
Phishing: Walmart 'invoice'



Guest LilBambi

Someone I know TODAY received an email 'claiming' to be an Invoice from info@walmart.com for an online purchase of considerable sum and forwarded a copy of it to me. Here's a copy of the fake invoice (taken from the source of the message, left out the headers):

Dear Customer,

Thank you for shopping at our shop !

This e-mail is to inform you that your order has been shipped out.

The following information is for your reference (see details in the attachment):

* Order No.: Z3566043
* Order Date: 08/13/2006
------------------------------
SUBTOTAL : $1,769.99
SALESTAX : $0.00
SHIPPING : $16.81
TOTAL : $1,786.80
------------------------------
* Ship Via: FDX Overnight Delivery
[ship Date :] 08/14/2006
[Tracking No:] 708745655472

Please note that if your order includes more than one package, the packages may not be delivered at the same time due to the shipping carrier's schedule and the delivery method, and this is out of our control. In addition, backordered items will be shipped separately.

You may check the status of your package's progress at our website. Simply click on "Customer Service", then log into the "Member Center".

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Customers who leave comments for us at either ResellerRatings.com or Pricegrabber will be eligible to receive a flash drive or other cool prize! FOUR drawings will take place every month -- one drawing from each review site on the 1st and the 15th of every calendar month.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Thank you for shopping with us!

15% restocking fee applies to all refunds. All products must be returned in like-new condition, including original packaging and all documentation and accessories. Charges will be applied for all missing accessories or parts. Our shop will not accept items that have been physically damaged or misused. Return periods for different product categories range from zero to 30 days.

------------EE781142F14447C
Content-Type: application/x-zip-compressed; name="Z3566043.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Z3566043.zip"

I submitted the attachment to Jotti's Online malware scan and here's the results:

File: Z3566043.zip
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 d8db873938a7742414b382ecf2a1a8e0
Packers detected: FSG
----
Scanner results
AntiVir Found Heuristic/Crypted.SZ (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Haxdoor.LB@bd
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Haxdoor
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Dropper.Microjoin.2 (probable variant)

I found this on Symantec's site:

Threat Advisory Center
Infected Fake Emails from Online Retailers

What It Is

Symantec Security Response is advising users to take extra precautions when opening emails from online retailers.

On July 24, 2006 Symantec Security Response observed an increase in email activity through Symantec’s Global Intelligence Network. The emails contain a message and/or attachment about an online order supposedly placed by the recipient. These emails appear to come from a legitimate online retailer, but in fact the emails are coming from a malicious attacker. The message indicates that the attached file is the invoice for the order, but instead it contains a backdoor trojan, and if executed will compromise the user’s computer.

Symantec Security Response has determined that these emails are variants of the Haxdoor backdoor trojan. Virus definitions released on July 24, 2006 by Symantec will detect this threat as Backdoor.Haxdoor.O. Some variants of this threat may already be detected as Backdoor.Haxdoor.I.

Symantec advises users to be suspicious of unexpected emails that contain attachments claiming to be from online retailers. Symantec will closely monitor this situation and will provide updates and security content as it becomes available.

and this on Haxdoor.O:

Discovered: July 23, 2006
Updated: July 24, 2006 03:35:58 PM PDT
Also Known As: Backdoor.Haxdoor.I
Type: Trojan Horse
Infection Length: 56,276 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Backdoor.Haxdoor.O is a Trojan horse program that opens a back door on the compromised computer and allows a remote attacker to have unauthorized access. It also logs keystrokes, steals passwords, and drops rootkits that run in safe mode.

This Trojan appears to have been spammed through email to multiple users in a .zip file attachment.

Note: Virus definitions released prior to July 25, 2006 may detect this threat as Backdoor.Haxdoor.I.

More information at Symantec's page (all three tabs):
http://www.symantec.com/security_response/...-072413-3859-99

Combining phishing fear tactics (over $1,000 worth of a purchase - enough to scare many who are not aware of the tactics) with a trojan payload.

RichNRockville

I had a friend that received almost the same type of message from Home Depot where he had just gotten back from a small purchase at Home Depot. It was a real scam where they wanted his credit card and other info. Due to my harping, he recognized it as a scam so he did not respond. Good for him. I never never respond to email from vendors. That's why they manufacture telephones :'(


a local one that popped up recently....note the site is not https...patio. B)
If it's an html hyperlink, it could point to anywhere; any sort of file. :( :) :P :w00t: :hysterical: :angry: :hmm: :thumbsdown:
Bob

Guest LilBambi

Yeah, the name's funny but the name is apparently legit: http://www.google.com/search?hl=en&q=F...G=Google+Search

Fifth Third Bank is a financial services bank serving Ohio, Kentucky, Indiana, Illinois, Florida, Michigan, and West Virginia markets.
But you can bet there was some really weird link under all that in the message source. ;) That's where it gets interesting ... in the message source. Usually some weird thing where the link name is something legit but like rbdietz said, the link can go anywhere and appear to be anything if you use HTML emails (window dressing) and don't see the real deal. Checking out the message source on those types of emails is the only way to see what's really going on.
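
The check described in the post above (reading the message source and comparing what a link displays with where its href really points, plus the "not https" point raised earlier in the thread), as an added example that is not part of the original thread. The sample message, the example.com / example.net hosts and the names LinkAudit, host and audit_links are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p><a href=3D"http://login.example.net/verify">https://www.example.com/signin</a>
or see the <a href=3D"https://www.example.com/help">help page</a>.</p>
"""  # constructed sample message source; the example.* hosts are placeholders

class LinkAudit(HTMLParser):  # collects (visible text, href) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(value):
    """Hostname of a URL, or of link text that looks like one; '' otherwise."""
    if len(value.split()) != 1:  # empty, or ordinary words such as "help page"
        return ""
    try:
        return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:  # malformed authority part
        return ""

def audit_links(raw):
    """Return (issue, visible_text, href) for each suspicious link in the message."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            parser = LinkAudit()
            parser.feed(part.get_content())  # undoes quoted-printable / base64
            for text, href in parser.links:
                if "." in host(text) and host(text) != host(href):
                    findings.append(("text-host-mismatch", text, href))
                if href.lower().startswith("http://"):
                    findings.append(("plain-http", text, href))
    return findings
```

Parsing with the email module first matters because in the raw source the href appears as `href=3D"..."`; the transfer encoding has to be undone before the HTML is inspected.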