Keyboard equipped with a red ransomware euro button.

Eurocentric Ransomware Spam in Circulation

Someone is attempting to Malware-bait customers of companies sprinkled throughout Europe, specifically those dealing with energy services and postal deliveries. As with most spam campaigns,  it’s likely that the emails are being sent out on a random basis, with the scammers banking on some of them ending up with people making use of the organisations mentioned in the missives.

A few days ago, Posten Norge was the subject of “A package is waiting for you” mails aimed at users of the service. Those emails directed curious individuals to a fake Posten Norge site, redirecting any visitors not sitting behind a Norwegian IP to Google. The fake site asked for a CAPTCHA to be entered before offering up its Malware file, which – if run – would attempt to download TorrentLocker.

Here’s a similar escapade, using the same file (with a different name), this time targeting customers of Italian gas & electricity company Enel. We haven’t seen an email at time of writing with regards the below example, but it seems improbable that the first step of this scam doesn’t involve fake emails. The URL in question is

enel-bolletta24(dot)net/t93hri(dot)php?id

As with the Norway-centric scam, the scammers have bouncers on their virtual doors – if you’re not running an Italian IP, you’re not coming in. Have fun with that Google redirect.

For anybody else given exclusive access (which is, as it turns out, the worst kind of exclusive access) they’ll see the below fake Enel page:

Fake power portal

Just above the CAPTCHA, the text reads as follows:

To download information on your electricity bill, please enter the number shown in the image below

Once again, the people behind these fake service pages are locking down their scams with a CAPTCHA. If you just try to bypass the page without typing anything, or typing in the wrong number, nothing will happen. Apparently they really like the number 26974.

CAPTCHA file download

The .zip contains what appears to be a PDF named bolletta_299965, “Bolletta” meaning “Bill”.

Fake PDF

Unfortunately for the person about to open the file, this isn’t a harmless PDF bill – we have another example of a rogue .SCR file. As with the fake postal site, the Malware tries to call a C&C to grab the Ransomware component. The C&C appears to be offline at time of writing, but could just as easily come back (and depending on how everything is put together behind the scenes, losing your C&C is not really a big deal anymore).

Users of Malwarebytes Anti-Malware will find we detect this file as Trojan.Inject.

Whether we’re dealing with missed deliveries or energy bills, it pays to ensure what you’ve been sent is the real deal – it’s likely that there are more mails out there targeting a variety of potential victims. If in doubt, contact the company you’re dealing with directly – and make sure you’re backing up your files.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.