Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 17 October 2013

Alert: Fake Barclays email leads to banking trojan

This lovely little bit of maliciousness just arrived in my inbox and, for a change, isn't a phishing scam. Instead, it links to a banking trojan housed on Amazon's EC2 platform.



The image is the only thing displayed in the email (for those of you who still have HTML email enabled; you really should be using plain text only, folks!), and it links to:

WARNING: FILE IS A TROJAN!!!!, NO CLICKITY ACTION UNLESS YOU KNOW WHAT YOU ARE DOING PLEASE!

hxxps://s3-us-west-2.amazonaws.com/ffg4t4/Co-operative_Safeguard.exe

MD5: 0f285aef13f5aa65487036019d5b6e38
SHA1: 9623e81b516995155d6584dd07bcfdc873f5a601
SHA256: baceb49fa853b536f460703f081c8ce05cd5a16403ad8b70de0a2cfe1a50d731

Sadly, only 3 detections are showing on VT for this at the time of writing.

The headers for this one are:

Return-Path: <security@co-operative.co.uk>
Delivered-To: <[REMOVED]>
Received: from controller2.emailconfig.com ([109.68.33.145])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id QQJhG2uGYFK0VgAAZ1oeBA
    for <[REMOVED]>; Fri, 18 Oct 2013 07:19:25 +0100
Return-Path: <security@co-operative.co.uk>
Received: from mailserver2.emailconfig.com ([109.68.33.147])
    by controller2.emailconfig.com (Dovecot) with LMTP id 24VhE41tYFI2EwAAH46cUA
    ; Fri, 18 Oct 2013 07:19:25 +0100
X-Spam-Flag: YES
X-Spam-Score: 2.362
X-Spam-Level: **
X-Spam-Status: Yes, score=2.362 tagged_above=-9999 required=1.3
    tests=[BAYES_05=-0.5, HTML_IMAGE_ONLY_12=2.059, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_1=0.001, MPART_ALT_DIFF=0.79,
    RCVD_IN_DNSWL_NONE=-0.0001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001]
    autolearn=no
Received: from p3plsmtpa09-02.prod.phx3.secureserver.net (p3plsmtpa09-02.prod.phx3.secureserver.net [173.201.193.231])
    by mailserver2.emailconfig.com (Postfix) with ESMTP id A89304C050F
    for <[REMOVED]>; Fri, 18 Oct 2013 07:19:24 +0100 (BST)
Received: from xza3 ([168.61.24.93])
    by p3plsmtpa09-02.prod.phx3.secureserver.net with
    id eWKM1m00X20WsiG01WKPcm; Thu, 17 Oct 2013 23:19:23 -0700
x-spam-cmae: v=2.0 cv=atZs/1lV c=1 sm=1 p=miGKQwDS5fvxS68D:21
    a=Gr/uMxE52D6c40cXNo6YQw==:17 a=268azE3ZuWQA:10 a=Eeb08FW8mmMA:10
    a=EbKJ-zwr8X8A:10 a=M8Rd8IaqAAAA:8 a=g6oVcqyqMw4A:10 a=zSRKy_izAAAA:8
    a=njwu2AU39EesGh8cbpQA:9 a=wPNLvfGTeEIA:10 a=WT9NgGiw_BEA:10
    a=POmh68JVvv0A:10 a=w5t1Vozl0l2GyijLDsUA:9 a=_W_S_7VecoQA:10
    a=Gr/uMxE52D6c40cXNo6YQw==:117
x-spam-account: ma844@vrnmtnef32982.com
x-spam-domain: vrnmtnef32982.com
From: "The Co-operative Bank" <security@co-operative.co.uk>
Subject: The Co-operative Bank Security Module
To: [REMOVED]
Content-Type: multipart/alternative; boundary="uo4gwIAL9R7TXK=_WQ9msmDvC6vwWm595u"
MIME-Version: 1.0
Reply-To: security@co-operative.co.uk
Date: Fri, 18 Oct 2013 06:19:23 +0000
Message-Id: <20131018061921C32741A96F$1A61A32843@XZA>
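The headers above carry the two things a defender actually wants from a sample like this: the relay chain (read bottom-up, since each relay prepends its own Received: line), and the SpamAssassin verdict, which here only just cleared the required=1.3 threshold. The script below is an added example, not part of the original post; it walks an abridged copy of the post's own headers (recipient removed, x-spam-cmae and MIME headers dropped) to list the hops oldest-first, to check whether the claimed sender domain ever appears in the transit path, and to confirm the per-test scores add up to the reported score. Function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an abridged copy of the headers quoted in the post.
RAW_HEADERS = """\
Return-Path: <security@co-operative.co.uk>
Received: from controller2.emailconfig.com ([109.68.33.145])
    by mailserver2.emailconfig.com (Dovecot) with LMTP id QQJhG2uGYFK0VgAAZ1oeBA
    for <[REMOVED]>; Fri, 18 Oct 2013 07:19:25 +0100
Received: from mailserver2.emailconfig.com ([109.68.33.147])
    by controller2.emailconfig.com (Dovecot) with LMTP id 24VhE41tYFI2EwAAH46cUA
    ; Fri, 18 Oct 2013 07:19:25 +0100
X-Spam-Flag: YES
X-Spam-Score: 2.362
X-Spam-Status: Yes, score=2.362 tagged_above=-9999 required=1.3
    tests=[BAYES_05=-0.5, HTML_IMAGE_ONLY_12=2.059, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_1=0.001, MPART_ALT_DIFF=0.79,
    RCVD_IN_DNSWL_NONE=-0.0001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001]
    autolearn=no
Received: from p3plsmtpa09-02.prod.phx3.secureserver.net (p3plsmtpa09-02.prod.phx3.secureserver.net [173.201.193.231])
    by mailserver2.emailconfig.com (Postfix) with ESMTP id A89304C050F
    for <[REMOVED]>; Fri, 18 Oct 2013 07:19:24 +0100 (BST)
Received: from xza3 ([168.61.24.93])
    by p3plsmtpa09-02.prod.phx3.secureserver.net with
    id eWKM1m00X20WsiG01WKPcm; Thu, 17 Oct 2013 23:19:23 -0700
From: "The Co-operative Bank" <security@co-operative.co.uk>
Subject: The Co-operative Bank Security Module
Reply-To: security@co-operative.co.uk

"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _flatten(value):
    # Unfold a header value: join continuation lines and squeeze whitespace.
    return " ".join(value.split())


def received_chain(raw):
    """Hops as (from_host, from_ip, by_host), oldest hop first.

    Each relay prepends its own Received: line, so the last one in the
    message is the first hop the mail actually took."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        v = _flatten(value)
        from_m = re.match(r"from\s+(\S+)", v)
        by_m = re.search(r"\bby\s+(\S+)", v)
        ip_m = _IP_RE.search(v)
        hops.append((from_m.group(1) if from_m else None,
                     ip_m.group(1) if ip_m else None,
                     by_m.group(1) if by_m else None))
    return list(reversed(hops))


def originating_hop(raw):
    """The earliest hop: the host that handed the mail to the first relay."""
    chain = received_chain(raw)
    return chain[0] if chain else None


def claimed_sender_domain(raw):
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rpartition("@")[2].lower()


def sender_domain_in_path(raw):
    """True if any relay in the chain belongs to the domain named in From:."""
    domain = claimed_sender_domain(raw)
    return any(h is not None and h.lower().endswith(domain)
               for hop in received_chain(raw) for h in (hop[0], hop[2]))


def spam_tests(raw):
    """Per-rule scores from X-Spam-Status, e.g. {'BAYES_05': -0.5, ...}."""
    status = _flatten(message_from_string(raw)["X-Spam-Status"])
    m = re.search(r"tests=\[(.*?)\]", status)
    tests = {}
    if m:
        for item in m.group(1).split(","):
            name, _, score = item.strip().partition("=")
            tests[name] = float(score)
    return tests


def spam_verdict(raw):
    """(reported score, required threshold, flagged?) from X-Spam-Status."""
    status = _flatten(message_from_string(raw)["X-Spam-Status"])
    score = float(re.search(r"score=(-?[\d.]+)", status).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", status).group(1))
    return score, required, score >= required


def spam_score_consistent(raw):
    """Do the individual rule scores add up to the reported total?"""
    score, _, _ = spam_verdict(raw)
    return round(sum(spam_tests(raw).values()), 3) == score


if __name__ == "__main__":
    for from_host, ip, by_host in received_chain(RAW_HEADERS):
        print(f"{from_host} [{ip}] -> {by_host}")
    print("claimed sender domain in path:", sender_domain_in_path(RAW_HEADERS))
    print("spam verdict (score, required, flagged):", spam_verdict(RAW_HEADERS))
```

Run against these headers, the chain starts at xza3 [168.61.24.93] handing off to a secureserver.net relay, and no hop belongs to co-operative.co.uk even though From:, Return-Path: and Reply-To: all claim it; that mismatch, rather than the marginal spam score, is the signal worth alerting on.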
