Fake “Department of Treasury Notice of Outstanding” Emails Carry Malware

Malware attached to fake Department of Treasury emails

Over the past weeks, malicious emails purporting to come from salesforce.com and entitled something like “Department of Treasury Notice of Outstanding” have been landing in inboxes. The notifications have nothing to do with salesforce.com or the Department of Treasury.

“Important please review and sign the attached document! We have received notification from the Department of the Treasury, Financial Management Service (FMS) that you have an outstanding obligation with the Federal Government that requires your immediate attention,” the fake emails read.

“In order to ensure this condition does not affect any planned contract or grant activity, please review and sign the attached document and if you are unable to understand the attached document please call FMS at 1-800-304-3107 to address this issue.”

Dynamoo’s Blog reports that the file that’s attached to these emails is called “FMS-Case-H6SYVMK704BX4AL.zip.” The archive file contains an executable named “FMS-Case-{_Case_DIG}.exe.”

This .exe file is actually a piece of malware that’s designed to download additional threats to the infected computer. Currently, over two dozen of the antivirus engines from VirusTotal can detect the threat.

This means that if your computer is running an updated antivirus, the malware will likely be neutralized before it can download anything else on the device.

However, the cybercriminals behind the campaign periodically change the piece of malware they attach to the fake emails. That’s why it’s important to avoid downloading and executing suspicious files received in unsolicited communications. Also, users should refrain from clicking on links contained in spam.

The easiest way to tell if an email is legitimate is to check the attachment. If the attached file is a .zip archive or a .exe, you’re most likely dealing with a cybercriminal scheme.

If you’re a victim of this attack, scan your computer with an updated antivirus to make sure it’s not infected.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s