“Payment request from” emails carry dangerous payload

Graham Cluley
Graham Cluley
@[email protected]

Cybercriminals are up to their dirty tricks again, this time spamming out en masse a dangerous email carrying a Trojan horse.

The emails pretend to come from the “Customer Support” division of an online banking organisation and be in connection to payments requested from a variety of different organisations, using the subject line:

payment request from "[company name]"

Here’s just a small sample of the possible subject lines:

Sign up to our free newsletter.
Security news, advice, and tips.

Payment request email contains malware

Here’s the text of a typical email, but remember that the company’s name and the amount of money that they are requesting payment for can vary:

We recorded a payment request from "Time Warner Cable" to enable the charge of $66.10 on your account.

The payment is pending for the moment.

If you made this transaction or if you just authorize this payment, please ignore or remove this email message. The transaction will be shown on your monthly statement as "Time Warner Cable".

If you didn't make this payment and would like to decline it, please download and install the transaction inspector module (attached to this letter).

Attached to the email is a file called module.zip.

Payment request malware email example

Sophos proactively detects the attached malware as the Mal/EncPk-LP Trojan horse.

It’s clear that the hackers behind this attack are deliberately using a wide variety of company names and different payment amounts to try and make it harder to spread a warning about this threat. Remember to always be suspicious of unsolicited attachments.

If you panic and open the attachment thinking that you may be being billed in error, you could find that you have made a costly mistake.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.