BP Chargemaster's Pulse rebrand let crims send IcedID banking trojan from formerly legit mailboxes

F-Secure confirms nature of email nasty to El Reg

BP Chargemaster, purveyors of sockets for electric vehicles, seemingly had its email domain hijacked by criminals who used formerly legitimate addresses to send banking trojans to customers.

Malware-laden emails were sent from corporate email addresses earlier this month – and their attachments included the IcedID credential-stealing malware.

It appears that a corporate mail server may have been left unattended after BP Chargemaster rebranded as BP Pulse at the start of December 2020. During the rebrand, the BP Chargemaster and Polar websites were replaced by bppulse.co.uk, "to avoid any confusion".

Register reader Matt received some emails from BP Chargemaster which he was certain didn't come from the company.

"I last dealt with BP Chargemaster 2 years ago in relation to fitting a chargepoint for an electric car," Matt told us, showing us copies of legitimate correspondence with an @bpchargemaster[.]com email address.

Yet when he began hearing from that sender again, the emails he received contained text such as "Hello. Attached below requires your attention," urging Matt to open an attached .zip file. Another read: "Please look at the file attached. It must be interesting." Both messages appeared to have been sent from bpchargemaster[.]com email addresses, and Matt reckoned at the time that they had passed Sender Policy Framework (SPF) validation.
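The two points above, a mail domain seemingly left unattended after the rebrand and malicious mail that nonetheless passed SPF, are worth seeing side by side. The following Python is an added example, not code from The Register, BP or F-Secure. It evaluates a simplified SPF policy (ip4/ip6, include and all, as defined in RFC 7208) against a constructed, offline DNS snapshot in place of real TXT lookups, and then audits a list of retired domains for records that still authorise senders. The domain names and IP addresses are assumptions chosen from documentation ranges; the point it demonstrates is that SPF only says whether a host is permitted to send for a domain, so mail relayed through a still-authorised server for a dormant domain passes, and a retired domain should publish the null record `v=spf1 -all` (with a DMARC reject policy alongside it) so receivers can discard anything sent in its name.

```python
import ipaddress

# Constructed DNS snapshot (assumption): stands in for real TXT lookups so the
# example runs offline. "old-brand.example" models a domain that was retired
# after a rebrand but still advertises a permissive SPF record.
DNS = {
    "old-brand.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all"],
    },
    "_spf.mailhost.example": {
        "TXT": ["v=spf1 ip4:203.0.113.10 ~all"],
    },
    "new-brand.example": {
        "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
    "parked.example": {
        "TXT": ["v=spf1 -all"],  # the null record a retired domain should publish
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    records = [r for r in DNS.get(domain, {}).get("TXT", [])
               if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate a simplified SPF policy for a sending IP.

    Supports the ip4, ip6, include and all mechanisms with the four qualifiers.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the referenced policy yields "pass"
            matched = check_spf(value, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched


def audit_retired_domain(domain):
    """Flag a retired domain whose SPF record still authorises senders.

    Returns (is_safe, reason). Safe means the domain publishes exactly
    "v=spf1 -all", so no host is permitted to send mail for it.
    """
    record = lookup_spf(domain)
    if record is None:
        return False, "no SPF record: receivers cannot reject forged mail"
    terms = record.split()[1:]
    if terms == ["-all"]:
        return True, "null SPF record published"
    authorised = [t for t in terms if not t.endswith("all")]
    return False, "still authorises senders: " + " ".join(authorised)


if __name__ == "__main__":
    # Mail relayed through the still-authorised server passes for the dormant domain.
    print(check_spf("old-brand.example", "203.0.113.10"))   # pass
    print(check_spf("old-brand.example", "192.0.2.1"))      # fail
    for d in ("old-brand.example", "parked.example"):
        print(d, audit_retired_domain(d))
```

Running the audit over a company's full domain inventory after a rebrand, rather than only over the domains still in active use, is what surfaces the case this article describes: the old domain keeps its MX, SPF and mailboxes, nobody reads them, and anything sent through the old server still authenticates.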

We asked F-Secure to have a look at the malicious attachment sent to Matt and the firm's Calvin Gan, senior manager in its Tactical Defence Unit, told The Register: "The email is a malspam campaign spreading a new version of the IcedID banking trojan. The zip file contains a malicious Excel spreadsheet which uses the Excel 4.0 macro feature to hide its code."
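A mail gateway or triage script can pre-screen attachments of the kind described above before anyone opens them. The following Python is an added example, not code from F-Secure or from the campaign analysis the article cites. It uses only the standard library: it opens a zip attachment, and for each member that is itself an Office Open XML package it looks for the parts where Excel stores macros (`xl/macrosheets/` for Excel 4.0/XLM macro sheets, `vbaProject.bin` for VBA). Legacy binary OLE2 workbooks (.xls) are only flagged by their signature, since reading their macro sheets needs an OLE parser such as oletools, which this example deliberately avoids. The sample attachment is constructed in memory and contains no real malware.

```python
import io
import zipfile

# Signature of a legacy OLE2 compound document (.xls/.doc), where XLM macros are
# often hidden and where a deeper parser is needed to read them.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def classify_office_blob(name, data):
    """Return a list of findings (strings) for one attachment member."""
    findings = []
    if data.startswith(OLE_MAGIC):
        findings.append(f"{name}: legacy OLE2 document, needs XLM/VBA inspection before delivery")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings                 # not an OOXML package; nothing to say here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            parts = doc.namelist()
    except zipfile.BadZipFile:
        return [f"{name}: corrupt zip container"]
    for part in parts:
        if part.startswith("xl/macrosheets/"):
            findings.append(f"{name}: contains Excel 4.0 macro sheet {part}")
        elif part.endswith("vbaProject.bin"):
            findings.append(f"{name}: contains VBA project {part}")
    return findings


def scan_zip_attachment(zip_bytes):
    """Scan every file inside a zip attachment and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir():
                continue
            findings.extend(classify_office_blob(info.filename, outer.read(info)))
    return findings


def build_sample_attachment():
    """Constructed sample (assumption): a zip holding a workbook with a macro
    sheet, a clean workbook, and a stub with the OLE2 signature."""
    def ooxml(parts):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for p in parts:
                z.writestr(p, "<xml/>")     # placeholder part bodies
        return buf.getvalue()

    macro_doc = ooxml(["[Content_Types].xml", "xl/workbook.xml",
                       "xl/macrosheets/sheet1.xml"])
    clean_doc = ooxml(["[Content_Types].xml", "xl/workbook.xml",
                       "xl/worksheets/sheet1.xml"])
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.xlsm", macro_doc)
        z.writestr("notes.xlsx", clean_doc)
        z.writestr("legacy.xls", OLE_MAGIC + b"\x00" * 64)
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_attachment()):
        print(finding)
```

Two of the three members are flagged; the clean .xlsx produces no finding. In practice the presence of a macro sheet in unsolicited mail is enough to quarantine the message for analyst review, since legitimate correspondence almost never carries Excel 4.0 macros.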

He added that infosec outfit Binary Defense has a recent writeup of the trojan's latest evolution. The company found that, once successfully deployed, the trojan dropped Cobalt Strike beacons, after which the crooks mapped out the network where the nasty had landed. It stated: "IcedID is a formidable threat that makes analysis complex and challenging."

It was first uncovered in 2017 by IBM's X-Force security division, as we reported at the time.

Lost control of the domain

BP Chargemaster publicly admitted that it had lost control of the bpchargemaster[.]com domain, although the domain appears to be showing legitimate BP content at the time of writing. A later message from BP Chargemaster (and not the scammers), forwarded to us by Reg reader John, said:

We are aware that a number of people have received emails that appear to have come from a bp Chargemaster email address. These have not been sent by us.

We no longer actively use email addresses that end in @bpchargemaster.com.

Please treat any emails you may receive from this domain as suspicious.

BP Chargemaster also advised people receiving those emails not to open them or the attachments and said it had informed the Information Commissioner's Office, while it carries out "a detailed investigation".

When asked for comment, a BP Chargemaster spokesman responded with a statement substantially identical to the email sent to customers, and did not elaborate on what had happened inside BP that caused the compromise of its email infrastructure.

F-Secure's Gan commented: "We cannot confirm if BP Chargemaster's infrastructure was compromised but it does look like [their] admittance of no longer actively using the mail address indicates that the mail server could be retired or hidden from the public."

The incident may have some similarities with one affecting London cloud firm Datrix, whose email systems were nearly used to send "several thousand" malicious messages after a staffer fat-fingeredly opened a phishing email back in 2019.

The Information Commissioner's Office was informed of the incident. ®


Biting the hand that feeds IT © 1998–2022