Warning: Spam and Phishing Activity in the Name of Wells Fargo Bank

Nov 29, 2013 | Author: admin | Filed under: Info

Hello customers,

We recently found activity on our servers involving the sending of fake emails in the name of Wells Fargo Bank USA. These fake emails ask the user for information or ask them to download a particular file from the email attachment. We clarify that these emails are not genuinely from Wells Fargo Bank; if you find one, please ignore it and report it to us.

Example spam sending log

Below is an example of the sending log for this spam mail that we managed to capture from our mail server.

—start of quote—

2013-11-27 23:55:50 1VliP0-0000Nq-2n <= []:56759 P=esmtp S=25501 T="FW: Important docs" for
2013-11-27 23:57:25 1VliQX-0000YT-FD <= []:34105 P=esmtp S=26105 T="FW: Important docs" for
2013-11-27 23:57:39 1VliQl-0000aw-C0 <= []:61648 P=esmtp S=26118 T="FW: Important docs" for

—end of quote—
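As an added example, not part of the original post, the following Python script applies the kind of check a mail administrator could run over Exim "<=" (message received) log lines like the ones quoted above: it parses the timestamp, message id and subject from each line and flags any subject that arrives in three or more messages within a short window. The embedded log lines are constructed to resemble the quoted ones (the fourth line is benign filler); the IP addresses and recipients are left blank as they are on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the Exim "<=" log format quoted in the post.
SAMPLE_LOG = """\
2013-11-27 23:55:50 1VliP0-0000Nq-2n <= []:56759 P=esmtp S=25501 T="FW: Important docs" for
2013-11-27 23:57:25 1VliQX-0000YT-FD <= []:34105 P=esmtp S=26105 T="FW: Important docs" for
2013-11-27 23:57:39 1VliQl-0000aw-C0 <= []:61648 P=esmtp S=26118 T="FW: Important docs" for
2013-11-28 08:12:01 1Vlqor-0001Ab-Zz <= []:40211 P=esmtp S=1833 T="Meeting notes" for
"""

# Timestamp, message id, size (S=) and subject (T="...") of a "<=" line.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= '
    r'.*?S=(?P<size>\d+) T="(?P<subject>[^"]*)"'
)


def parse_received(log_text):
    """Yield (timestamp, message id, size, subject) for each parsable '<=' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["id"], int(m["size"]), m["subject"]


def find_subject_bursts(log_text, min_count=3, window=timedelta(minutes=5)):
    """Return {subject: [message ids]} for subjects received at least
    `min_count` times within any `window`-long span; other subjects are omitted."""
    by_subject = defaultdict(list)
    for ts, mid, _size, subject in parse_received(log_text):
        by_subject[subject].append((ts, mid))
    bursts = {}
    for subject, msgs in by_subject.items():
        msgs.sort()  # chronological order for the sliding window
        flagged = []
        start = 0
        for end in range(len(msgs)):
            # Shrink the window from the left until it spans at most `window`.
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            if end - start + 1 >= min_count:
                for _ts, mid in msgs[start:end + 1]:
                    if mid not in flagged:
                        flagged.append(mid)
        if flagged:
            bursts[subject] = flagged
    return bursts


if __name__ == "__main__":
    for subject, ids in find_subject_bursts(SAMPLE_LOG).items():
        print(f"burst: {subject!r} -> {len(ids)} messages: {', '.join(ids)}")
```

On the sample above the script reports a single burst for "FW: Important docs" and ignores the lone "Meeting notes" message; tune min_count and window to the volume your own server normally sees.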

Below we also include one example of the content of that spam mail:

—start of quote—

Received: from [] (port=39273 helo=PC-Korban) by korban.mailserverpengirim.apa with asmtp id 1rqLaL-000X1-00
for korban@namadomain.apa; Wed, 27 Nov 2013 11:55:49 -0500
Date: Wed, 27 Nov 2013 11:55:49 -0500
From: korban@domainanda.apa
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
Subject: FW: Important docs
Content-Type: multipart/mixed;
X-Spam: Not detected
X-Mras: Ok
This is a multi-part message in MIME format.
Content-Type: text/plain; charset=windows-1251; format=flowed
Content-Transfer-Encoding: 7bit

We have received this documents from your bank, please review attached documents.    
Reuben Goff  
Wells Fargo Accounting  
817-197-1182 office  
817-396-6674 cell     

Investments in securities and insurance products are:  
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use
of the person or entity to whom the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited.
If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

Content-Type: application/zip;   
Content-Transfer-Encoding: base64  
Content-Disposition: attachment;   

The attached ZIP file has the name [or else] and contains the 28 kB file Case_06112013.exe [or else].
The trojan is known as Worm/Win32.Palevo, TR/Crypt.Xpack.3685, W32/Trojan.UOSL-1532, Trojan.Downloader.JQEJ, Downloader-FVM!DCA1C11AA0C5,
Artemis!DCA1C11AA0C5, Trj/Downloader.WKY or Troj/Zbot-GVA.
The trojan is capable of downloading files and connecting to other hosts over HTTP.
It will collect information to fingerprint the system, make modifications to the local firewall settings and policies and install itself
to boot at start up of the infected system. Furthermore, this trojan can steal information from browsers.

—end of quote—

Once again we urge you, as users of our hosting service, to help by reporting suspicious email content to our technical staff so that we can assist with further examination.
