Fake SagePay Subscription emails via MailChimp mailing list systems delivering Gootkit Banking trojan

Haythem Elmir

I have been seeing a steady trickle of these Fake SagePay subscription emails over the last few days. Until today all copies I saw didn’t lead anywhere with the links already dead by the time I had received the email. Today, either I was much quicker or the downloads and the compromised mailing list have stayed active for longer.

An email with the subject "Sage Soft Subsc", pretending to come from "Oxfordshire Sage Support", contains a link in the email body that downloads a zip file. The zip contains a JavaScript file, which in turn downloads the Gootkit banking trojan.

These all come via legitimate mailing lists that are run by Mailchimp. I am sure none of the senders are knowingly sending these, and it looks like the criminals must either be using stolen credentials to log in to the Mailchimp system and send this malspam, or have found some vulnerability on the MailChimp system in order to do it. All the links in the email go to the MailChimp system and are then diverted to the malware site.

I am not sure how these mailing lists got the email address these were sent to. To the best of my knowledge the recipient’s email address was never signed up to any of the organisations or companies that have been misused in this malware campaign. The criminals must just be using a set of randomly chosen email addresses that they have obtained elsewhere. It is very unlikely that the recipient’s email addresses are genuinely on these mailing lists or have subscribed to them.

Today’s one has used oxfordshiremind.org.uk. A couple of days ago they came from The Sage Group <john=jlstudios.co.uk@mail165.sea51.mcsv.net>; on behalf of; The Sage Group <john@jlstudios.co.uk> (that one was down by the time I received the email).
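The two indicators the post describes, a MailChimp relay address in the sender headers and body links that pass through the MailChimp system, can be checked mechanically at the mail gateway. The Python triage script below is an added example, not code from the original post; the Sender/From addresses in the constructed sample reuse the ones quoted above, while the subject watchlist, the tracking URL and the list-manage.com domain (assumed here to be a MailChimp link-tracking domain) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# mcsv.net appears in the relay address quoted in the post; list-manage.com is
# assumed to be another MailChimp link-tracking domain.
MAILCHIMP_DOMAINS = ("mcsv.net", "list-manage.com")
# Subject strings from this campaign; a real deployment would keep a fuller list.
SUBJECT_WATCHLIST = ("sage soft subsc", "sagepay")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Relay address of the form user=theirdomain@mailNNN.seaNN.mcsv.net
RELAY_RE = re.compile(r"^[^@=]+=[^@]+@[^@]+\.mcsv\.net$", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()


def triage(raw_email):
    """Return a list of findings for one RFC 822 message; an empty list means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []
    subject = (msg.get("Subject") or "").lower()
    if any(k in subject for k in SUBJECT_WATCHLIST):
        findings.append("subject matches campaign watchlist: " + subject)
    # The relay address may sit in either Sender or From depending on the client.
    for header in ("Sender", "From"):
        _display, address = parseaddr(msg.get(header, ""))
        if RELAY_RE.match(address):
            findings.append(header + " is a MailChimp relay address: " + address)
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for url in URL_RE.findall(body):
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in MAILCHIMP_DOMAINS):
            findings.append("link routed through MailChimp domain: " + url)
    return findings


# Constructed sample message modelled on the headers quoted in the post; the URL is a placeholder.
SAMPLE = """Sender: The Sage Group <john=jlstudios.co.uk@mail165.sea51.mcsv.net>
From: The Sage Group <john@jlstudios.co.uk>
Subject: Sage Soft Subsc
Content-Type: text/plain; charset=utf-8

Your subscription invoice is ready: http://mail165.sea51.mcsv.net/track/click?u=CONSTRUCTED&id=1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A hit on the relay address or tracked link alone is not proof of malspam, since legitimate MailChimp campaigns show the same pattern; the combination with a watchlisted subject is what earns the message a closer look.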

They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

To read the original article: https://myonlinesecurity.co.uk/fake-sagepay-subscription-emails-via-mailchimp-mailing-list-systems-delivering-gootkit-banking-trojan/
