Virus Sent to 123-reg Domain Name Customers

Customers and former customers of web domain registrar 123-reg, a trading name of Webfusion, have received spam-laden emails that appear to be invoices from the company. Per the business’ own website, 123-reg is the UK’s largest web domain registrar, having registered 3 million domain names.

Details are scant. Callers to 123-reg’s customer support line are played an automated recording of a message explaining that the email attachments contain a virus, and should not be opened. Visitors to the website are presented no information on their home page, and have to follow a link describing the ‘service status’ to discover this message:

“Copy of your invoice” email from 123-reg

Created: 12 May 2015, 11:01
Last Updated: —

It has been brought to our attention that invoice emails with the subject line: “Copy of your 123-reg invoice (123-015309323)” containing a .doc attachment have been sent out claiming to be from 123-reg.

We can confirm that these emails are not from 123-reg and the attachment does contain a virus.

For customers receiving these emails to their 123-reg email address, our anti-virus has detected and removed the virus. Most popular email providers should do the same; nevertheless, we strongly advise that you delete the email immediately without opening.

For future reference, invoices and receipts from 123-reg are sent out in pdf format.

Popular security website My Online Security has more details.

Copy of your 123-reg invoice ( 123-015309323 ) pretending to come from no-reply@123-reg.co.uk with a malicious word doc or Excel XLS spreadsheet attachment is another one from the current bot runs which try to download various Trojans and password stealers especially banking credential stealers, which may include cridex, dridex, dyreza and various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.

123-reg has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

The emails are impressive. The English is flawless, and the design shows an attention to detail. The 123-reg logo pictured above is a magnified version of the one embedded in the email.

All reports of this email attack date to within the last few hours. The attack is new, and it is unclear how many will ultimately receive one of these emails and fall victim to it. However, recipients should be safe if they have not enabled macros in Windows Office, or if they use a different operating system.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.