Malware claiming to come from Transport for London

I often get Transport for London information messages. I suspect a few million people in London do. But until just now, I’ve not seen it used as a malware distribution trick. Here’s what they look like:

Received: from [] ([])
	by  (8.14.4/8.14.4) with ESMTP id t5QAj0ns002218
	for ; Fri, 26 Jun 2015 11:45:01 +0100 (BST)
Date: Fri, 26 Jun 2015 12:45:04 +0200
Subject: Email from Transport for London
MIME-Version: 1.0
Importance: Normal
X-Priority: 3 (Normal)
X-Mailer: SAP Web Application Server 7.00
Content-Type: multipart/mixed;

Content-Disposition: inline
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Content-Description: Email from Transport for London

Dear Customer,

Please open the attached file to view correspondence from Transport for

If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.

Thank you for contacting Transport for London.

Business Operations
Customer Service Representative

This email has been scanned by the Symantec Email service.
For more information please visit

This email and any attachment are intended solely for the addressee, are s=
trictly confidential and may be legally privileged. If you are not the int=
ended recipient any reading, dissemination, copying or any other use or re=
liance is prohibited. If you have received this email in error please noti=
fy the sender immediately by email and then permanently delete the email.
Content-Disposition: attachment;
Content-Type: application/doc;
Content-Transfer-Encoding: base64
Content-Description: AP0210932630.doc


The file attachment is a dodgy Microsoft Word document, unknown to malware scanners. In spite of the faulty English it’s unlikely that Bayesian analysis will think it odd, although the SPF records don’t match and the IP address is currently flagged as slightly dodgy with no reverse lookup. It belongs to Telekom Austria, and I suspect it’s NOT a botnet at this time.
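The structure of the message carries cues that do not rely on content scoring. The Python below is an added example, not part of the original post: it checks a constructed copy of the sample for a `Date` offset that does not fit a London sender, a `.doc` attachment sent with a MIME type other than `application/msword`, and the DOC/Acrobat contradiction in the body. The expected +0100 offset, the flag names and the function name are assumptions made for the illustration.

```python
import email
from datetime import timedelta
from email import policy

# Constructed message modelled on the redacted sample above; the boundary
# and the attachment bytes are placeholders, not values from the real mail.
SAMPLE = """\
Date: Fri, 26 Jun 2015 12:45:04 +0200
Subject: Email from Transport for London
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: inline
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

If the attachment is in DOC format you may need Adobe Acrobat Reader to
read or download this attachment.
--b1
Content-Disposition: attachment
Content-Type: application/doc
Content-Transfer-Encoding: base64
Content-Description: AP0210932630.doc

AAAA
--b1--
"""

def structural_flags(raw, expected_utc_offset_hours=1):
    """List oddities that do not depend on how the body text is worded."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # Assumption: a London sender in June stamps Date with +0100 (BST).
    sent = getattr(msg["Date"], "datetime", None)
    off = sent.utcoffset() if sent else None
    if off is None or off != timedelta(hours=expected_utc_offset_hours):
        flags.append("date-offset")
    for part in msg.iter_attachments():
        name = part.get_filename() or str(part.get("Content-Description", ""))
        ctype = part.get_content_type()
        # A .doc normally travels as application/msword.
        if name.lower().endswith(".doc") and ctype != "application/msword":
            flags.append("doc-mime-mismatch:" + ctype)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "doc format" in text and "acrobat" in text:  # DOC needing a PDF viewer
        flags.append("doc-needs-acrobat")
    return flags
```

Each flag is weak on its own; they are meant to be combined with the SPF and reverse-lookup results mentioned above rather than used as a verdict.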

If anyone else has received one, I’d be interested to know! I let TFL know, and, refreshingly, got through to the right people and they took the matter seriously. This is hardly ever the case, so my feelings for TFL have gone up several notches!
