Beware of a new Vodafone email scam knocking around Ireland

3 Aug 2017

Image: Gustavo Frazao/Shutterstock

ESET has discovered a new email scam doing the rounds that tricks Vodafone customers into downloading the dreaded Nemucod trojan.

Another day, another email scam that uses a bit of social engineering to attract prey.

This time it’s Vodafone customers in the firing line, with a fake bill being sent around with the Nemucod trojan hidden at the back.

Future Human

Ireland is one of the most successful hunting grounds for Nemucod, with Eset finding a 50.42pc detection rate in the country.

Considering the global average is just 15.82pc, that’s quite the figure.


Nemucod is used for further downloading of all kinds of malware, ranging from ransomware to backdoors and banking trojans.

In this instance, the scam targets Microsoft users in particular, and is relatively well disguised as the virus is hidden in plain sight.

Clicking on the ‘Click here to view your bill’ link downloads a ZIP file called ‘Vodafone’, which in turn contains a JavaScript file called ‘Vodafone bill.js’.

Vodafone scam. Image: Eset Ireland

Vodafone scam. Image: Eset Ireland

As ESET’s Urban Schrott and Ciaran McHale write: “Because most Windows users have file extensions turned off by default, many fail to spot this is a JavaScript file, one of the very common vectors for the cyber-criminals to deliver their malicious payloads.”

“The code is heavily obfuscated but, once activated, it proceeds to download the Nemucod trojan, which is used for further downloading all kinds of malware, ranging from ransomware to backdoors and banking trojans.”

ESET noted a similar email scam earlier this summer, where Vodafone was substituted with BT.

Caution, everyone

“ESET Ireland urges caution when receiving emails like these and avoiding clicking on unverified links or opening attachments downloaded from them,” said the duo.

Vodafone also offers several online security tips on its website, which can help spot cyber-criminal activity and prevent people falling victim to it.

The Nemucod ransomware is one of the most malicious around and accounts for high percentages of viruses in many nations across Europe, North America and Asia – but Ireland is by far one of the most affected.

Discovered towards the end of 2015, Nemucod acts as a trojan, using infected attachments sent to a person and, when opened, encrypts the victims’ files on their PCs.

Whoever has instigated the ransomware will then demand payment for the return of the files, typically done through bitcoin transactions, where there is little to no traceability.

To make matters worse, the ransomware typically used is either TeslaCrypt or Locky, which both have encryption standards similar to those used by financial institutions when securing online payments.

Gordon Hunt was a journalist with Silicon Republic