Fake Secure Email Notification

Today I received an email saying I had a secure message waiting for me from Fiserv, Inc. (a global provider of financial services technology), and that I needed to download and open the attached zip file to view it. While it is possible Fiserv would want to communicate via a secure system, I have never done any business with Fiserv, so my scam flags were already raised.

Here is the body of the email message I received:

Subject: Fiserv Secure Email Notification – 2QTENYPDRS226IB

Message: “Encryption

You have received a secure message

Read your secure message by opening the attachment, Notification_2QTENYPDRS226IB.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.015.2496.

2000-2013 Fiserv Secure Systems, Inc. All rights reserved.”

Of course I did NOT open the attached zip file called:
Notification_2QTENYPDRS226IB.zip

This zip file most likely contains a virus that will run as soon as the extracted file inside it is opened on the computer.

I did further investigation into the email headers and found:

Received: from unknown (HELO smtpout.zixmail.net) (63.71.8.106) by zimx.onyxlight.net with SMTP; Tue, 2 Apr 2013 22:14:52 +0500

Now I can be pretty sure that this is a hoax email scam meant only to spread a computer virus onto an unsuspecting user's computer.
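As an added example (not part of the original post), here is a small Python check that turns the signals used above into something repeatable: it parses the quoted Received line, flags that the receiving server could not reverse-resolve the connecting IP (so the HELO name is an unverified claim), compares the HELO domain against the purported sender domain, and spots the "Notification_<token>.zip" lure whose token matches the subject. The message is constructed from the header and body quoted in this post; the From: line is an assumption, since the post does not show it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample assembled from the Received line and body quoted in the post.
# The From: header is an assumption; the post does not reproduce it.
SAMPLE = (
    "Received: from unknown (HELO smtpout.zixmail.net) (63.71.8.106)"
    " by zimx.onyxlight.net with SMTP; Tue, 2 Apr 2013 22:14:52 +0500\r\n"
    "From: Fiserv Secure Email <noreply@res.fiserv.com>\r\n"
    "Subject: Fiserv Secure Email Notification - 2QTENYPDRS226IB\r\n"
    "\r\n"
    "You have received a secure message\r\n"
    "Read your secure message by opening the attachment,"
    " Notification_2QTENYPDRS226IB.zip. To access from a mobile device,"
    " forward this message to mobile@res.fiserv.com.\r\n"
)

# Matches the qmail-style "from <rdns> (HELO <claim>) (<ip>) by <host>" layout seen above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+\((?P<ip>[\d.]+)\)\s+by\s+(?P<by>\S+)"
)

def parse_received(value):
    """Return rdns name, HELO claim, source IP and receiving host, or None if the layout differs."""
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else None

def registrable(host):
    """Crude last-two-labels domain for comparison (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def indicators(raw):
    """List the lure indicators a raw message exhibits; an empty list means none matched."""
    msg = message_from_string(raw)
    found = []
    rcv = parse_received(msg.get("Received", ""))
    if rcv and rcv["rdns"] == "unknown":
        found.append("received: IP %s has no reverse DNS, HELO name is unverified" % rcv["ip"])
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if rcv and from_domain and registrable(rcv["helo"]) != registrable(from_domain):
        found.append("received: HELO %s does not match From domain %s" % (rcv["helo"], from_domain))
    token = re.search(r"Notification\s+[-\u2013]\s+(\w+)", msg.get("Subject", ""))
    if token and re.search(r"Notification_%s\.zip" % re.escape(token.group(1)), msg.get_payload()):
        found.append("body: asks to open Notification_%s.zip matching the subject token" % token.group(1))
    return found

if __name__ == "__main__":
    for line in indicators(SAMPLE):
        print(line)
```

A real mail gateway would also check SPF/DKIM results and the attachment itself; this only encodes the header and body signals the post walks through.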

I did a quick Google search about this particular email virus scam and found an interesting Threat Outbreak Alert from Cisco in February 2013:

“Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain a secure message for the recipient. The text in the e-mail message attempts to convince the recipient to open the attachment and view the message. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

E-mail messages that are related to this threat (RuleID5286) may contain the following files:

Notification_K8XDS9NY.zip
EncryptedMessage.exe

The EncryptedMessage.exe file in the Notification_K8XDS9NY.zip attachment has a file size of 132,096 bytes. The MD5 checksum, which is a unique identifier of the executable, is the following string: 0xB20694AA43ED58B3550777DCF3ADB102

The following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: Fiserv Secure Email Notification – 232113549

Message Body:

Encryption
You have received a secure message
Read your secure message by opening the attachment, Notification_232113549.zip. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.fiserv.com to receive a mobile login URL.
If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.492.1202.
2000-2013 Fiserv Secure Systems, Inc. All rights reserved.

Cisco Security Intelligence Operations analysts examine real-world e-mail traffic data that is collected from over 100,000 contributing organizations worldwide. This data helps provide a range of information about and analysis of global e-mail security threats and trends. Cisco will continue to monitor this threat and automatically adapt systems to protect customers. This report will be updated if there are significant changes or if the risk to end users increases.

Cisco security appliances protect customers during the critical period between the first exploit of a virus outbreak and the release of vendor antivirus signatures. E-mail that is managed by Cisco and end users who are protected by Cisco Web Security Appliances will not be impacted by these attacks. Cisco security appliances are automatically updated to prevent both spam e-mail and hostile web URLs from being passed to the end user.”

BEWARE of emails that seem suspicious that try to get you to download and execute a file. It is highly unlikely any business would communicate with you in this fashion. If you have received an email like the one in this article and you downloaded the email attachment, bring your computer into South City Computer today for a virus scan and virus removal, as your computer is probably infected with a computer virus, and could be performing malicious or illegal activity without your knowledge.
