Description
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a payment processing notification for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.
E-mail messages that are related to this threat (RuleID5556) may contain any of the following files:
CD092898.001596138316.zip
CD092898.098209832098.exe
The CD092898.098209832098.exe file in the CD092898.001596138316.zip attachment has a file size of 135,680 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0x2B5F05AD871505D105B3A1582F09C5A4
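A mail gateway or triage script can check a .zip attachment against the indicators above. The following Python sketch is an added example, not Cisco's code; the `scan_attachment` and `constructed_sample` names and the 50 MB member cap are assumptions, and the sample archive it builds is a benign, zero-filled stand-in.

```python
import hashlib
import io
import zipfile

# Indicators copied from the alert; it prints the MD5 with a 0x prefix.
ALERT_MD5 = "0x2B5F05AD871505D105B3A1582F09C5A4"[2:].lower()
ALERT_SIZE = 135_680
ALERT_NAMES = {"CD092898.001596138316.zip", "CD092898.098209832098.exe"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap so a zip bomb is never unpacked

def scan_attachment(filename, data):
    """Return (name, reason) findings for one zip attachment given as bytes."""
    findings = []
    if filename in ALERT_NAMES:
        findings.append((filename, "attachment name listed in alert"))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [(filename, "not a readable zip")]
    with archive:
        for info in archive.infolist():
            name = info.filename
            is_exe = name.lower().endswith(".exe")
            if is_exe:
                findings.append((name, "executable inside zip"))
            if name.rsplit("/", 1)[-1] in ALERT_NAMES:
                findings.append((name, "member name listed in alert"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((name, "member too large to hash"))
                continue
            try:
                body = archive.read(info)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                findings.append((name, "member could not be read"))  # encrypted or corrupt
                continue
            if hashlib.md5(body).hexdigest() == ALERT_MD5:
                findings.append((name, "MD5 matches alert"))
            elif is_exe and len(body) == ALERT_SIZE:
                findings.append((name, "size matches alert, hash differs"))
    return findings

def constructed_sample():
    """Benign constructed stand-in: alert's member name and size, zero-filled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("CD092898.098209832098.exe", b"\0" * ALERT_SIZE)
    return buf.getvalue()
```

An executable inside a .zip is reported even when the hash does not match, since file names and hashes change between spam runs while the delivery pattern stays the same.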
The following text section is a sample of the e-mail message that is associated with this threat outbreak:
Subject: PAYVE - Remit file
Message Body:
A payment(s) to your company has been processed through the American Express Payment Network.
The remittance details for the payment(s) are attached (CD092898.001596138316.zip). The remittance file contains invoice information passed by your buyer.
Please contact your buyer for additional information not available in the file. The funds associated with this payment will be deposited into your bank account according to the terms of your American Express merchant agreement and may be combined with other American Express deposits.
For additional information about Deposits, Fees, or your American Express merchant agreement:
To view information on payments from another date on the website or if you are unable to open the attachment:
Go online to the website at hxxps://bip.americanexpress.com/bip/customer/login.do
You can also view PAYVE payment and invoice level details using My Merchant Account/Online Merchant Services.
For quick and easy enrollment, please have your American Express Merchant Number, bank account ABA (routing number) and DDA (account number) on hand.
This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.
Copyright 2010 American Express Company. All rights reserved
Contact Customer Service: hxxps://www.americanexpress.com/messagecenter
Source: Cisco