MasterCard spam leads to Fake AV

We’re seeing a significant “spam with attached malware” campaign over the past 48 hours, with the attachment MD5s varying from message to message.


The username portion of the email sender is random but follows a consistent pattern, including a classic misspelling. Usernames are a single word, followed by a “.”, “_” or “-”, followed by a two- or three-digit number. The most popular words (by far) are “manager” and “support”, but we’ve also seen “admin”, “administration”, “alerts”, “cunsumer”, “delivery”, “e-file”, “finance”, “frboard-webannouncements”, “govdelivery”, “information”, “inspector”, “news”, “news-alerts”, “no-reply”, “protection”, “public”, “report”, “service”, “stats”, “subscriber”, “subscriptions”, “usttb” and “webannouncements”.

The attached file is actually a “.com” executable with a random-seeming filename in the format “id” followed by a 5-7 digit number (such as
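The two naming patterns above (sender username and attachment filename) are simple enough to turn into a mail-gateway rule. The following is an added example, not code from the original post or from Quick Heal: it encodes the patterns as regular expressions, runs them over a few constructed sample messages, and flags for quarantine any message that matches both. The word list is the one enumerated above; sample addresses and filenames are constructed, not real captures.

```python
import re
from typing import List, Dict

# Sender local-part pattern from the post: one of the observed words, then ".", "_"
# or "-", then a two- or three-digit number (e.g. manager.42, support_123).
SENDER_WORDS = [
    "manager", "support", "admin", "administration", "alerts", "cunsumer", "delivery",
    "e-file", "finance", "frboard-webannouncements", "govdelivery", "information",
    "inspector", "news", "news-alerts", "no-reply", "protection", "public", "report",
    "service", "stats", "subscriber", "subscriptions", "usttb", "webannouncements",
]
SENDER_RE = re.compile(
    r"^(?:" + "|".join(re.escape(w) for w in SENDER_WORDS) + r")[._-]\d{2,3}$"
)

# Attachment naming pattern from the post: "id" + 5-7 digits + ".com".
ATTACHMENT_RE = re.compile(r"^id\d{5,7}\.com$", re.IGNORECASE)


def classify(sender: str, attachments: List[str]) -> Dict[str, object]:
    """Report which campaign indicators a message matches.

    sender: the full From address; attachments: filenames of attached files.
    A message matching both indicators is recommended for quarantine.
    """
    local_part = sender.split("@", 1)[0].lower()
    sender_hit = bool(SENDER_RE.match(local_part))
    attachment_hits = [a for a in attachments if ATTACHMENT_RE.match(a)]
    return {
        "sender_match": sender_hit,
        "attachment_match": attachment_hits,
        "quarantine": sender_hit and bool(attachment_hits),
    }


# Constructed sample messages (not real captures from the campaign).
SAMPLES = [
    ("manager.42@example.com", ["id123456.com"]),        # both indicators
    ("support_7@example.com", ["id1234567.com"]),        # number too short (1 digit)
    ("alice@example.com", ["report.pdf"]),               # benign
    ("news-alerts-123@example.com", ["ID98765.COM"]),    # case-insensitive match
]

if __name__ == "__main__":
    for sender, files in SAMPLES:
        print(sender, files, classify(sender, files))
```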

When the file is launched, it attempts to connect to any of a long list of domains that were probably produced by a DGA (Domain Generation Algorithm), so this list would likely differ at other times or on other days. The purpose of the malware appears to be just another fake anti-virus product. Here’s the scan that kicked off:

After the scan, as expected, I was constantly reminded of the grave danger I was in:

Quick Heal Total Security tags such fraudulent emails as spam, so users stay protected.
Quick Heal also detects the malicious attachments and the installed rogueware files.

Ranjeet Menon
