Email scams and phishing attacks are becoming more complex and harder to detect every day. Cyber-criminals are getting smarter and using new ways to trick their victims. One of the latest techniques is just downright nasty.
This new phishing attack vector was reported this week by Barkly. Users at one of their customers began receiving emails from known contacts they had at other organizations. These emails appeared to be replies to an existing email thread, where users of the two organizations had been emailing back and forth.
The message in the email was short, giving the user few chances to spot red flags. And when it comes from a known source, it is even harder to detect! The goal was to have the end user open the Word attachment and follow the instructions to enable macros.
So what happened if they fell for it?
If the user was unlucky enough to have opened the attachment and enabled macros, then they were infected with a variant of Ursnif, one of the most active and widespread banking trojans in the world. Investigation into the attack showed that the Word document contained a macro that launched PowerShell when activated, which in turn downloaded the Ursnif payload.
Ursnif then steals the victim's credentials in a variety of ways.
And to make matters worse, the cyber criminals then use the email accounts of the victims to spread the infection by sending out more emails. Yikes!
So what can you do about it?
- Make sure you have a strong antivirus/spam filter in place to stop these emails from even reaching your users’ inboxes.
- Disable MS Office macros network-wide if possible.
- Configure the endpoint security software on the workstation to catch malicious attachments.
- Check your firewall rules to make sure this type of attachment is flagged as potentially dangerous.
- Educate your end users about these newest attacks.
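The chain described above, a Word macro starting PowerShell, leaves a process-creation pattern that endpoint tooling can alert on. The following is an added example, not code from Barkly or the original post: it assumes process-creation events exported as JSON lines with Sysmon Event ID 1 field names, runs on constructed sample events, and goes beyond the case in the text by also covering other Office applications, other script hosts and indirect (grandchild) launches.

```python
import json
import ntpath

# Assumed watch lists; extend them to match your environment.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample events, oldest first (field names follow Sysmon Event ID 1).
SAMPLE_LOG = r'''
{"ProcessGuid":"{A1}","ParentProcessGuid":"{A0}","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WINWORD.EXE /n request.doc"}
{"ProcessGuid":"{A2}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"cmd.exe /c <constructed placeholder>"}
{"ProcessGuid":"{A3}","ParentProcessGuid":"{A2}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"powershell.exe <constructed placeholder>"}
{"ProcessGuid":"{B1}","ParentProcessGuid":"{A0}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe"}
{"ProcessGuid":"{C1}","ParentProcessGuid":"{C0}","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell.exe <constructed placeholder>"}
this line is truncated {"ProcessGuid":
'''

def exe(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()

def find_office_script_chains(lines):
    lineage = {}  # ProcessGuid -> Office application the process descends from
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the scan
        image, guid = exe(ev.get("Image")), ev.get("ProcessGuid")
        if image in OFFICE:
            lineage[guid] = image
            continue
        # Prefer tracked lineage; fall back to ParentImage when the Office
        # process started before logging began.
        parent = exe(ev.get("ParentImage"))
        origin = lineage.get(ev.get("ParentProcessGuid")) or (parent if parent in OFFICE else None)
        if origin is None:
            continue
        lineage[guid] = origin  # descendants inherit the Office origin
        if image in SCRIPT_HOSTS:
            alerts.append({"origin": origin, "process": image, "guid": guid,
                           "command_line": ev.get("CommandLine", "")})
    return alerts

if __name__ == "__main__":
    for alert in find_office_script_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

The PowerShell session started from explorer.exe is not flagged, so ordinary administrative use stays quiet while anything descending from an Office process is reported.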
As always – THINK BEFORE YOU CLICK!!