In the last 24 hours some malicious agent has sent out a massive spam run with a malware payload behind a link to “open your invoice”, “download details” or “open your payment details”. The emails seem to come from senders such as admin@rodridersracing.com, jesmond.zammit@sis.com.mt, reservas@golfplazaresort.com, info@indyatour.com, info@renotahoewintergames.org and info@villapoggetto.it, and the text is all very gappy.
The one thing that they all have in common is that if you hover over the link (do not click it!) it actually points to a malware file being hosted on Dropbox (we are attempting to contact Dropbox to alert them as we are writing this).
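The hover check can also be run by a mail filter or analyst script. The following is an added example, not part of the original post: it pulls every link out of an HTML body and reports those whose visible text is an invoice-style lure while the real target is a file-sharing host. The host list, the lure list and the sample body are assumptions made for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed for this demo: the file-sharing hosts to watch and the lure wording
# quoted on this page. Tune both for your own mail flow.
FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}
LURES = ("invoice", "receipt", "payment details", "download details")


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None


def suspicious_links(html_body):
    """Return (text, host) for lure-worded links that point at a file host."""
    parser = LinkExtractor()
    parser.feed(html_body)
    hits = []
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        on_file_host = any(host == h or host.endswith("." + h) for h in FILE_HOSTS)
        # Strip spaces so the gappy "inv o ice" still matches "invoice".
        squeezed = text.lower().replace(" ", "")
        if on_file_host and any(w.replace(" ", "") in squeezed for w in LURES):
            hits.append((text, host))
    return hits

# Constructed sample body; the URL is a placeholder, not one from the campaign.
SAMPLE = ('<p>Or der Total: 4398 US D</p>'
          '<a href="https://www.dropbox.com/s/PLACEHOLDER/file.zip">Get the inv o ice</a>'
          '<a href="https://example.com/help">Help</a>')
```

Calling `suspicious_links(SAMPLE)` returns only the "Get the inv o ice" link together with its real host.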
The general gist of the text in each one (provided here without the gaps, for ease of reading) is “Thanks for shopping with our company today! Your purchase will be processed shortly” or “Thank you for purchasing with us now! Your order is on process at present.”
How this really looked (the gappy version) was something like this:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
“T han ks for sho pping w ith our comp an y to day! Your purch ase will be processed shortly.”
Spammers put the gaps in there in the hopes that it will help their email to get around certain spam filters.
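On the filtering side, the gaps can be undone before the text is scored, and the number of words that had to be rejoined is itself a signal. This is an added example, not code from the original post: it greedily rejoins neighbouring fragments that form a known word. The small vocabulary is constructed for the demo and the two sample strings are the lines quoted on this page.

```python
import re

# Constructed mini-vocabulary for the demo; a real filter would use a full
# dictionary or its classifier's own vocabulary.
VOCAB = {
    "thanks", "thank", "you", "for", "shopping", "purchasing", "with", "our",
    "us", "company", "today", "now", "your", "purchase", "order", "will",
    "be", "is", "on", "process", "processed", "shortly", "at", "present",
}
MAX_FRAGMENTS = 4  # longest run of fragments tried as one word


def degap(text, vocab=VOCAB):
    """Rejoin words split by inserted spaces; return (words, rejoined_count)."""
    tokens = re.findall(r"[a-z]+", text.lower())
    words, rejoined, i = [], 0, 0
    while i < len(tokens):
        # Try the longest run first so "comp an y" wins over the lone "an".
        for n in range(min(MAX_FRAGMENTS, len(tokens) - i), 1, -1):
            candidate = "".join(tokens[i:i + n])
            if candidate in vocab:
                words.append(candidate)
                rejoined += 1
                i += n
                break
        else:
            # No run starting here forms a known word: keep the token as is.
            words.append(tokens[i])
            i += 1
    return words, rejoined


def gap_ratio(text, vocab=VOCAB):
    """Share of words in the normalized text that had to be rejoined."""
    words, rejoined = degap(text, vocab)
    return rejoined / len(words) if words else 0.0


# The gappy line and its readable form, as quoted on this page.
GAPPY = ("T han ks for sho pping w ith our comp an y to day! "
         "Your purch ase will be processed shortly.")
CLEAN = ("Thanks for shopping with our company today! "
         "Your purchase will be processed shortly.")
```

A filter would score the rejoined text as usual and treat a high `gap_ratio` as an extra indicator, since ordinary mail rarely needs any words rejoined.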
So, whatever you do, do not fall for this! If you have already clicked on the link in such an email, you should take the following steps:
1. Determine where your browser downloaded the zip file, and immediately delete it. Hopefully your system isn’t set to automatically unzip any zip files you download, but if it is, look for the unzipped files as well.
2. Run your antivirus software (make sure it’s up to date).
3. Repeat 3 times: I will never click on a link sent to me in email again.
Here are some samples of this particular spam run:
From: info@indyatour.com
Thank you for purchas ing with us now! Your order is on process at present.
BIL LING DETAI LS
Purc hase Numb er: GAX547266177
Orde r Date: 7.08 2.10.2014
Pur chaser Em ail: info@dadsrights.org
Or der Total: 4398 US D
Get the inv o ice
Plea se hi t the link provided at the top to view mo re info about this issue.
From: info@renotahoewintergames.org
Th an ks for shopping with us now! Your order is on process at present.
BILLING INFO
Purch ase Nu mber: JUY841590397
Pu rchase Date: 11:23 2-Oct-2014
Purchas er Email : info@dadsrights.org
Amount: 4040 US D ollars
Open your pay ment det ails
Please visit the link provided at the top to s ee more info about this issue.
From: info@villapoggetto.it
Thank you f or sh opping with us today! Your purch ase wi ll be pro cessed shortly.
BILLIN G INFORMATION
Order Num ber: EJB865157539
Purchase Date: 11:39 30-Sep-2014
Customer Email: info@dadsrights.org
Amount: 6911 US Dollars
Download the receipt
Please click the link given above to have more info about this issue.
A new article in Pro Publica, an online investigative journal, reports that a tracking cookie — they call a “zombie cookie” that cannot be killed — that is used by Facebook, Google, and “everyone else” by an advertising company called Turn. It, as a tracking cookie cannot be deleted by Verizon. This is worthy of comment and alarm. JSL
john@islandiapools.com, to me, Jun 27
Thank you for purchasing with our company now! Your purchase is processing right now. You will get additional information via a separate email.
BILLING DETAILS
Purchase Number: E151828823
Purchase Date: 7:3806272014
Payment Method: VISA
Outright Purchase: 6412 USD
Please check the HTML file given below to have more information about this issue.
Here’s the one that I got.
from: hend@abmarshipping.com
Thanks for placing order with us today! Your purchase will be processed shortly.
Amount: 6055 USD
Please click the link given above to see more details about this issue.
Download your invoice
When I mouse over the link for “Download your invoice” it indeed points to a file being hosted on dropbox. Thank you for posting your research. It is a big help.
I get Spam from a number of places that I would consider to be reputable companies, such as CVS Pharmacy, but I find that I get three or more per day, often on the same page or another following page, but the sender will often have an address very much like “info@dadsrights.com” and each of the two or three will have a different sender, although they are sometimes adjacent to each other on the same page. I can get one hundred or more pieces of spam per day. (I have no connection to social media and I have never bought anything online.) I wish this could be explained in depth.