Spoofed Companies House Secure Form Contains Banking Trojan

The following is an example of an email containing the subject of “Companies House secure form” pretending to come from Companies House but actually from a spammer.  The email attachment contains a banking trojan.  The domain name is also new, and only registered in December 2017.

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment.

Some of the message details state “This message has been generated by Companies House Secure Form” and “Note: Attached documents are encrypted with a unique Private Key” see below image for the full message text.

The email appears to be from [email protected]

It contains an attachment called Secure_Form.doc this file contains a banking trojan.

Domain Name Information

Domain: governmentforms.org
Registrar: Todaynic.com, Inc.
Registration Date: 2017-12-20
Expiration Date: 2018-12-20
Updated Date: 2017-12-20
Status: clientTransferProhibited serverTransferProhibited
Name Servers:

Subdomains linked to this include (they contain malware do not visit them !) :-

  • mta5.companieshouse.governmentforms.org
  • mta11.companieshouse.governmentforms.org

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: