Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: InfoSec Handlers Diary Blog - Targeted e-mail attacks asking to verify wire transfer details InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Targeted e-mail attacks asking to verify wire transfer details

Published: 2009-06-04
Last Updated: 2009-06-04 23:07:51 UTC
by Raul Siles (Version: 2)
1 comment(s)

There is a new e-mail wave doing the rounds (we have reports from June 3 & 4). It is a very targeted e-mail attack against different organizations, that contains an attached malware specimen in the form of a RTF file, called "details.rtf". The mail asks the victim to verify a wire transfer, being the malicious attachment the alleged wire statement.

In some of the cases, the victims are indeed financial personel within the target organization in charge of daily wire transfers. Time to spread an internal awareness campaign in your financial departments!

The current AV detection rate is low (according to VirusTotal) for the samples we have received:

  • 7/39 - SHA1  : 0f7288043f556542744fd2c87511ff002b5d5379
  • 4/39 - SHA1  : e248fd659415f15d1238063efd1f122f91ac071c

The spare phishing e-mail looks like this:

--
From: Kenneth Duford [mailto:ken.duford@<VARIOUS-DOMAINS>]
Sent: Wednesday, June 0X, 2009 XX:XX PM
To: <VICTIM E-MAIL>
Subject: Re:Please verify wire details
<VICTIM NAME>

The wire transfer has been released.

BENEFICIARY : <VICTIM NAME>
ABA ROUTING# : XXXX1197
ACCOUNT# : XXX-XXX-XXX394
AMMOUNT : $17,653.15

<TARGETED VICTIM COMPANY NAME>

Please check the wire statement attached and let me know if everything is correct.
I am waiting for your reply.

Kenneth Duford

--- On Sun, 02/06/09, <VICTIM NAME> <VICTIM E-MAIL> wrote:

From: <VICTIM NAME> <VICTIM E-MAIL>
Subject: wire transfer
To: ken.duford@<VARIOUS-DOMAINS>
Date: Mon, 1 June 2009, 10:47 AM


We still haven't received the wire transfer.
Thank you
<VICTIM NAME>

--

Some of the domains we have seen in the "From" field are pinnaclerestaurantcorp.com and teoinc.com.

An early analysis thanks to fellow handlers Pedro and Daniel confirms the details above. Additionally, the exe (or .scr) component is trying to connec to "abfforms.com", with this specific URL: "/bluehost/index.php?open=myid". Currently the site is suspended.

Thanks to the ISC readers (that want to remain anonymous) for the initial details and samples.

--
Raul Siles
www.raulsiles.com

1 comment(s)
Diary Archives