Beware of emails that pretend to come from STU ERGO Hestia and the Tomfis accounting office
This morning our reader Konrad forwarded us two messages that had been delivered to him from the same IP address, which connected to the mail servers of two different entities. The fraudster, using alleged invoices, tries to impersonate the insurance company STU ERGO Hestia SA and the accounting office "Tomfis":
In the attachment we send correspondence regarding the return of the surplus.
Therefore, we ask you to submit an order specifying the form of payment enabling its return.
The fastest form of refund implementation is a bank transfer, so we encourage you to indicate the number of the bank account to which the transfer will be made.
The order can be submitted by phone by contacting the Ergo Hestia Infoline (available 24 hours on 801 107 107).
STU Ergo Hestia SA
And the second message:
In the attachment I am sending copies of payments for June taxes.
Accounting Office "Tomfis"
ul. Tatrzańska 2
One of the attachments, FV_2045.zip, contains a file FV_2045.vbs that impersonates an invoice in a very primitive way. Launching it starts the wscript.exe system process (Windows Script Host, used to run script files), which connects to TCP/220.127.116.11 but does not download any additional content. So this is either an unsuccessful attempt at a downloader (which is unlikely) or an attempt to identify victims before a larger campaign; we therefore recommend caution when opening suspicious invoices of this type and installing reputable antivirus software.
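As an added defender-side example (not code from the original article or from the reader's messages), the two checks below catch this lure pattern: an invoice-named archive whose member is a Windows script file, and a script host such as wscript.exe opening a network connection. The archive contents, the destination IP and the Sysmon-style event lines are all constructed for the example.

```python
"""Constructed detection helpers for the FV_2045.zip -> .vbs -> wscript.exe pattern."""
import io
import re
import zipfile

# File types Windows Script Host or the shell will execute directly.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
# Script-host binaries that rarely have a reason to talk to the network.
HOST_INTERPRETERS = ("wscript.exe", "cscript.exe", "mshta.exe")


def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose extension is an executable script type."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                flagged.append(info.filename)
    return flagged


def build_lure_zip() -> bytes:
    """Constructed sample mimicking the lure: an 'invoice' archive holding one .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FV_2045.vbs", "' placeholder body, not the real script\n")
    return buf.getvalue()


# Constructed Sysmon Event ID 3 (network connection) style lines; 203.0.113.x is documentation space.
SAMPLE_EVENTS = [
    "EventID=3 Image=C:\\Windows\\System32\\wscript.exe DestinationIp=203.0.113.10 DestinationPort=80",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=203.0.113.20 DestinationPort=443",
]


def interpreter_connections(events: list[str]) -> list[tuple[str, str]]:
    """Return (image, destination IP) pairs where a script host made an outbound connection."""
    hits = []
    for line in events:
        m = re.search(r"Image=(\S+)\s+DestinationIp=(\S+)", line)
        if m and m.group(1).lower().endswith(HOST_INTERPRETERS):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(script_members(build_lure_zip()))        # ['FV_2045.vbs']
    print(interpreter_connections(SAMPLE_EVENTS))  # wscript.exe -> 203.0.113.10
```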
We could not examine the attachment of the second message because the file was blocked by anti-virus scanning at the mail provider's server, which protected the recipient from its content.
The message masquerading as the accounting office is sent from the server:
alt201.rev.netart.pl ([18.104.22.168]: 55503)
The message masquerading under STU Ergo Hestia is sent from the server:
The spammer connects to the above mail servers from the following address:
The lure attachment FV_2045.zip after unpacking (the attachment from the second message was blocked by the anti-spam filtering integrated with the mail server):