Fiserv Secure Email Notification - Virus


A fake Fiserv secure email notification scam email carries a virus in a zip file attachment. In some versions the zip is password protected, to add to that "secure" flavor.

The email claims that you have received a secure message, and spoofs payvesupport @aexp.com and fiserv.com in the FROM headers.

Other emails in the spoofed payvesupport@ aexp.com series:

Other emails in the spoofed fiserv.com series:


Subject: Fiserv Secure Email Notification - 7DUDZ2UXKGEZ0YE

Subject: Fiserv Secure Email Notification - IS4B3DV7EOFOPK9

Subject: Fiserv Secure Email Notification - 4C0PCF14BIFCI78

...etc

Encryption

You have received a secure message

Read your secure message by opening the attachment,
Notification_7DUDZ2UXKGEZ0YE.zip. You will be prompted
to open (view) the file or save (download) it to your computer.
For best results, save the file first, then open it in a Web browser.
To access from a mobile device, forward this message to
mobile @res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please
contact the sender directly. For questions about secure
e-mail encryption service, please contact technical support
at 888.914.1728.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Notification_7DUDZ2UXKGEZ0YE.zip

Another variation uses a password-protected zip file:

You have received a secure message

Read your secure message by opening the attachment,
Case_EHV3GC98NDO54AQ.zip.

The attached file contains the encrypted message
that you have received.

To decrypt the message use the following password -
KsUs3Z921mA

To read the encrypted message, complete the following steps:

- Double-click the encrypted message file attachment
to download the file to your computer.
- Select whether to open the file or save it to your
hard drive. Opening the file displays the attachment in
a new browser window.
- The message is password-protected, enter your
password to open it.

To access from a mobile device, forward this message
to mobile @res.fiserv.com to receive a mobile login URL.

blah blah....

Case_EHV3GC98NDO54AQ.zip (140)

OR

You have received a secure message

Read your secure message by opening the attachment,
SecureMessage_9IO6QY1RFHM38MZ.zip.

The attached file contains the encrypted message
that you have received.

To decrypt the message use the following password - Iu1JsoKaQ

To read the encrypted message, complete the following steps:

- Double-click the encrypted message file attachment
to download the file to your computer.
- Select whether to open the file or save it to your
hard drive. Opening the file displays the attachment
in a new browser window.
- The message is password-protected, enter your
password to open it.

To access from a mobile device, forward this message
to mobile @res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message,
please contact the sender directly. For questions about
secure e-mail encryption service, please contact technical
support at 888.544.6608.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

SecureMessage_9IO6QY1RFHM38MZ.zip (136)

Headers: Spoofing fiserv.com and aexp.com...

Received: from 75-41-69-25.dsl.wlfrct.sbcglobal.net [75.41.69.25]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AF427.6080203 @fiserv.com>
   From: Heath_Mcgill @fiserv.com

Received: from 201-155-199-173-sta.prod-empresarial.com.mx [201.155.199.173]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AE603.8060305 @fiserv.com>

Received: from mail.cornel.co.uk (mail.cornel.co.uk [93.152.125.89])
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AF45F.5000207 @fiserv.com>
   From: Leticia_Harmon @fiserv.com

Received: from 173-13-198-221-WashingtonDC.hfc.comcastbusiness.net [173.13.198.221]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Return-Path: <secure.notification @fiserv.com>

Received: from 78.186.131.254.static.ttnet.com.tr [78.186.131.254]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AE66B.4050801 @fiserv.com>
   From: Charity_Simon @fiserv.com

Received: from cpe-98-144-123-37.wi.res.rr.com [98.144.123.37]
   Return-Path: <secure.notification @fiserv.com>
   From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from 64-199-2-234.ip.mcleodusa.net [64.199.2.234]
   X-Barracuda-Envelope-From: service @fiserv.com
   From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from c-24-13-194-118.hsd1.il.comcast.net [24.13.194.118]
   X-Barracuda-Envelope-From: auto-notification @fiserv.com
   Return-Path: <secure.notification @fiserv.com>
   From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

The NACHA.org spoofing variants:

Received: from S010600222d999ac8.wp.shawcable.net [174.5.150.95]
  X-Envelope-From: support @nacha.org
  From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from 203186011105.static.ctinets.com [203.186.11.105]
  X-Envelope-From: service @nacha.org
  From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from h-74-3-119-147.nycm.ny.megapath.net [74.3.119.147]
  X-Envelope-From: service @nacha.org
  From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from 124x35x83x156.ap124.ftth.ucom.ne.jp [124.35.83.156]
  X-Envelope-From: service @nacha.org
  From: "Fiserv Secure Notification" <secure.notification @fiserv.com>

Received: from c-24-9-68-171.hsd1.co.comcast.net [24.9.68.171]
  X-Envelope-From: ach-status @nacha.org
  From: "Fiserv Secure Notification" <secure.notification @fiserv.com>
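The header excerpts above share one shape: the envelope sender (aexp.com or nacha.org) does not match the fiserv.com From address, the first hop is a broadband customer host rather than a corporate mail server, and the subject and attachment names follow a fixed pattern. The following is an added example (not from the original post) of a small triage check that flags those traits; the sample header block is constructed from the first excerpt, with the defanging space before "@" removed, and the "consumer broadband" hostname fragments are a heuristic, not a definitive list.

```python
import re
from email import message_from_string

# Constructed sample modelled on the first header excerpt quoted in the post.
SAMPLE_HEADERS = """\
Received: from 75-41-69-25.dsl.wlfrct.sbcglobal.net [75.41.69.25]
X-Barracuda-Envelope-From: PAYVESUPPORT@AEXP.COM
Message-ID: <515AF427.6080203@fiserv.com>
From: Heath_Mcgill@fiserv.com
Subject: Fiserv Secure Email Notification - 7DUDZ2UXKGEZ0YE

"""

# Subject and attachment naming seen across the variants in the post.
SUBJECT_RE = re.compile(r"^Fiserv Secure Email Notification - [A-Z0-9]{15}$")
ATTACHMENT_RE = re.compile(r"^(Notification|Case|SecureMessage)_[A-Z0-9]{15}\.zip$")
# Heuristic reverse-DNS fragments typical of ISP customer hosts (assumption).
CONSUMER_RDNS = ("dsl.", "cable", "comcast", "hsd1", ".rr.com", "dynamic")


def _domain(addr):
    """Lower-cased domain part of 'Name <user@host>' or 'user@host'; '' if none."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def analyze(raw_headers, attachment_name=None):
    """Return a list of human-readable findings for one message's raw headers."""
    msg = message_from_string(raw_headers)
    findings = []
    from_dom = _domain(msg.get("From"))
    # Gateway-added envelope header first, falling back to Return-Path.
    env_dom = _domain(msg.get("X-Barracuda-Envelope-From")
                      or msg.get("X-Envelope-From") or msg.get("Return-Path"))
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(f"envelope domain {env_dom} != From domain {from_dom}")
    for rcvd in msg.get_all("Received", []):
        host = rcvd.split()[1] if rcvd.startswith("from ") else ""
        if any(frag in host.lower() for frag in CONSUMER_RDNS):
            findings.append(f"handed in by consumer broadband host {host}")
    if SUBJECT_RE.match(msg.get("Subject", "")):
        findings.append("subject matches the Fiserv notification lure pattern")
    if attachment_name and ATTACHMENT_RE.match(attachment_name):
        findings.append(f"attachment name {attachment_name} matches lure pattern")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_HEADERS, "Notification_7DUDZ2UXKGEZ0YE.zip"):
        print("-", line)
```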


Attachment, one example:

Notification_7DUDZ2UXKGEZ0YE.zip containing Client_Notification.exe with MD5 of 2bafc5a5528a8b1bcc0561e4182e068f

https://www.virustotal.com/en/file/bb86233351ff2ee32983f589680920b6dbd43ccf43c14ad4db40b7f2d95848a6/analysis/

Fortinet        W32/Kryptik.WEP!tr
Malwarebytes    Trojan.Agent.RVGen0X
VBA32           Malware-Cryptor.Fareit.2913
TrendMicro      PAK_Generic.001
Avast           Win32:Trojan-gen
AVG             Downloader.Generic13.ANJU
Microsoft       PWS:Win32/Fareit
Symantec        Downloader.Ponik

In the password-protected version, two examples:

Case_EHV3GC98NDO54AQ.zip containing Case_Fiserv_04162013.exe

https://www.virustotal.com/en/file/3143dbfbcf608abbdeb5449da38c2c5bcdb1f4873ea2c229da2e921c5b071764/analysis/1366116651/

Kaspersky       Trojan-PSW.Win32.Tepfer.iifq
Sophos          Troj/Zbot-EPP
Microsoft       PWS:Win32/Fareit
Malwarebytes    Malware.Packer.EGX7
AVG             Crypt.BTIB
McAfee          BackDoor-FAQY

SecureMessage_9IO6QY1RFHM38MZ.zip containing SecureMessage_06032013.exe

https://www.virustotal.com/en/file/8de188a7813dc1d2de3c610828dcdd09b266fba317100d814a7811b6615ca8e6/analysis/1370279355/

Malwarebytes    Trojan.Agent.zrf
Kaspersky       Trojan-PSW.Win32.Tepfer.lnga
McAfee          Ransom-FCFH!2994F3319096
F-Prot          W32/Trojan3.FJC


Song playing when article was written: Rescue Me by Zebrahead.
