Fake invoices from well-known companies in circulation

G DATA Security-Solutions protect against disguised malware

06/03/2014 | Bochum 

Numerous Internet users are currently being sent fake invoices via email from well-known telecommunications and banking companies, including Deutsche Telekom, Vodafone, O2, UBS, Sparkasse, Volksbank and more. Cyber criminals are using the emails to try to spread malware onto computers. In the messages, the fraudsters encourage recipients to settle supposed monthly payments. Recipients are asked to click on a link or open an attachment to obtain further information. What actually happens is that a malware file is transferred to the recipient's computer. The intention of the banking Trojans "Swatbanker" and "Bebloh" is to spy on and plunder the bank accounts of unsuspecting customers. The BankGuard technology integrated into all G DATA security solutions fended off the malware as soon as it showed up.


Invoice scam

The fraudsters are trying to use the fake invoices to get the email recipients to click on a link or open the attachment. But lurking behind this are the banking Trojans Swatbanker and Bebloh.

Users can recognise the email as fake from the fact that there is no personal salutation. In the case of the Deutsche Telekom invoice, there is no individual account number. The fake email should be deleted immediately. Recipients who are not sure whether the invoice is fake should ask the relevant company if they have an outstanding invoice.

If a recipient has already clicked on the download link or the attachment and allowed the malware to get into their computer, they should immediately deploy reliable, comprehensive antivirus software.


G DATA security solutions detect the malware

The link in the email leads to an .exe file disguised as a PDF document. 

Once run, the Swatbanker banking Trojan embeds itself on the victim's PC. The insidious part of the scam is that unsuspecting recipients are likely to go straight to their online banking system to transfer the amount. The Trojan then immediately records the account details.

The first wave of the current spam emails emerged in mid-May with supposed invoices from Deutsche Telekom and Vodafone. Since then, other companies such as Volksbank and Sparkasse have been impersonated as well. The attackers keep changing the URL pattern and the variants of the malware being used to make the attacks harder for AV solutions and potential victims to fend off.

The first emails contained a link to the malware, but now the emails are being sent with an attachment in .zip format. A new malware type called Bebloh is now being used as well, mainly in the form of an email attachment.
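As an added example (not code from the G DATA release or its SecurityLabs), a small Python checker that flags the three indicators described above: a generic, non-personal salutation, a link whose path ends in an executable extension although the name suggests a PDF, and a .zip attachment that contains an executable. The sample mail, the domain invoice.example.invalid and the executable extensions beyond .exe are constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass
from urllib.parse import urlparse

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")  # .exe is from the advisory; the rest are an assumption
GENERIC_SALUTATIONS = ("sehr geehrte damen und herren", "dear customer", "dear sir or madam")  # no name used

@dataclass
class Mail:
    body: str
    links: list        # URLs found in the message text
    attachments: dict  # filename -> raw bytes

def is_executable(name: str) -> bool:
    """True if the final extension is executable; catches 'Rechnung.pdf.exe' (disguised as a PDF)."""
    return name.lower().endswith(EXECUTABLE_EXTS)

def zip_executables(data: bytes) -> list:
    """Names of executable members inside a .zip; empty list if the bytes are not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_executable(n)]
    except zipfile.BadZipFile:
        return []

def check_invoice_mail(mail: Mail) -> list:
    """Return the indicators from the advisory that this mail exhibits (empty list = none found)."""
    findings = []
    if any(mail.body.lstrip().lower().startswith(s) for s in GENERIC_SALUTATIONS):
        findings.append("no personal salutation")
    for url in mail.links:  # the URL path, not the link text, decides what is downloaded
        if is_executable(urlparse(url).path):
            findings.append(f"link to executable: {url}")
    for name, data in mail.attachments.items():
        if is_executable(name):
            findings.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            for member in zip_executables(data):
                findings.append(f"executable inside {name}: {member}")
    return findings

def constructed_sample() -> Mail:
    """A mail built here to mimic the described campaign; constructed, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rechnung.pdf.exe", b"MZ placeholder, not a real binary")
    return Mail(body="Sehr geehrte Damen und Herren,\nIhre Rechnung fuer Mai finden Sie hier.",
                links=["http://invoice.example.invalid/Rechnung_Mai.pdf.exe"],
                attachments={"Rechnung.zip": buf.getvalue()})
```

Running `check_invoice_mail(constructed_sample())` reports all three indicators for the constructed mail; a genuine invoice mail addressed by name with a plain PDF attachment yields an empty list.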

G DATA SecurityLabs assume that different groups are behind the email attacks.

The BankGuard technology integrated into all G DATA security solutions fended off the malware as soon as it showed up.


Use a comprehensive security solution

Use of a comprehensive security solution is crucial for protection against dangerous emails and other malware in the future. The security software should be equipped with a malware scanner, firewall, and web, exploit and real-time protection. Also recommended is a spam filter for protection against unwanted email.


Further tips and a deeper analysis of the malware can be found at the G DATA SecurityBlog: https://blog.gdatasoftware.com/blog/article/massive-spam-campaign-returns-cridex-successor-swatbanker-is-spread.html

Christian Lueg