
SANS Internet Storm Center, InfoCON: green: "Transport of London" Malicious E-Mail, (Mon, Sep 28th)


This morning, I received several e-mails with the subject "Email from Transport of London". The attacker even picked a plausible From address, noresponse@cclondon.com. This domain is used by Transport of London for information about London's congestion charge.

The domain does have an SPF record defined, making it easy to reject the emails as spam:

v=spf1 include:spf.messagelabs.com -all

This SPF record would allow all hosts listed in Messagelabs' SPF record to send e-mail on behalf of cclondon.com. Interestingly, the e-mail seems to include a fake Received header, listing a cclondon.com host: Mon, 28 Sep 2015 10:39:59 GMT@*****>

Since my server (mail.dshield.org) states that it received the e-mail directly from 77.27.161.151, apparently a home user system, I doubt the second Received header is real.
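The two checks described above, the SPF lookup for the From domain and trusting only the Received header written by your own server, as an added example that is not part of the diary. It uses a constructed message modelled on the one described, and an offline stand-in for DNS in which the messagelabs netblock is a placeholder (192.0.2.0/24); the cclondon.com record is the one quoted above.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the diary's scenario (not the real message).
# The topmost Received line was added by our own MX; the second one arrived
# inside the message and is therefore attacker-controlled.
SAMPLE = """Received: from [77.27.161.151] (helo=cclondon.com)
    by mail.dshield.org with smtp; Mon, 28 Sep 2015 10:40:12 +0000
Received: from mail.cclondon.com (mail.cclondon.com [203.0.113.10])
    by cclondon.com; Mon, 28 Sep 2015 10:39:59 GMT
From: noresponse@cclondon.com
Subject: Email from Transport of London

Please see the attached document.
"""

# Offline stand-in for DNS TXT lookups. cclondon.com's record is the one
# quoted in the diary; the messagelabs netblock is a placeholder (192.0.2.0/24).
SPF_RECORDS = {
    "cclondon.com": "v=spf1 include:spf.messagelabs.com -all",
    "spf.messagelabs.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}

def connecting_ip(raw):
    """IP from the topmost Received header, the only hop our own server vouches for."""
    top = message_from_string(raw).get_all("Received")[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    return m.group(1) if m else None

def spf_check(domain, ip, depth=0):
    """Evaluate ip4/include/all mechanisms only; returns pass, fail, softfail or none."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:          # RFC 7208 caps include recursion at 10
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.startswith("include:") and spf_check(term[8:], ip, depth + 1) == "pass":
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail"}.get(term[0], "pass")
    return "neutral"

def verdict(raw):
    """SPF result for the From domain, evaluated against the real connecting IP."""
    msg = message_from_string(raw)
    domain = msg["From"].rsplit("@", 1)[-1].strip("<> ")
    ip = connecting_ip(raw)
    result = spf_check(domain, ip)
    return {"ip": ip, "domain": domain, "spf": result, "reject": result == "fail"}
```

The forged inner Received header never enters the decision: the source address comes from the header our own MX wrote, and 77.27.161.151 is not covered by the included record, so the `-all` term yields a hard fail.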

These emails do not only target Londoners, but appear to also use Subject lines like:

Toll road bill notice
Outstanding toll road payment notice

The London Transport one was, however, the only one I saw that played the trick with a valid-looking From address.

Sadly, anti-virus coverage for the obviously malicious attachment is dismal, with 4 out of 55 on VirusTotal (F-Secure being the only name brand


[1]https://www.virustotal.com/en/file/80237fc10155567a68163bfd5bbf0afc5cb521bfdd1d486e1c3682083b5f61f8/analysis/1443436044/

---
Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
