
Email

A fake Fiserv "secure email notification" scam email carries a virus in a zip file attachment. In some versions the zip is password-protected, which adds to the "secure" flavor.

The email claims that you have received a secure message, and spoofs payvesupport @aexp.com and fiserv.com in the FROM headers.

Subject: Fiserv Secure Email Notification - 0302543

 You have received a secure message

Read your secure message by opening the attachment, SecureFile.zip.

The attached file contains the encrypted message that you have received.

To read the encrypted message, complete the following steps:
- Double-click the encrypted message file attachment to download the file to your computer.
- Select whether to open the file or save it to your hard drive. Opening the file displays the attachment in a new browser window.

To access from a mobile device, forward this message to mobile @res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service,
please contact technical support at 888.526.3264.

2000-2014 Fiserv Secure Systems, Inc. All rights reserved.

SecureFile.zip (13)

Subject: Fiserv Secure Email Notification - 7DUDZ2UXKGEZ0YE

Subject: Fiserv Secure Email Notification - IS4B3DV7EOFOPK9

Subject: Fiserv Secure Email Notification - 4C0PCF14BIFCI78

...etc

 Encryption 

You have received a secure message

Read your secure message by opening the attachment, Notification_7DUDZ2UXKGEZ0YE.zip.
You will be prompted to open (view) the file or save (download) it to your computer.
For best results, save the file first, then open it in a Web browser. To access from a mobile device,
forward this message to mobile @res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly.
For questions about ... blah blah

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Notification_7DUDZ2UXKGEZ0YE.zip

Another variation uses a password-protected zip file:

 You have received a secure message  

Read your secure message by opening the attachment, Case_EHV3GC98NDO54AQ.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password - KsUs3Z921mA

To read the encrypted message, complete the following steps:
blah blah....

Case_EHV3GC98NDO54AQ.zip (140)

   Subject: Fiserv Secure Email Notification - 3749572

 You have received a secure message 
Read your secure message by opening the attachment, SecureMessage_9IO6QY1RFHM38MZ.zip.
The attached file contains the encrypted message that you have received.
To decrypt the message use the following password - Iu1JsoKaQ
To read the encrypted message, complete the following steps:
...blah blah...

  Subject: Fiserv Secure Email Notification - 9307993

 You have received a secure message 

Read your secure message by opening the attachment, Incident_9307993.zip.

The attached file contains the encrypted message that you have received.

To decrypt the message use the following password - ISU8sSG2pLL

To read the encrypted message, complete the following steps:
...blah blah blah

Incident_9307993.zip (12)

Headers

Spoofs fiserv.com or nacha.org in the From header, and something else (aexp.com, or random junk) in the envelope sender headers. Several mix-and-match variants.

Received: from 75-41-69-25.dsl.wlfrct.sbcglobal.net [75.41.69.25]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AF427.6080203 @fiserv.com>
   From: Heath_Mcgill @fiserv.com

Received: from 201-155-199-173-sta.prod-empresarial.com.mx [201.155.199.173]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AE603.8060305 @fiserv.com>

Received: from mail.cornel.co.uk (mail.cornel.co.uk [93.152.125.89]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AF45F.5000207@ fiserv.com>
   From: Leticia_Harmon @fiserv.com

Received: from bzq-218-188-186.red.bezeqint.net [81.218.188.186]
X-Envelope-From: steamiesblu04 @repro.oceusa.com
From: "Fiserv Secure Notification" <secure.notification @fiserv.com>
Subject: Fiserv Secure Email Notification - 7578858

Received: from 78.186.131.254.static.ttnet.com.tr [78.186.131.254]
   X-Barracuda-Envelope-From: PAYVESUPPORT @AEXP.COM
   Message-ID: <515AE66B.4050801 @fiserv.com>
   From: Charity_Simon @fiserv.com

Received: from KNUWYUFHII [123.21.108.97]
X-Envelope-From: clownishly813 @royalairmaroc.com
From: "Fiserv Secure Notification" <secure.notification @fiserv.com>
Subject: Fiserv Secure Email Notification - 9307993

Received: from 124x35x83x156.ap124.ftth.ucom.ne.jp [124.35.83.156])
   X-Envelope-From: service @nacha.org
   From: "Fiserv Secure Notification" <secure.notification @fiserv.com

Received: from c-24-9-68-171.hsd1.co.comcast.net [24.9.68.171]
   X-Envelope-From: ach-status @nacha.org
   From: "Fiserv Secure Notification" <secure.notification @fiserv.com>
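The header pattern above (a bank brand in From, an unrelated envelope sender, first hop on a consumer DSL/cable line) is easy to check mechanically. This is an added example, not code from the original post; the sample headers are constructed from the ones quoted above with the anti-spam spaces removed, and the residential-hostname hints are an assumption.

```python
import re
from email import message_from_string

# Constructed samples modelled on the headers quoted above (not raw captures).
SAMPLES = [
    """Received: from 75-41-69-25.dsl.wlfrct.sbcglobal.net [75.41.69.25]
X-Barracuda-Envelope-From: PAYVESUPPORT@AEXP.COM
Message-ID: <515AF427.6080203@fiserv.com>
From: Heath_Mcgill@fiserv.com
Subject: Fiserv Secure Email Notification - 0302543

body""",
    """Received: from c-24-9-68-171.hsd1.co.comcast.net [24.9.68.171]
X-Envelope-From: ach-status@nacha.org
From: "Fiserv Secure Notification" <secure.notification@fiserv.com>
Subject: Fiserv Secure Email Notification - 9307993

body""",
]

# Headers that carry the SMTP envelope sender, in order of preference.
ENVELOPE_HEADERS = ("X-Envelope-From", "X-Barracuda-Envelope-From", "Return-Path")
# Substrings of reverse-DNS names typical of end-user lines (assumed list);
# a bank's mail gateway is not expected to hand off from such hosts.
RESIDENTIAL_HINTS = ("dsl", "hsd1", "comcast", "sbcglobal", "static", "bezeqint")


def domain_of(addr):
    """Extract the lower-cased domain from an address or display-name form."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def analyse(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    env = next((msg.get(h) for h in ENVELOPE_HEADERS if msg.get(h)), None)
    env_dom = domain_of(env)
    findings = []
    # The core tell: header From domain and envelope sender domain disagree.
    if env_dom and from_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} != header From {from_dom}")
    # The first Received hop: a bank brand arriving from a home DSL/cable host.
    m = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    host = m.group(1).lower() if m else ""
    if any(h in host for h in RESIDENTIAL_HINTS):
        findings.append(f"first hop {host} looks like an end-user line")
    return findings
```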

Malware

15 December 2014 

Attachment: SecureFile.zip containing SecureFile.scr (looks like Upatre)

VirusTotal report 

Norman: Upatre.FH
Sophos: Mal/Generic-S

Malwr.com report 

HTTP:
202.153.35.133:16455 <-- check in
vietnamtravelarticle.com/wp-includes/images/dimg101.pne <-- downloads more malware, encrypted

Performs some HTTP requests
The binary likely contains encrypted or compressed data.
Steals private information from local Internet browsers
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
Creates an Alternate Data Stream (ADS)
Installs itself for autorun at Windows startup

Downloaded and decrypted executable: EXE1.exe (looks like Dyreza)

VirusTotal report 

McAfee: Trojan-FFKX!2AA4076A5B08

Malwr.com report 

Performs some HTTP requests
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)

Downloads:
colonybythesea.com/gallery/ml15.tar
colonybythesea.com/gallery/update.tar

Also resolves :
stun1.voiceeclipse.net <-- a Dyreza thing.

28 April 2014

Attachment: Incident_9307993.zip containing Incident-04282014.scr

VirusTotal report

3 June 2013

Attachment: SecureMessage_9IO6QY1RFHM38MZ.zip containing SecureMessage_06032013.exe

VirusTotal report

2 April 2013

Attachment: Notification_7DUDZ2UXKGEZ0YE.zip containing Client_Notification.exe with 

VirusTotal report 
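Every sample above is a zip whose name matches the lure text and whose only content is a .scr or .exe, sometimes behind a password printed in the mail. A zip's central directory is never encrypted, so a mail gateway can still read entry names and the per-entry encryption flag without the password. This is an added example, not code from the original post; the attachment-name pattern and the extension list are assumptions drawn from the samples, and the zip is constructed in-memory around a harmless text blob.

```python
import io
import re
import zipfile

# Extensions Windows runs directly; .scr is a screensaver, i.e. a renamed PE.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Attachment names seen in this campaign (assumed pattern built from the samples).
LURE_NAME = re.compile(
    r"^(SecureFile|SecureMessage|Notification|Case|Incident)[_-]?\w*\.zip$", re.I)


def triage_zip(filename, data):
    """Classify an e-mail zip attachment from its central directory alone."""
    result = {"lure_name": bool(LURE_NAME.match(filename)),
              "executables": [], "encrypted": False, "block": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a zip archive"
        return result
    for info in zf.infolist():
        # General-purpose bit 0 marks an encrypted entry; names stay readable.
        if info.flag_bits & 0x1:
            result["encrypted"] = True
        name = info.filename
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            result["executables"].append(name)
    # A "secure message" that is really a bare executable is blocked outright.
    result["block"] = bool(result["executables"])
    return result


def make_sample():
    """Constructed stand-in for SecureFile.zip: a text blob named like the .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SecureFile.scr", b"not a real executable, constructed sample")
    return buf.getvalue()
```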
