I have been seeing a steady trickle of these fake SagePay subscription emails over the last few days. Until today, none of the copies I saw led anywhere: the links were already dead by the time I received the email. Today, either I was much quicker, or the downloads and the compromised mailing list stayed active for longer.
These all come via legitimate mailing lists that are run by Mailchimp. I am sure none of the senders are knowingly sending these. It looks like the criminals are either using stolen credentials to log in to the Mailchimp system and send this malspam, or have found some vulnerability in the MailChimp system that lets them do it. All the links in the email go to the MailChimp system and are then redirected to the malware site.
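The pattern described above (a link that points at the mailing-list provider's click-tracking host and only redirects to the real destination afterwards) is easy to miss when the visible hostname belongs to a reputable service. The following triage helper is an added example and not code from the original article: it extracts the links from a message body, follows each redirect chain, and flags any chain that passes through a mailing-list tracking host and then lands on a domain unrelated to the list owner's own domain. The redirect table and the message body are constructed so the example runs offline; in a real tool the resolver would fetch each hop in an isolated sandbox with automatic redirects disabled. The tracking host list (`list-manage.com`, Mailchimp's click-tracking domain) and the two-label suffix set are simplifying assumptions; a production tool would use the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Click-tracking hosts used by mailing-list providers. list-manage.com is the
# Mailchimp tracking domain; the set is an assumption to extend for others.
TRACKING_HOSTS = {"list-manage.com"}

# Second-level public suffixes seen in UK sender domains. Simplification for
# the example; a real tool would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}

# Constructed redirect table standing in for live HTTP 30x responses, so the
# example runs offline. Key = tracking URL, value = where it redirects to.
REDIRECTS = {
    "https://example-list.list-manage.com/track/click?u=abc&id=001":
        "http://invoice-download.malicious.example/sagepay/subscription.php",
    "https://example-list.list-manage.com/track/click?u=abc&id=002":
        "https://www.list-owner.example/newsletter",
}

# Constructed message body: one link leads off-domain, one to the list owner.
BODY = """Your SagePay subscription invoice is ready.
<a href="https://example-list.list-manage.com/track/click?u=abc&id=001">View invoice</a>
<a href="https://example-list.list-manage.com/track/click?u=abc&id=002">Unsubscribe</a>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(body):
    """Return every http(s) URL found in a message body, in order."""
    return URL_RE.findall(body)


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (e.g. www.a.org.uk -> a.org.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_tracking_host(host):
    """True if host is, or is a subdomain of, a known tracking host."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRACKING_HOSTS)


def follow_chain(url, resolver, max_hops=5):
    """Follow redirects via resolver(url) -> next URL or None; stop on loops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = resolver(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage_link(url, sender_domain, resolver):
    """Classify one link relative to the domain the mail claims to come from."""
    chain = follow_chain(url, resolver)
    hosts = [urlparse(u).hostname or "" for u in chain]
    relayed = any(is_tracking_host(h) for h in hosts)
    if not relayed:
        verdict = "direct"
    elif is_tracking_host(hosts[-1]):
        verdict = "unresolved"      # tracking link did not redirect (dead link)
    elif registrable_domain(hosts[-1]) != registrable_domain(sender_domain):
        verdict = "suspicious"      # relayed through tracker to an unrelated domain
    else:
        verdict = "consistent"      # relayed, but lands on the list owner's domain
    return {"url": url, "chain": chain, "final_host": hosts[-1], "verdict": verdict}


def triage_email(sender_address, body, resolver):
    """Triage every link in a message against the sender's domain."""
    sender_domain = sender_address.rsplit("@", 1)[-1]
    return [triage_link(u, sender_domain, resolver) for u in extract_urls(body)]


if __name__ == "__main__":
    for result in triage_email("newsletter@list-owner.example", BODY, REDIRECTS.get):
        print(result["verdict"], "->", " => ".join(result["chain"]))
```

A "suspicious" verdict on its own is not proof of compromise (list owners do legitimately link to third-party sites), but on a message with a payment-themed subject from a list the recipient never joined, it is exactly the signal worth escalating.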
I am not sure how these mailing lists got the email address these were sent to. To the best of my knowledge the recipient's email address was never signed up to any of the organisations or companies that have been misused in this malware campaign. The criminals must simply be using a set of randomly chosen email addresses obtained elsewhere. It is very unlikely that the recipients' email addresses are genuinely on these mailing lists or have subscribed to them.
Today's one used oxfordshiremind.org.uk. A couple of days ago they came from "The Sage Group <firstname.lastname@example.org> on behalf of The Sage Group <email@example.com>" (that one was down by the time I received the email).
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.
To read the original article: https://myonlinesecurity.co.uk/fake-sagepay-subscription-emails-via-mailchimp-mailing-list-systems-delivering-gootkit-banking-trojan/