Update 2014-01-10: This malicious campaign has expanded to include emails that masquerade as bills from NTTCable and from VolksbankU
Update 2014-01-21: We’ve updated the chart to include the Vodafon emails and latest URL activity
English language has emerged as the language of choice for international commerce. Since people throughout the world are used to receiving English language emails, spammers have
also adopted the English language as the means of getting their message to large numbers of international recipients. However, spam messages that are written in a local language and that reference local companies can be particularly enticing for recipients to open because they do not expect malicious messages to be written in anything other than English. Cisco has observed and blocked a large number of malicious spam messages written in German language masquerading as phone billing statements. Initially the spam run masqueraded as Telekom Deutschland, with subsequent messages masquerading as messages from NTTCable and Volksbank.
Cisco TRAC was able to locate what appears to be a single attack attempt, likely a test run, on 2013-12-16 however the majority of the attack started on 2014-01-05 and is ongoing. The malware is currently targeting users as depicted in the heap map below. The vast majority of attacks are occurring in Germany. It is reported that the end goal of this malware is to harvest credentials.
This heat-map represents the malicious URL activity we have detected and blocked: