Virus alert 4 October - Invoice requests with referrals

[id : 482] [05/10/2017] [hits : 72664]


We advise users to be extremely vigilant with scanned documents or (fake) invoice/payment requests, etc. that look like PDFs or normal documents (Word, Excel, ...), even when they appear to have been sent from a address.

A campaign appears to be under way in which emails refer to the addresses of colleagues and seemingly originate from a address.

However, all these messages are fake and designed to mislead the recipients (in and out of the university), to lure them into responding to the message, opening the downloaded document or to make a (fraudulent) payment to a third party.

We therefore advise users to be extremely vigilant with scanned documents or (fake) invoice/payment requests, etc. that look like PDFs or normal documents (Word, Excel, ...), even when they appear to have been sent from a address.

Possible payloads are viruses and malware, including cryptolockers. A cryptolocker will encrypt all documents on the affected computer and attached drives (network or other), thus rendering those documents useless. Be extremely vigilant when receiving messages with attachments, from any source. DO NOT OPEN THESE ATTACHMENTS!

To mislead users, the sender is structured as follows:

From: Firstname.Lastname@ < some_other_address >

The recipient of the message will have the impression that the message was sent from Firstname.Lastname@ (which is also used in the signature of the message) but in reality, the real sender is the address <some_other_address>.
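
The sender structure described above can be checked mechanically. The following is an added example, not part of the original alert: it compares the address shown in the display name with the address in angle brackets. The function name check_from, the domain university.example and the sample headers are assumptions constructed for illustration.

```python
import re

# "display name <addr-spec>": the address a mail server actually uses is the one
# inside the last pair of angle brackets; everything before it is free text.
ANGLE = re.compile(r"^(?P<display>.*)<(?P<addr>[^<>]*)>\s*$", re.S)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def check_from(header_value, trusted_domains):
    """Classify a From header; returns (verdict, shown_address, real_address)."""
    value = " ".join(header_value.split())          # unfold continuation lines
    m = ANGLE.match(value)
    if not m:                                        # bare address, no display name
        return ("ok", None, value.lower())
    display = m.group("display").strip().strip('"')
    real = m.group("addr").strip().lower()
    shown = EMAIL.search(display)
    if shown is None:                                # ordinary name, no address in it
        return ("ok", None, real)
    shown_addr = shown.group(0).lower()
    if shown_addr == real:
        return ("ok", shown_addr, real)
    shown_dom = shown.group(1).lower()
    real_dom = real.rpartition("@")[2]
    # Display name claims an internal address, real sender is external or empty.
    if shown_dom in trusted_domains and real_dom not in trusted_domains:
        return ("spoofed-internal", shown_addr, real)
    return ("mismatch", shown_addr, real)

# Constructed samples; university.example stands in for the organisation's domain.
TRUSTED = {"university.example"}
SAMPLES = [
    "Firstname.Lastname@university.example <some_other_address@mailer.example>",
    '"Firstname.Lastname@university.example" <>',
    '"Laura De Clercq" <laura@mailer.example>',
    "Firstname.Lastname@university.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_from(s, TRUSTED)[0], "|", s)
```

A mail gateway or a triage script can apply the same comparison to quarantine or tag messages whose verdict is not "ok".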

Therefore, be extremely vigilant upon receiving messages with attachments, in particular if you use a computer with Windows.

If you have any doubt about a message with an attachment you have received, contact the ICT-Helpdesk.

If you are locked out of your computer or your documents have become inaccessible, immediately contact the ICT-Helpdesk. Do not try to fix the problem yourself or to restore your files from your backup, or you risk losing your backup as well.

Alert of 4 October - Frage zur Rechnung

From: email@ <>
Sent: Wednesday, October 04, 2017 5:39 AM
To: Name <Email>
Subject: Frage zur Rechnung

Examples of recent or notable cases:

From: Money Market <>
Subject: Invoice
Date: Mon, 31 Jul 2017 08:12:01 -0700

From: "Laura De Clercq" <>
Subject: C'est votre facture
Date: Wed, 3 May 2017 22:19:57 +0200

From: "Julien Stevens" <>
Subject: Votre facture
Date: Mon, 24 Apr 2017 19:28:22 +0200

Purchase invoice.

Thank you for your cooperation,
Julien Stevens

From: ASAS <>
Subject: Final Warning - Over Due Payment - Urgent Reminder!
Date: Fri, 21 Apr 2017 05:46:55 +0100
Attachment => .gz (contains .exe file with malware) => DO NOT OPEN

Dear Sir,
Please note that we cannot continue to contact you concerning our over
due payment.
We need our money and very soon, we will invite the police to your
office for arrest.
Find attached documents which you signed and kindy selttle your debts as
soon as possible.

From: "Bandenconcurrent" <>
Subject: Openstaande factuur
Date: Wed, 4 Jan 2017 00:30:13 +0100 (CET)

Subject: Attached Image
Date: 30 November 2016 at 10:27:24 GMT+1
Virus type: Trojan Downloader (macro virus)

From: Laetitia Dehaudt <>
Subject: Facture 521-9389231
Date: 30 Sep 2016 10:03:01 CEST
Virus Type: New cryptolocker variant

From: "Proximus" <>
Subject: Uw domiciliëring van de maand juli is mislukt
Date: Tue, 23 Aug 2016 06:08:44 -0700

From: Intrum Justitia <>
Subject: Uw Factuur
Date: Fri, 6 May 2016 07:56:34 +0000 (UTC)

From: KPN <>
Subject: Uw factuur
Date: Thu, 5 May 2016 10:37:11 +0200 (CEST)

From: CAS <>
Subject: le calcul des cotisations 8504 13483 - TV
Date: 26 Feb 2016 10:34:49 -0000

From: Scarlet klantendienst <>
Subject: Rekening - 05/2015
Date: 27 May 2015

About Ransomware viruses

Ransomware viruses are computer viruses (trojans) that, upon execution, will lock out the user from his/her computer, or, even worse, encrypt all documents on the computer and mounted shares, making those documents useless.

The virus will display a message on the computer stating that one should transfer a certain amount of money in order to regain access to the computer or documents. There is, however, no guarantee that paying will actually restore access.

Example of a ransomware message

From: Intrum Justitia <>
To: Email address
Subject: Openstaande Factuur.
Attachment:, 722.0 KBytes

Handled by: TransIP Domein Registratie
Direct phone no.: 088 - 452 71 31

Outstanding claim, IMPORTANT!

Dear Madam/Sir.

In the attached invoice we refer you to the reminder(s) you received earlier. We hereby give you the opportunity to pay the amount due of €93,50, with interest, within 14 days to our IBAN account number NL50ABNA0471467210 in the name of St. Derdengeleden Intrum Justitia Nederland B.V., quoting the reference number.

If payment is not received, we will be obliged to advise our client to start legal proceedings. The resulting costs will be entirely at your expense. For immediate payment and more information about this claim, go to our website. You can use the details stated on the invoice for this. You can also go there with any other questions.


Intrum Justitia

The extrajudicial collection costs may be increased by VAT in the event that the creditor is an entrepreneur
not liable for VAT within the meaning of Articles 7 and 11 of the Wet op de omzetbelasting 1968

Intrum Justitia Nederland BV, trading under the name Intrum Justitia
PO Box 84096 2508 AB Den Haag H.R. Den Haag 27134582
VAT no. NL008488666B01 Member of NVI

Interesting links

Ransomware (Wiki)
Peter Van Rossem -

Attached files are frequently sent as file which in turn contains an executable file (extensions include, but are not limited to, .exe, .scr, .lnk, .cab, ...) that installs the virus. Do not run this file!
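
The attachment pattern described above (an archive that contains an executable) can be screened without unpacking anything. The following is an added example, not part of the original alert: it lists the names stored inside a zip or gzip attachment and flags those ending in the extensions named here. The zip container, the function names and the sample file names are assumptions constructed for illustration.

```python
import gzip
import io
import zipfile

# Extensions named in the advisory; its list is explicitly not exhaustive.
RISKY = (".exe", ".scr", ".lnk", ".cab")

def gzip_member_name(data):
    """Return the original filename stored in a gzip header (FNAME), or None."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    flags, pos = data[3], 10
    if flags & 0x04:                      # FEXTRA: 2-byte length, then payload
        if pos + 2 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if not flags & 0x08:                  # FNAME field not present
        return None
    end = data.find(b"\x00", pos)
    return data[pos:end].decode("latin-1") if end != -1 else None

def risky_members(data):
    """Names inside a zip or gzip attachment that end in a risky extension."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()         # reads the directory only, extracts nothing
    else:
        name = gzip_member_name(data)
        names = [name] if name else []
    # Trailing dots and spaces are stripped so "file.exe." is still caught.
    return [n for n in names if n.lower().rstrip(". ").endswith(RISKY)]

def make_samples():
    """Build constructed attachments in memory; payloads are harmless text."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Facture.pdf.exe", b"placeholder, not a real executable")
        zf.writestr("readme.txt", b"text")
    gbuf = io.BytesIO()
    with gzip.GzipFile(filename="invoice.exe", mode="wb", fileobj=gbuf) as gz:
        gz.write(b"placeholder")
    return zbuf.getvalue(), gbuf.getvalue()

if __name__ == "__main__":
    for blob in make_samples():
        print(risky_members(blob))
```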

Other faked senders include Wehkamp Nederland and Scarlet (Belgian Internet provider) with so-called order confirmations or invoices. DO NOT OPEN THE ATTACHMENTS!
