Virus alert 31 July - "Invoice" likely contains malware

[31/07/2017]


We advise users to be wary of scanned documents or (fake) invoice/payment requests that look like PDFs or normal documents (Word, Excel, ...) but in reality contain viruses and malware, including cryptolockers. A cryptolocker will encrypt all documents on the affected computer and attached drives, thus rendering those documents useless. So be extremely vigilant when receiving messages with attachments, from any source. DO NOT OPEN THESE ATTACHMENTS!

There seems to be a continuous campaign sending users (fake) invoices, payment requests and the like, which seemingly urge the recipient to take action.

The emails are sent from legitimate companies or third parties. The details on what the user should do, or details about the invoice or Windows Update, are supposedly included in an attachment or in a hyperlink that will download a "document" to the computer.

The document or attachment, which can be hidden in a zip file, is frequently disguised as a PDF, when in reality it is an executable program that, upon opening, executes the virus (trojan) on the computer and encrypts all documents on the computer and mounted shares/disks, making all the documents useless. In short: the user will lose all his/her files.

Therefore, be extremely vigilant upon receiving messages with attachments, in particular if you use a computer with Windows.

If you have any doubt about a message with an attachment you have received, contact the ICT-Helpdesk.

If you are locked out of your computer or your documents have become inaccessible, immediately contact the ICT-Helpdesk. Do not try to fix the problem yourself or to restore your files from your backup, or you risk losing your backup as well.

Examples of recent or notable cases:

From: Money Market <vsingh@talend.com>
To: mbrodt@tribweb.com
Subject: Invoice
Date: Mon, 31 Jul 2017 08:12:01 -0700

From: "Laura De Clercq" <colegio.granada@agricolas.org>
Subject: C'est votre facture
Date: Wed, 3 May 2017 22:19:57 +0200

From: "Julien Stevens" <Julien@adams-music.be>
Subject: Votre facture
Date: Mon, 24 Apr 2017 19:28:22 +0200

Purchase invoice.

Thank you for your cooperation,
Julien Stevens

From: ASAS <Mohannadhabosh@asasemc.com>
Subject: Final Warning - Over Due Payment - Urgent Reminder!
Date: Fri, 21 Apr 2017 05:46:55 +0100
Attachment => .gz (contains .exe file with malware) => DO NOT OPEN

Dear Sir,
Please note that we cannot continue to contact you concerning our over
due payment.
We need our money and very soon, we will invite the police to your
office for arrest.
Find attached documents which you signed and kindy selttle your debts as
soon as possible.

From: "Bandenconcurrent" <1483486213.orders@banden1483486213concurrent-nl.nl>
Subject: Openstaande factuur
Date: Wed, 4 Jan 2017 00:30:13 +0100 (CET)

From: canon@vub.ac.be
Subject: Attached Image
Date: 30 November 2016 at 10:27:24 GMT+1
Virus type: Trojan Downloader (macro virus)

From: Laetitia Dehaudt <laetitia.dehaudt79@vub.ac.be>
Subject: Facture 521-9389231
Date: 30 Sep 2016 10:03:01 CEST
Virus Type: New cryptolocker variant

From: "Proximus" <myproximus2@t-online.de>
Subject: Uw domiciliëring van de maand juli is mislukt
Date: Tue, 23 Aug 2016 06:08:44 -0700

From: Intrum Justitia <incasso@intrum.com>
Subject: Uw Factuur
Date: Fri, 6 May 2016 07:56:34 +0000 (UTC)

From: KPN <KPN-betaalafspraak@kpn.com>
Subject: Uw factuur
Date: Thu, 5 May 2016 10:37:11 +0200 (CEST)

From: CAS <cas@ucm.be>
Subject: le calcul des cotisations 8504 13483 - TV
Date: 26 Feb 2016 10:34:49 -0000

From: Scarlet klantendienst <no_reply@scarlet.be>
Subject: Rekening - 05/2015
Date: 27 May 2015

About Ransomware viruses

Ransomware viruses are computer viruses (trojans) that, upon execution, will lock out the user from his/her computer, or, even worse, encrypt all documents on the computer and mounted shares, making those documents useless.

The virus will display a message on the computer stating that one should transfer a certain amount of money in order to regain access to the computer or documents. There is, however, no guarantee that paying will actually restore access.

Example of a ransomware message


From: Intrum Justitia <incasso@intrum.com>
To: Email address
Subject: Openstaande Factuur.
Attachment: Factuur93584.zip, 722.0 KBytes

Handled by: TransIP Domein Registratie
Direct tel. no.: 088 - 452 71 31

Outstanding claim, IMPORTANT!

Dear Madam/Sir.

In the attached invoice we refer you to the reminder(s) you received earlier. We hereby give you the opportunity to pay the amount due of €93,50 with interest within 14 days to our IBAN account number NL50ABNA0471467210 in the name of St. Derdengeleden Intrum Justitia Nederland B.V., quoting the reference number.

If payment is not made, we will be obliged to advise our client to start legal proceedings. The resulting costs will be entirely at your expense. For direct payment and more information about this claim, go to our website www.intrum.nl You can use the details stated on the invoice for this. You can also go there with any other questions.


Intrum Justitia

The extrajudicial collection costs may be increased by VAT in the event that the creditor is an
entrepreneur not liable for VAT within the meaning of art. 7 and 11 of the Wet op de omzetbelasting 1968

Intrum Justitia Nederland BV Trading under the name Intrum Justitia
Postbos 84096 2508 AB Den Haag H.R. Den Haag 27134582
VAT no. NL008488666B01 Member of NVI

Peter Van Rossem - helpdesk@vub.ac.be

Attached files are frequently sent as a .zip file which in turn contains an executable file (extensions are - but not limited to - .exe, .scr, .lnk, .cab, ...) that installs the virus. Do not run this file!
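An added example, not part of the original advisory: a mail-gateway style check in Python that reads only the file names inside a .zip attachment (nothing is extracted or run) and flags the extensions named above, plus the .gz-wrapped .exe case from the examples. The function names, file names and sample message are constructed for illustration.

```python
import gzip
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the advisory; the list is explicitly not exhaustive.
RISKY_EXTENSIONS = (".exe", ".scr", ".lnk", ".cab")

def is_risky(name):
    """True when a file name ends in a risky extension (catches 'x.pdf.exe')."""
    return name.lower().rstrip(". ").endswith(RISKY_EXTENSIONS)

def scan_attachment(filename, data):
    """Return findings for one attachment, looking inside .zip and .gz."""
    findings = []
    if is_risky(filename):
        findings.append(f"{filename}: executable attachment")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():  # names only, nothing is extracted
                if is_risky(member):
                    findings.append(f"{filename} -> {member}: executable inside zip")
    elif data[:2] == b"\x1f\x8b":  # gzip magic bytes
        # A gzip stream holds a single file; its first bytes show what it is.
        head = gzip.GzipFile(fileobj=io.BytesIO(data)).read(2)
        if head == b"MZ":  # DOS/PE executable header
            findings.append(f"{filename}: Windows executable inside gzip")
    return findings

def scan_message(raw_bytes):
    """Scan every attachment of an RFC 5322 message given as bytes."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(scan_attachment(name, part.get_payload(decode=True) or b""))
    return findings

def build_sample():
    """Constructed test message: a zip holding a file disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Factuur.pdf.exe", b"MZ constructed placeholder, not a real program")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Factuur.zip")
    return msg.as_bytes()
```

An empty result from `scan_message` only means none of these specific patterns matched; macro documents, such as the Trojan Downloader case listed above, need a separate check.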

Other faked senders include Wehkamp Nederland and Scarlet (Belgian Internet provider) with so-called order confirmations or invoices. DO NOT OPEN THE ATTACHMENTS!

