Vodafone MMS spear phishing messages spreading

Cyber criminals are targeting users by spreading an email message claiming to be from the Vodafone MMS gateway. I had two of these land in my inbox last night. The subject of the email is “You have received a new message” and the message claims you have been sent a picture. Let’s take a further look at this nasty phishing email.

Looking at the content of the email, you will see what looks like a legitimate sending mobile number from [email protected], but it isn’t. So don’t open the attachment! The messages contain an attached zip file, “Vodafone_MMS.zip”. If you unzip the file (I suggest you don’t, folks!), a file called “Vodafone_MMS.jpg.exe” will execute and install malware onto your PC. As of now, our friends at VirusTotal claim that only 8 of the 44 anti-virus engines they use identify this malware strain.
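The double extension on “Vodafone_MMS.jpg.exe” is something a mail filter can check for without unpacking the attachment. The sketch below is an added example, not part of the original post: the extension lists and the function names are assumptions, and the sample archive is constructed in memory from filler bytes.

```python
import io
import zipfile

# Extensions Windows runs on double-click (not exhaustive) and common decoys.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}


def classify_name(name):
    """Return 'double-extension', 'executable' or None for an archive entry name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]  # strip() defeats "a.jpg   .exe"
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_zip(data):
    """Return (entry, finding) pairs for a zip held in memory; nothing is written to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            verdict = classify_name(info.filename)
            if verdict is None and not info.is_dir():
                if info.flag_bits & 0x1:
                    verdict = "encrypted"  # content cannot be inspected
                else:
                    with archive.open(info) as fh:
                        if fh.read(2) == b"MZ":  # Windows executables start with "MZ"
                            verdict = "pe-header"
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample():
    """Constructed sample archive; the 'exe' bytes are filler, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Vodafone_MMS.jpg.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        archive.writestr("picture.jpg", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

The “MZ” check is a heuristic that also catches an executable renamed to a plain image name; a text file that happens to start with those two letters would be flagged too.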

The file copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides under SunJavaUpdateSched to launch when Windows first boots. The suspicious actions of this malware include copying itself to other folder locations on your PC; creating autorun records (this means that if you remove the malware, it could re-populate, i.e. in your system folder location; also see the next point); and injecting code into other Windows processes (which can make it tricky to remove all the malicious objects). Thanks to the guys at Comodo for this analysis.

My advice, if you are a Vodafone customer (as you are most likely to click this; social engineering isn’t a new trick used by cyber criminals): delete this email from your Windows PC, and don’t forget to delete it from any mobile devices that you are using to receive email too!

Safe surfing folks!


9 Responses to Vodafone MMS spear phishing messages spreading

  1. Stephen Plesniak says:

    Does it affect Macs? What should I do if I have opened it on a Mac? Thanks

  2. SD says:

    Thanks for the info! Had one of these this morning. Went onto Google, found your info – Sorted xx Thanks

  3. Sam says:

    So what should you do if you were daft enough to ……… Any advice welcome, thanks

    • Julian says:

      #Sam# Make sure you are using the latest virus updates and run a complete (full) scan of your Windows system. If that doesn’t find anything, then you might want to restore your Windows computer (i.e. Windows 7) to an earlier point in time first. Control Panel > All Control Panel Items > Recovery, then click “Open System Restore”, click “Next” and you should now see one or more automatic restore points.

  4. Rob Wilson says:

    I have a mms vodafone message and there’s a mobile number attached. The woman who answers the phone will not say who she is or who she works for other than the ‘message is not for me’?! My Blackberry informs that a virus has been removed.

  5. HSN says:

    I believe I clicked on the file and it’s on my mobile – what should I do?

  6. Sean says:

    I received one this morning and Google brought up this page, so thank you for the information. I was immediately suspicious, but the email is very well done (correct formatting, HTTP links) that it will no doubt fool quite a few people.
