Educause Security Discussion mailing list archives

malware spam: Toll road invoice / Notice to Appear / FedEx Problem


From: Bob Bayn <bob.bayn () USU EDU>
Date: Sun, 12 Apr 2015 15:22:17 +0000

Yesterday, we received over 150 email messages with a zip attachment containing a Trojan downloader in a .doc.js file.  
We have seen scattered instances before but this is the biggest attack of this sort so far.  The inducement to open the 
attachment is a variation on one of three stories:
  1) You owe an E-ZPass toll road fee
  2) You are notified that you must appear in court
  3) Your FedEx delivery has an issue

The subject lines often begin with the first name of the recipient (in all CAPS) if that can be determined from the 
recipient address.  The subject also often ends with a random tracking number.  The actual sender address is unique for 
each message and the sending email host indicates that a botnet is probably being used to launch these attacks.

We've recorded the following variations on sender name and subject line:

District Court
State Court
County Court
  Notice to Appear
  Notice to Appear in Court #00...
  Notice of Appearance in Court #00...

E-ZPass Manager
E-ZPass Support
E-ZPass Agent:
   Indebtedness for driving on toll road #00...
   Indebted for driving on toll road #00...
   Pay for driving on toll road, invoice #00...
   Payment for driving on toll road, invoice #00...

FedEx 2Day
FedEx 2Day A.M.
FedEx International Economy
FedEx International Ground
FedEx International MailService
FedEx International Next Flight
FedEx SmartPost
FedEx Standard Overnight
   Problem with parcel shipping, ID:00...
   Delivery Notification, ID 00...
   Problems with item delivery, n.00...
   We could not deliver your parcel, #00...
   Unable to deliver your item, #00...

The common thread is the .doc.js in a zip.  See if your email filters can strip the attachment or block the messages.  
Good luck!


Bob Bayn      SER 301      (435)797-2396    IT Security Team
Office of Information Technology,         Utah State University
    Do you know the "Skeptical Hover Technique" and
    how to tell where a web link really goes?  See:
    https://it.usu.edu/computer-security/computer-security-threats/articleID=23737
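An added example, not part of Bob Bayn's post or of USU's filtering: a small Python mail-gateway check for the pattern the post describes, a zip attachment whose member has a document extension in front of a script extension (".doc.js"), plus the subject signals (recipient's first name in CAPS, one of the three lure stories, a trailing number). The sample message is constructed inline; the extension lists, the subject regular expression and the "JANE, ..." subject layout are assumptions, not facts from the post.

```python
"""Added example (not from the original post): flag lure e-mails that carry a
zip attachment containing a double-extension script such as ".doc.js".
The sample message is constructed inline; the extension lists, the subject
regex and the "NAME, ..." subject format are assumptions, not from the post."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Script/executable extensions abused inside zip lures (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr", ".exe", ".cmd", ".bat"}
# Document-looking extensions used as the decoy in front of the real one.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}
# Key phrases from the three lure stories listed in the post (assumed regex).
LURE_SUBJECT = re.compile(
    r"notice (?:to appear|of appearance)|toll road|deliver|problem",
    re.IGNORECASE,
)


def is_script_name(filename: str) -> bool:
    """True if the final extension is a script/executable type, whatever
    decoy extension sits in front of it ('invoice.doc.js' -> True)."""
    parts = filename.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 2 and "." + parts[-1] in SCRIPT_EXTS


def has_decoy_extension(filename: str) -> bool:
    """True for the double-extension trick: a document-looking extension
    immediately before a script extension ('invoice.doc.js')."""
    parts = filename.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS and is_script_name(filename)


def scan_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report why (if at all) it should be blocked."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    # Post: subject often starts with the recipient's first name in CAPS,
    # derived from the address. Assumed layout: "JANE, <lure text> #00...".
    first = ""
    to_hdr = msg["To"]
    if to_hdr is not None and to_hdr.addresses:
        first = re.split(r"[._-]", to_hdr.addresses[0].username)[0]
    report = {
        "subject": subject,
        "name_prefixed": bool(first) and subject.startswith(first.upper()),
        "lure_subject": bool(LURE_SUBJECT.search(subject)),
        "script_entries": [],   # zip members with a script extension
        "decoy_entries": [],    # subset using the .doc.js style double extension
    }
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        # namelist() works on password-protected zips too; only member data
        # needs the password, so the filename check still applies.
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for name in zf.namelist():
                if is_script_name(name):
                    report["script_entries"].append(name)
                if has_decoy_extension(name):
                    report["decoy_entries"].append(name)
    # Block on the attachment alone; the subject signals only add confidence.
    report["block"] = bool(report["script_entries"])
    return report


def build_sample(entry_name: str = "E-ZPass_Invoice_00123456.doc.js") -> bytes:
    """Construct a synthetic lure in the shape the post describes (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, "// inert placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"] = "E-ZPass Agent <agent@example.invalid>"
    msg["To"] = "jane.doe@example.edu"
    msg["Subject"] = "JANE, Indebtedness for driving on toll road #00123456"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="E-ZPass_Invoice_00123456.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The block decision rests on the zip member name alone, because the subject and sender vary per message while the ".doc.js"-in-a-zip payload is the constant; the subject and name-prefix signals are reported separately so they can feed a score or a quarantine note rather than gate the verdict.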

