Home Malware “Last Few Months Utility Bills” Emails Contain Malware

“Last Few Months Utility Bills” Emails Contain Malware

by Brett M. Christensen

Emails claim that an attached file contains copies of some utility bills that you have lost over the last few months.

Brief Analysis:
The emails are not legitimate business messages and the attachments do not contain any lost utility bills. Instead, the attachments contain malicious JavaScript files that, if opened, can download and install ransomware or other types of malware.

Subject: copies

Hi [name lifted from email address], [name removed] told me you have lost some of the last few months’ utility bills.
So, I am sending to you the copies saved in my computer. Let me know if I sent the right receipts.

Best Regards,
[name removed]

Detailed Analysis:
Emails that supposedly include copies of lost utility bills are currently hitting inboxes. The emails claim that someone told the sender that you had lost some utility bills from the last few months so he or she has attached saved copies of the missing bills.

However, the emails are not legitimate. If you open the .zip file attached to the emails, you will find that it contains a file with the extension “.js” (JavaScript). If you then click on this .js file,  malicious JavaScript will download and install malware on your computer.  The exact nature of this malware may vary in different incarnations of the emails. However, JavaScript is often used to install Locky ransomware. Once installed, this malware can encrypt all of the important files on your computer and then demand that you pay a fee to online criminals to receive the decryption key.

Malicious JavaScript has also been used to install trojans that can steal your Internet banking passwords and other sensitive information.

Both the name of the sender and the name of the person who supposedly told the sender about the missing utility bills appear to be randomly selected and will vary in different versions of the malware emails.

The emails attempt to personalise the messages by using the part of your email address before the “@” symbol as a greeting. This will often be the recipient’s name. So, it may appear at first glance that the sender has personally greeted the recipient and must know him or her.

Like many other recent malware attacks, this one seems to be deliberately targeting businesses and office staff. The criminals no doubt hope that at least a few busy office staff who receive the messages will open the attached file without due care and attention.

Malware on Binary Code Graphic

Last updated: September 7, 2016
First published: September 7, 2016
By Brett M. Christensen
About Hoax-Slayer

xxxxxxx told me you have lost some of the last few months’ utility bills malspam
Locky” ransomware – what you need to know
Malware Threat Articles


Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,