Fake email “Your eBay Invoice is Ready”

MX Lab, http://www.mxlab.eu, has started intercepting a new trojan distribution campaign spread by email with the subject “Your eBay Invoice is Ready”.

This email is sent from the spoofed address “eBay <ebay@ebay.com>” and has the following body:

PLEASE DO NOT RESPOND – Emails to this address are not monitored or responded to.
Dear Customer,

Please open the attached file to view invoice.

If the attachment is in PDF format you may need Adobe Acrobat Reader to read or download this attachment. If you require Adobe Acrobat Reader this is available at no cost from the Adobe Website http://www.adobe.com

This email has been scanned by the Symantec Email Security.cloud service.

This email and any attachment are intended solely for the addressee, are strictly confidential and may be legally privileged. If you are not the intended recipient any reading, dissemination, copying or any other use or reliance is prohibited. If you have received this email in error please notify the sender immediately by email and then permanently delete the email.

The attached archive ebay_591278156712819_291015.zip contains the 40 kB executable ebay_591278156712819_291015.exe.

The trojan is detected under names such as Trojan.A1832C543, Upatre-FAED!65BE13F85A27, TROJ_UPATRE.YYSPW and W32/Monlin.6773!tr.

At the time of writing, 6 of the 56 AV engines on VirusTotal detected the trojan.

See VirusTotal for more detailed information.
SHA256: 311132c9f241d4f0be5982e1680751d3051b38291d0aaf2821e27520de356773

Phishing campaign masked as an eBay information request

MX Lab, http://www.mxlab.eu, detected a phishing campaign in the form of information requests purporting to come from eBay. The fake email is sent from the spoofed address “eBay <awconfirm@aby.fr>” and has subjects in the format “Question sur l’ objet #2091501444 – Répondre maintenant” (“Question about item #2091501444 – Reply now”).

The layout of the email body mimics the typical eBay style, and the message asks for more information regarding the delivery of a purchased item.

The embedded URL, in this case hxxp://ns1.sjburns.com/bash/levante.fr/curvasa.html, leads to a web site hosting a fake eBay login screen. The login form is submitted to the file ebay.php on that host.

After the credentials have been submitted, the victim is redirected to the real eBay login screen over a secure HTTPS connection, so the credential theft is unlikely to be noticed.

The main visible differences between the fake and the genuine login page are: the disclaimer is written in French, there is a link to the eBay app in the top right, and the Norton logo is displayed correctly.
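The two indicators described in this post (a display name claiming eBay on a non-eBay sender domain, and a login form posting to ebay.php on a host that is not eBay's) can be checked mechanically. The following is an added example, not MX Lab's own tooling: SAMPLE_FROM and the defanged phishing URL are taken from the post, while SAMPLE_BODY, the login-page HTML, BRAND_DOMAINS and the eTLD+1 heuristic are constructed assumptions for illustration.

```python
"""Flag links and credential forms whose host does not belong to the brand a
phishing email impersonates. Added example for this post; not MX Lab's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SAMPLE_FROM = "eBay <awconfirm@aby.fr>"          # spoofed sender quoted in the post
# Constructed plain-text stand-in for the HTML lure: the post's defanged
# phishing link next to a genuine eBay link (assumed).
SAMPLE_BODY = """Question sur l'objet #2091501444 - Repondre maintenant
Repondre a l'acheteur : hxxp://ns1.sjburns.com/bash/levante.fr/curvasa.html
Aide eBay : https://www.ebay.fr/help
"""
# Constructed stand-in for the fake login screen; the post only states that
# the form is processed by ebay.php.
SAMPLE_LOGIN_HTML = """<html><body>
<form action="ebay.php" method="post">
  <input name="userid"> <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form></body></html>"""
PAGE_URL = "http://ns1.sjburns.com/bash/levante.fr/curvasa.html"

# Domains that legitimately host the brand (assumption; extend from your own list).
BRAND_DOMAINS = {"ebay": {"ebay.com", "ebay.fr", "ebay.co.uk", "ebay.de"}}
URL_RE = re.compile(r"\b(?:hxxps?|https?)://\S+", re.IGNORECASE)


def refang(url):
    """Turn the defanged 'hxxp' scheme back into 'http' so urlparse accepts it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1: last two labels, or three for 'co.uk'-style second-level TLDs.
    Assumption: adequate for the brands above; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def claimed_brand(from_header):
    """Brand named in the From display name, e.g. 'eBay <...>' -> 'ebay'."""
    display = from_header.split("<", 1)[0].strip().lower()
    return next((b for b in BRAND_DOMAINS if b in display), None)


def sender_domain(from_header):
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).rsplit("@", 1)[-1].lower()


def triage_mail(from_header, body):
    """Return {'brand', 'sender_mismatch', 'suspicious_urls'} for one message."""
    brand = claimed_brand(from_header)
    if brand is None:
        return {"brand": None, "sender_mismatch": False, "suspicious_urls": []}
    legit = BRAND_DOMAINS[brand]
    mismatch = registrable_domain(sender_domain(from_header)) not in legit
    bad = []
    for raw in URL_RE.findall(body):
        host = urlparse(refang(raw)).hostname or ""
        if registrable_domain(host) not in legit:
            bad.append(raw)  # keep the defanged form so reports stay non-clickable
    return {"brand": brand, "sender_mismatch": mismatch, "suspicious_urls": bad}


class _FormScanner(HTMLParser):
    """Collect the action attribute of every form that contains a password field."""
    def __init__(self):
        super().__init__()
        self.action, self.has_password, self.credential_forms = None, False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action, self.has_password = a.get("action", ""), False
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.has_password:
            self.credential_forms.append(self.action or "")


def suspicious_credential_forms(html, page_url, brand):
    """Resolved actions of password forms that post outside the brand's domains."""
    scanner = _FormScanner()
    scanner.feed(html)
    legit = BRAND_DOMAINS[brand]
    out = []
    for action in scanner.credential_forms:
        target = urljoin(page_url, action)   # relative 'ebay.php' resolves onto the phishing host
        if registrable_domain(urlparse(target).hostname or "") not in legit:
            out.append(target)
    return out


if __name__ == "__main__":
    print(triage_mail(SAMPLE_FROM, SAMPLE_BODY))
    print(suspicious_credential_forms(SAMPLE_LOGIN_HTML, PAGE_URL, "ebay"))
```

Run on the constructed sample, the mail triage reports the sender-domain mismatch and lists only the sjburns.com link, and the form scan resolves the relative action to http://ns1.sjburns.com/bash/levante.fr/ebay.php and flags it; the genuine https://www.ebay.fr link and any form posting to an eBay domain pass.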

Email notification regarding your debt at the Bill Me Later service contains malware

MX Lab, http://www.mxlab.eu, is intercepting messages regarding a debt to the Bill Me Later service, a company acquired by eBay in 2008 and now part of PayPal. The messages carry a malicious payload and are sent with various subjects like:

Immediately pay off the debt! #id81490
We will file a charge against you. #id80119
You must immediately pay off the debt! #id40754

The email is sent from the spoofed address “Ebay <customer@ebaybill.com>”; its body consists of a single image rather than text, which defeats simple keyword filtering.

The URL behind the image leads to a host serving the malicious payload: the file INVOICE_FORM.zip is downloaded, and the archive contains the executable INVOICE_FORM.exe.

The trojan is detected under names such as Suspect.Trojan.Generic.FD-4, Trojan.Win32.Tobfy!IK, Trojan.Win32.Tobfy and HEUR:Trojan.Win32.Generic.

At the time of writing, 6 of the 42 AV engines on VirusTotal detected the trojan.

VirusTotal permalink (SHA256): bd5e2868987d59cd24ed748cbcc489396eb782ddbf6e207395b0d80c5521b017.
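Both malware posts on this page (the “Your eBay Invoice is Ready” campaign and this Bill Me Later campaign) share the same delivery pattern: a spoofed sender and a ZIP archive wrapping a small Windows executable, with low antivirus coverage at the time of delivery. A mail gateway check that does not depend on signatures can still catch this. The following is an added example, not MX Lab's tooling: the message is constructed in code (a ZIP named INVOICE_FORM.zip wrapping a 40-byte stand-in for INVOICE_FORM.exe that carries only the “MZ” header), the two SHA256 values are the ones reported in the posts, and the extension list and size cap are assumptions.

```python
"""Triage a mail's ZIP attachments for executables and match them against
known-bad SHA256 hashes. Added example for the two malware posts on this page;
not MX Lab's code."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# SHA256 values reported in the posts above; extend from your own IOC feeds.
KNOWN_BAD_SHA256 = {
    "311132c9f241d4f0be5982e1680751d3051b38291d0aaf2821e27520de356773",  # Upatre, eBay invoice
    "bd5e2868987d59cd24ed748cbcc489396eb782ddbf6e207395b0d80c5521b017",  # Tobfy, Bill Me Later
}
# Extensions Windows will execute on double-click (assumed list; tune to policy).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # refuse to inflate anything larger (zip-bomb guard)


def build_sample_eml():
    """Construct a message mimicking the campaign: spoofed From, ZIP with an .exe inside."""
    fake_exe = b"MZ" + b"\x00" * 38          # constructed stand-in, NOT real malware
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INVOICE_FORM.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "Ebay <customer@ebaybill.com>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Immediately pay off the debt! #id81490"
    msg.set_content("Please open the attached file to view invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="INVOICE_FORM.zip")
    return msg.as_bytes()


def is_known_bad(sha256_hex):
    return sha256_hex.lower() in KNOWN_BAD_SHA256


def inspect_zip(data):
    """Return (member, sha256, reason) for every suspicious member of a ZIP blob."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<container>", hashlib.sha256(data).hexdigest(), "not a valid zip")]
    for info in zf.infolist():
        if info.is_dir():
            continue
        if info.file_size > MAX_MEMBER_BYTES:
            findings.append((info.filename, "", "declared size over cap, not inflated"))
            continue
        payload = zf.read(info)
        digest = hashlib.sha256(payload).hexdigest()
        reasons = []
        if info.filename.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("executable extension")
        if payload[:2] == b"MZ":                 # PE files start with the DOS 'MZ' stub
            reasons.append("PE (MZ) header")
        if is_known_bad(digest):
            reasons.append("matches known-bad SHA256")
        if reasons:
            findings.append((info.filename, digest, ", ".join(reasons)))
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and return one finding dict per suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            for member, digest, reason in inspect_zip(data):
                results.append({"attachment": name, "member": member,
                                "sha256": digest, "reason": reason})
        elif name.lower().endswith(EXEC_EXTENSIONS):
            results.append({"attachment": name, "member": None,
                            "sha256": hashlib.sha256(data).hexdigest(),
                            "reason": "bare executable attachment"})
    return results


if __name__ == "__main__":
    for finding in triage_message(build_sample_eml()):
        print(finding)
```

The constructed sample yields a single finding for INVOICE_FORM.exe inside INVOICE_FORM.zip, flagged on both the extension and the MZ header even though its hash is unknown; the hash match only fires for samples already on the list, such as the two reported above. The size cap matters because the gateway inflates every member to hash it, which is exactly where a malicious archive can try to exhaust memory.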