Peringatan: Aktifitas Spam dan Phising atas Nama Wells Fargo Bank

Teknologi287 Views


Hallo pelanggan dijaminmurah.com

Baru baru ini kami mendapati aktifitas di server kami yang berkaitan dengan pengiriman email palsu mengatasnamakan Wells Fargo Bank USA, yang mana email palsu tersebut meminta informasi maupun download file tertentu di attachment email tersebut dari user. Kami klarifikasi bahwa email tersebut adalah tidak benar dari Wells Fargo Bank, dan jika anda menemukannya maka mohon diabaikan dan laporkan kepada kami.

Contoh Log Pengiriman Spam Berikut ini adalah contoh log pengiriman mail spam tersebut yang sempat kami dapati dari mail server kami.

—awal kutipan—

2013-11-27 23:55:50 1VliP0-0000Nq-2n <= fraud@aexp.com H=korban1.mailserverpengirim.com [208.104.16.22]:56759
P=esmtp S=25501 id=529622A1.9030605@wellsfargo.com T=”FW: Important docs” for siapa@domainanda.org
2013-11-27 23:57:25 1VliQX-0000YT-FD <= fraud@aexp.com H=korban2.mailserverpengirim.com [50.74.226.154]:34105
P=esmtp S=26105 id=52962342.0070109@MSGCMOXM7908.ent.wfb.bank.corp T=”FW: Important docs” for siapa@domainanda.net  
2013-11-27 23:57:39 1VliQl-0000aw-C0 <= fraud@aexp.com H=korban3.mailsererpengirim.com [76.22.159.151]:61648
P=esmtp S=26118 id=529622A7.3010605@MSGCMOXM9586.ent.wfb.bank.corp T=”FW: Important docs” for siapa@domainanda.com

—akhir kutipan—

Berikut ini kami sertakan pula salah satu contoh konten mail spam tersebut :

—awal kutipan—

Received: from [254.141.114.115] (port=39273 helo=PC-Korban) by korban.mailserverpengirim.apa with asmtp id 1rqLaL-000X1-00
for korban@namadomain.apa; Wed, 27 Nov 2013 11:55:49 -0500  
Message-ID:
Date: Wed, 27 Nov 2013 11:55:49 -0500  
From: korban@domainanda.apa User-Agent: Mozilla/5.0(Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1  MIME-Version: 1.0  
To: korban@namadomain.com
Subject: FW: Important docs  
Content-Type: multipart/mixed;   
boundary=”—-=_Part_94900_0050353369.7689441481192″  
X-Spam: Not detected  
X-Mras: Ok    
This is a multi-part message in MIME format.  
——=_Part_94900_0050353369.7689441481192  
Content-Type: text/plain; charset=windows-1251; format=flowed  Content-Transfer-Encoding: 7bit

We have received this documents from your bank, please review attached documents.    
Reuben Goff  
Wells Fargo Accounting  
817-197-1182 office  
817-396-6674 cell   
Reuben.Goff@wellsfargo.com     

Investments in securities and insurance products are:  
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
    
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103
   
CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use
of the person or entity to whom the message was addressed. If you are not the intended recipient of this message,
please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited.
If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message
and any attached documentation. Thank you.

——=_Part_94900_0050353369.7689441481192  
Content-Type: application/zip;   
name=”BankDocs.zip”  
Content-Transfer-Encoding: base64  
Content-Disposition: attachment;   
name=”BankDocs.zip”

The attached ZIP file has the name Case_1193671.zip [or else] and contains the 28 kB large file Case_06112013.exe [or else].
The trojan is known as Worm/Win32.Palevo, TR/Crypt.Xpack.3685, W32/Trojan.UOSL-1532, Trojan.Downloader.JQEJ, Downloader-FVM!DCA1C11AA0C5,
Artemis!DCA1C11AA0C5, Trj/Downloader.WKY or Troj/Zbot-GVA.    
The trojan is capable of downloading files and connecting to other hosts over HTTP.
It will collect information to fingerprint the system, make modifications to the local firewall settings and policies and installs itself
to boot at start up of the infected system. Futhermore, this trojan can steal information from browsers.  

—akhir kutipan—

Sekali lagi kami menghimbau kepada anda pengguna layanan hosting di dijaminmurah.com untuk dapat membantu melaporkan konten email mencurigakan kepada staf teknikal kami untuk dibantu pemeriksan lebih lanjut.