Over the last 24-hours I’ve intercepted several emails containing malicious attachments in .zip files. There’s nothing odd about that, expect these are coming from ‘clean’ IP addresess.
Is this a new Botnet, spreading fast?
Yesterday the subject was “your mailbox has been deactivated” and they pretended to come from the IT support team at your domain name. If you don’t have an IT support team it’s a bit of a giveaway. The message continued:
We are contacting you in regards an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.
Today they’ve got the subject “Payment request from
The full text is:
We recorded a payment request from "
The payment is pending for the moment.
If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "
If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).
The interesting thing is that none of these have come from IP addresses that are currently listed as part of a botnet, known spam sources or anything. They’re completely clean. I’ve no proof that the two attacks are related, but I’m suspicious.
If anyone has more parts to the jigsaw, please share them with a comment.