvesupport @aexp.com and fiserv.com in the FROM headers.

Other emails in the spoofed payvesupport@ aexp.com series:

Other emails in the spoofed fiserv.com series:


Subject: Fiserv Secure Email Notification - 7DUDZ2UXKGEZ0YE

Subject: Fiserv Secure Email Notification - IS4B3DV7EOFOPK9

Subject: Fiserv Secure Email Notification - 4C0PCF14BIFCI78

...etc

Encryption

You have received a secure message

Read your secure message by opening the attachment, Notification_7DUDZ2UXKGEZ0YE.zip.
You will be prompted to open (view) the file or save (download) it to your computer.
For best results, save the file first, then open it in a Web browser. To access from a mobile device,
forward this message to mobile @res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly.
For questions about secure e-mail encryption service, please contact technical support
at 888.914.1728.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Notification_7DUDZ2UXKGEZ0YE.zip

Another variation uses a password-protected zip file:

You have received a secure message

Read your secure message by opening the attachment, Case_EHV3GC98NDO54AQ.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password - KsUs3Z921mA

To read the encrypted message, complete the following steps:
blah blah....

Case_EHV3GC98NDO54AQ.zip (140)

   Subject: Fiserv Secure Email Notification - 3749572

You have received a secure message

Read your secure message by opening the attachment, SecureMessage_9IO6QY1RFHM38MZ.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password - Iu1JsoKaQ

To read the encrypted message, complete the following steps:
...blah blah...

  Subject: Fiserv Secure Email Notification - 9307993

You have received a secure message

Read your secure message by opening the attachment, Incident_9307993.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password - ISU8sSG2pLL

To read the encrypted message, complete the following steps:
...blah blah blah

Incident_9307993.zip (12)

Header Examples:

Spoofs fiserv.com or nacha.org in the From headers, with something else such as aexp.com or random junk in the envelope headers. Several mix-and-match variants have been seen.

Received: from 75-41-69-25.dsl.wlfrct.sbcglobal.net [75.41.69.25]
X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
Message-ID: <515AF427.6080203 @fiserv.com>
From: Heath_Mcgill @fiserv.com

Received: from 201-155-199-173-sta.prod-empresarial.com.mx [201.155.199.173]
X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
Message-ID: <515AE603.8060305 @fiserv.com>

Received: from mail.cornel.co.uk (mail.cornel.co.uk [93.152.125.89])
X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
Message-ID: <515AF45F.5000207@ fiserv.com>
From: Leticia_Harmon @fiserv.com

Received: from bzq-218-188-186.red.bezeqint.net [81.218.188.186]
X-Envelope-From: steamiesblu04 @repro.oceusa.com
From: "Fiserv Secure Notification" <secure.notification @fiserv.com>
Subject: Fiserv Secure Email Notification - 7578858

Received: from 78.186.131.254.static.ttnet.com.tr [78.186.131.254]
X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
Message-ID: <515AE66B.4050801 @fiserv.com>
From: Charity_Simon @fiserv.com

Received: from KNUWYUFHII [123.21.108.97]
X-Envelope-From: clownishly813 @royalairmaroc.com
From: "Fiserv Secure Notification" <secure.notification @fiserv.com>
Subject: Fiserv Secure Email Notification - 9307993

Received: from 124x35x83x156.ap124.ftth.ucom.ne.jp [124.35.83.156]
X-Envelope-From: service @nacha.org
From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from c-24-9-68-171.hsd1.co.comcast.net [24.9.68.171]
X-Envelope-From: ach-status @nacha.org
From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Attachments

2 April 2013

Notification_7DUDZ2UXKGEZ0YE.zip containing Client_Notification.exe | VirusTotal report

16 April 2013

Case_EHV3GC98NDO54AQ.zip containing Case_Fiserv_04162013.exe | VirusTotal report  

3 June 2013

SecureMessage_9IO6QY1RFHM38MZ.zip containing SecureMessage_06032013.exe | VirusTotal report 

28 April 2014

Incident_9307993.zip containing Incident-04282014.scr | VirusTotal report

AntiVir: TR/Dropper.Gen2
Avast: Win32:Morphex [Cryp]
Symantec: Suspicious.Cloud
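A defender's triage helper for this campaign, added here and not part of the original post: it checks the two things the header samples and the attachment list above show, a From domain (fiserv.com) that disagrees with the envelope sender domain, plus a zip whose member names end in .exe or .scr. The sample headers are constructed from the page's own examples with the obfuscating space before "@" removed, and the zip is a constructed stand-in with no real binary inside.

```python
import io
import re
import zipfile
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the spoofed headers quoted on this page.
SAMPLE_HEADERS = """\
Received: from KNUWYUFHII [123.21.108.97]
X-Envelope-From: clownishly813@royalairmaroc.com
From: "Fiserv Secure Notification" <secure.notification@fiserv.com>
Subject: Fiserv Secure Email Notification - 9307993
"""
SUBJECT_RE = re.compile(r"^Fiserv Secure Email Notification - [A-Z0-9]+$")
EXEC_EXT = (".exe", ".scr")  # extensions seen inside the lure zips on this page

def domain_of(addr: str) -> str:
    """Lower-cased domain of an RFC 5322 address, or '' if none."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def triage_headers(raw: str) -> dict:
    """Flag the From/envelope-sender domain mismatch and the lure subject."""
    msg = message_from_string(raw)
    envelope = msg.get("X-Envelope-From") or msg.get("X-Barracuda-Envelope-From") or ""
    from_dom, env_dom = domain_of(msg.get("From", "")), domain_of(envelope)
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "envelope_mismatch": bool(from_dom and env_dom and from_dom != env_dom),
        "lure_subject": bool(SUBJECT_RE.match(msg.get("Subject", ""))),
    }

def zip_member_names(data: bytes) -> list:
    """The central directory stays readable even in a password-protected zip,
    so member names can be inspected without a password or extraction."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def risky_members(names) -> list:
    """Members whose names end in an executable extension."""
    return [n for n in names if n.lower().endswith(EXEC_EXT)]

def is_suspicious(raw_headers: str, zip_data: bytes) -> bool:
    t = triage_headers(raw_headers)
    return (t["envelope_mismatch"] or t["lure_subject"]) and bool(risky_members(zip_member_names(zip_data)))

def build_sample_zip() -> bytes:
    """Constructed stand-in for the lure zip: a text file named like the page's .scr dropper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Incident-04282014.scr", "placeholder text, not a real binary")
    return buf.getvalue()
```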
