TechHelpList.com


You have received a secure message

The "secure message" scam is going strong these days. A lot of banks and other companies use secure email services, and these scams try to look like those messages.

A newer version, with the subject "Key Secure Message" and a password-protected zip containing a virus, can be found here:

http://techhelplist.com/index.php/spam-list/170-key-secured-message-virus-phishing

The "You have received a secure message" email seems to come in Citibank (Citi Bank) and Keybank (Key Bank) flavors. It usually comes with an attachment that claims to be a zip file or an HTML file, and that attachment generally contains malicious code.

The best thing you can do is look at the email headers to see where the email actually came from.

The CITI version

A picture of the Citibank version.

Keybank variation 1.

A picture of the Keybank Version 1.

Keybank variation 2. Fake Ironport.

A picture of the new, fancy, fake Ironport, Version 2.


The text versions:

--------------------


You have received a secure message

Read your secure message by opening the attachment, SECUREDOC. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.

First time users - will need to register after opening the attachment.
Help - https://mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https://mailsafe.keybank.com/websafe/about



securedoc.zip (152)

-------------------


You have received a secure message

Read your secure message by opening the attachment, securedoc.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the Citi Secure Email Help Desk at (866) 535-2504.

First time users - will need to register after opening the attachment.
About Email Encryption - http://www.citi.com/citi/citizen/privacy/email.htm



securedoc.html (<1)

--------------------

KeyBank SecureMessage


Iron Port

Encryption

You have received a secure message

Read your secure message by opening the attachment, Secure_Message.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to [e-mail address removed] to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about Key's e-mail encryption service, please contact technical support at 888.764.7941.
First time users - will need to register after opening the attachment.

Help - https://mailsafe.keybank.com/websafe/help?topic=RegEnvelope
About IronPort Encryption - https://mailsafe.keybank.com/websafe/about

Sincerely,
Bruno_Hendrickson
KeyCorp Level III Support

Powered by IronPort

2000-2012 Cisco Systems, Inc. All rights reserved.



Secure_Message.zip (132)


KeyBank SecureMessage

The HSBC version:

You have received a secure message

Read your secure message by opening the attachment, message_zdm. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it with Internet Explorer.

If you have concerns about the validity of this message, please contact the sender directly. For questions please contact the HSBC Secure Mail Help Desk.

A picture of the fake HSBC version.

-------------------

The best thing you can do, if you actually do deal with people who use secure document services, is to look at the headers to see where the IP address that sent or relayed the email to your Mail Transport Agent (mail server) is from. The "from" email address is irrelevant.

Headers: Citibank version:

Received: from host-41.33.182.226.tedata.net [41.33.182.226]
X-Envelope-From: hungm0 @purifiercn.ru
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from bell.ca [70.51.121.206]
X-Envelope-From: reubenmau18 @heinemann.com
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from rrcs-67-53-74-130.sw.biz.rr.com [67.53.74.130]
X-Envelope-From: cantataslxk82 @casesmaker.ru
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from 87.68.66.23.cable.012.net.il [87.68.66.23]
X-Envelope-From: cartilageg9 @livenirvana.com
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from 50-203-85-174-static.hfc.comcastbusiness.net [50.203.85.174]
X-Envelope-From: cooperate2 @surewest.com
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from tony09-123-251.inter.net.il [213.8.123.251]
X-Envelope-From: beliedy @casesmaker.ru
From: "secure.email @citi.com" <secure.email @citi.com>

Received: from Kingsinfiniti.com [74.8.191.228]
X-Envelope-From: stowsiuw2 @compufort.com
From: "secure.email @citi.com" <secure.email @citi.com>

You can look up the IP addresses on ARIN, RIPE, APNIC, LACNIC, etc. and see that they come from all over the world. The DSL and Comcast addresses especially are mostly just infected computers sending spam. None of them resolve to Citi Bank or Key Bank, or to Cisco for IronPort. None of them resolve to sensible companies or places.
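As an added example (not from the original article), here is a small Python triage routine that does what the paragraphs above describe: it pulls the connecting host and IP out of the Received line written by your own mail server, then compares the displayed From domain with the envelope sender and with that relay. The sample headers are constructed from the Citi example above; the server name mx.example.invalid is a hypothetical stand-in for your own MX.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the Citi headers quoted above; the "by" host
# mx.example.invalid stands in for your own mail server.
SAMPLE = """\
Received: from host-41.33.182.226.tedata.net [41.33.182.226]
 by mx.example.invalid with SMTP id 4x7; Thu, 21 Mar 2013 10:00:00 +0000
X-Envelope-From: hungm0@purifiercn.ru
From: "secure.email@citi.com" <secure.email@citi.com>
Subject: You have received a secure message

Read your secure message by opening the attachment, securedoc.html.
"""

# "from <helo-name> [<ip>] by <server>" as written by common MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+(?:\(.*?\)\s+)?\[([0-9.]+)\]\s+by\s+(\S+)")

def first_hop(raw, our_mx):
    """Return (host_name, ip) from the Received line that OUR server added.
    Only hops recorded by a server you control are trustworthy; Received
    lines below that one in the stack may have been forged by the sender."""
    for rcv in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(rcv.split()))  # unfold continuation lines
        if m and m.group(3).lower() == our_mx.lower():
            return m.group(1).lower(), m.group(2)
    return None

def domain(addr):
    """Domain part of an address header, lower-cased ('' if absent)."""
    mailbox = parseaddr(addr)[1]
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""

def triage(raw, our_mx):
    """Flag the mismatches the article describes: the displayed From, the
    envelope sender and the host that actually connected to our MX."""
    msg = message_from_string(raw)
    hop = first_hop(raw, our_mx)
    from_dom = domain(msg.get("From", ""))
    env_dom = domain(msg.get("X-Envelope-From", ""))
    findings = []
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} differs from From domain {from_dom}")
    if hop and from_dom and hop[0] != from_dom and not hop[0].endswith("." + from_dom):
        findings.append(f"relay {hop[0]} [{hop[1]}] is not a {from_dom} host")
    return {"relay": hop, "from": from_dom, "envelope": env_dom, "findings": findings}
```

The relay IP returned here is the one to look up at the regional registries; the script deliberately stays offline and does not do the WHOIS query itself.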

It seems like "securedoc.html" and "securedoc.zip" are popular attachment names for this kind of email. The zips tend to contain executables. The HTMLs tend to run JavaScript.

The attachment examples:

One version I tested was message_zdm.zip, which contained message_zdm.exe.

md5 0c09a73a97745dd24ad4fd78f7abcc2a

https://www.virustotal.com/en/file/13c0b8ac1081827273f0ae7e3325a76c6c0c8ee791f79f58a3e9dafc36f4b84c/analysis/1363874314/

McAfee     Trojan-FBGF!0C09A73A9774
Microsoft     PWS:Win32/Fareit.gen!I
Symantec     Packed.Generic.402
Malwarebytes     Malware.Packer.SGX4
Sophos     Mal/Generic-S
Kaspersky     HEUR:Trojan.Win32.Generic

securedoc.html.zip, containing securedoc.html.exe with an MD5 of af0745bc24bb7efef5193788f036c9c2

https://www.virustotal.com/en/file/819ca14886ab10b984877ccf5b2c65ddb7f75f997b6c730da9935dbb0731c931/analysis/1368456339/

McAfee PWS-Zbot-FAUS!AF0745BC24BB

Fortinet W32/Kryptik.AGAJ!tr
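As an added example that is not part of the original page, the following Python checks the attachment traits the article calls out: a double extension such as securedoc.html.exe, a zip wrapping an executable (recognised by its MZ header rather than its name), an HTML attachment that carries script, and a password-protected zip whose contents cannot be inspected at all. The zip is constructed in memory with a fake MZ stub; no real sample is used.

```python
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

def build_sample_zip():
    """Constructed stand-in for the securedoc.html.zip described above: a
    member named like a web page that is really a PE image (starts with 'MZ')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("securedoc.html.exe", b"MZ" + b"\x00" * 62 + b"constructed stub, not a real program")
        z.writestr("readme.txt", b"plain text member, nothing to flag")
    return buf.getvalue()

def inspect_attachment(name, data):
    """Return the reasons (possibly none) this attachment deserves quarantine."""
    reasons = []
    lower = name.lower()
    parts = lower.split(".")
    if len(parts) > 2:                     # e.g. securedoc.html.exe
        reasons.append(f"{name}: double extension")
    if "." + parts[-1] in EXEC_EXTS:
        reasons.append(f"{name}: executable extension")
    if data[:2] == b"MZ":                  # judge by content, not by name
        reasons.append(f"{name}: PE header (MZ) regardless of extension")
    if lower.endswith((".html", ".htm")) and b"<script" in data.lower():
        reasons.append(f"{name}: HTML attachment carrying script")
    return reasons

def inspect_zip(blob):
    """Walk every member of a zip attachment; the article notes these usually wrap an .exe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.flag_bits & 0x1:       # general-purpose bit 0: member is encrypted
                findings.append(f"{info.filename}: password-protected, content not inspectable")
                continue
            findings.extend(inspect_attachment(info.filename, z.read(info)))
    return findings

if __name__ == "__main__":
    for line in inspect_zip(build_sample_zip()):
        print(line)
```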


Comments
+1 #2 Robert Fouts 2013-04-01 07:34
This is an addition. I have found out how the virus works. It is a curious virus. For a computer that is connected to the internet 24/7 it hijacks the logout, so the only way to exit the internet is to turn off the computer. The other part is odd. It attaches a 250 kb exe "boot" to the surface of any files in an attached flashdrive, and the infection is also through the attached flashdrive.
It lets you open the file or folder once, then locks it. It will not permit deletion. It appears to have at its origin a government type security program, suggesting that it is a bona fide cyberattack by a foreign government. The dates of creation are Mar 15, 2013 and Mar 20, 2013. The booted files and folders all have the property of "Pwurlzn". Probably the program to release the boot. Inside the boot, the files are undamaged, but the infected flashdrive can never be inserted into a USB port again.
How many devices now depend on files stored on a flash drive?

-- From THL:
As I understand it, most of these are malware packers/droppers that join you to the botnet they came from for later use in DDoS attacks, spam generation, and bitcoin mining.
 
 
+1 #1 Robert Fouts 2013-03-28 22:06
I received one of those keycorp e-mails. I had just cleaned my harddrive of anything that could be used against me; they were saved to external media. The internet account is firewalled with no administrative rights. The only type of exe that can be opened in it is in a DOS window, which is restricted accordingly. I did some copying in the external media for the archives, and then opened it. First a file opens up. When you open the file, it vanishes after a few seconds, no message. Now in my case, the computer should have simply deleted it as not permitted, end of story. Others without this simple trick will have their harddrive infected.
I opened the file with notepad to read it, and after the machine codes I found four file addresses listed: KERNEL32.DLL ADVAPI32.DLL GDI32.DLL USER32.DLL

-- FROM THL:
Here's another trick: Open the email in Linux.
Run "strings filename".
Or if you want to see what it will do, run a Windows in a VM like in Sun VirtualBox or Xenserver or something.