No, you haven’t hired a toilet. You’ve been sent malware

Graham Cluley

I work from home.

My home has a loo.

It’s a short distance to the loo from my home’s study, where I blog about security, play online chess, and tweet about Doctor Who.

I mean I blog, play chess, and tweet from the study. Not the loo.


Honest.

Anyway… the point is this: I have no need to hire a toilet.

And that’s why I knew I should be wary of the email I received this morning.

Toilet hire email

Subject: GS Toilet Hire – Invoice (SI-523) for £60.00, due on 28/02/2016

Message body:

Good morning

Thank you for your business – we’re pleased to attach your invoice in PDF. Please bear in mind that if we are in the area the price is reduced to £15+vat per visit.

Full details, including payment terms, are included.
If you have any questions, please don’t hesitate to contact us.

Kind regards,

Linda Smith
Office, GS Toilet Hire

Direct enquiries
Glenn Johnson
07930 391 011

Attached file: Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip

So, at this point you’re thinking… okay, I’ve been sent a ZIP archive file and inside the ZIP file there will be a boobytrapped PDF that will exploit some nasty Adobe vulnerability to infect my computer. Yeah? Well, not quite.

Because when I unzipped the file there wasn’t a PDF file inside, but a highly obfuscated JavaScript instead.

Obfuscated javascript

As security blogger Conrad Longmore describes (he, like me, received the malicious email, and has no need to hire a lavatory, I imagine), the code downloads malware from the net, specifically a version of the Dridex banking Trojan.

Recent Dridex malware attacks have been launched via boobytrapped macros inside Word documents rather than JavaScript, so it’s interesting to see the bad guys take this particular approach.

Anti-virus scanner detection rates for this particular malware campaign (both the ZIP and the JS file) are currently quite low according to VirusTotal, although it is possible that other countermeasures running on your computer would protect you.
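One countermeasure of that kind, as an added example that is not part of the original post: a mail-gateway style check that opens a ZIP attachment in memory and flags script files inside it, including the case above where the archive name promises a PDF and none is present. The extension lists, function names and the sample member name are assumptions chosen for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example: types Windows runs on double-click, and common document types.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr", ".exe"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def inspect_zip_attachment(filename, data):
    """Return a list of findings for a ZIP attachment; an empty list means nothing flagged."""
    findings = []
    # "Invoice.pdf.zip" -> the archive name claims to contain a PDF.
    claimed = PurePosixPath(filename.lower()).suffixes[-2:-1]
    claimed_ext = claimed[0] if claimed and claimed[0] in DOC_EXTS else None
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable ZIP archive"]
    with archive:
        members = [i for i in archive.infolist() if not i.is_dir()]
        exts = [PurePosixPath(i.filename.lower()).suffix for i in members]
        for info, ext in zip(members, exts):
            if info.flag_bits & 0x1:  # bit 0 set: member is encrypted, so it cannot be scanned
                findings.append(f"encrypted member (cannot be scanned): {info.filename}")
            if ext in SCRIPT_EXTS:
                findings.append(f"script/executable inside archive: {info.filename}")
        if claimed_ext and claimed_ext not in exts:
            findings.append(f"archive name claims {claimed_ext} but none inside")
    return findings


def build_sample(member_name, content=b"// harmless constructed placeholder\n"):
    """Build a constructed ZIP in memory; the member name and content are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Attachment name from the email above; the .js member name is constructed.
    sample = build_sample("constructed_invoice.js")
    for line in inspect_zip_attachment("Sales_Invoice_SI-523_GS Toilet Hire.pdf.zip", sample):
        print(line)
```
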

Of course, it’s worth remembering that the criminals behind this attack are not banking on you being in the habit of hiring toilets. Their hope is that you will be so shocked to receive an invoice for hiring a loo that you will click on the attachment without thinking and infect your computer.

Here are my two pieces of advice for you:

Firstly, always be suspicious of unsolicited emails which arrive out of the blue. Especially if they have a potentially dangerous file attached. If you weren’t expecting it, dump it.

And, number two, combine keeping your wits about you with an up-to-date layered defence to reduce the chances that you will be flushing your security down the pan.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “No, you haven’t hired a toilet. You’ve been sent malware”

  1. drsolly

    I got the same spam, and blogged about it
