Scammers come up with new ways to fool people into letting them into systems or handing over money every single day. They will employ whatever methods they can to trick people into thinking they are a legitimate business, a friend, or someone trying to help. A recent scam email targeted at UK residents actually knew the victim’s name and home address and used these in an attempt to fool them.
Overall, more people have become better at identifying scam emails, whether by wrong email addresses, misspellings, or offers that seem too good to be true. But in this recent email, the scammer poses as a do-gooder who was mistakenly sent leaked information about you and is forwarding it to you out of the goodness of their heart, which of course only masks their real motive. They provide the person’s home address as proof that they hold information about them. They also attach a file titled “yoursurname.dot,” which supposedly contains the personal information, and provide a password for this file.
The trick of this scam is that, at first glance, it obviously appears to be a scam due to the spelling and grammatical errors, but it can then appear to have some truth to it, given that the sender knows both your first and last name as well as your exact address. It makes someone wonder what other data could be in the file and whether this is serious enough that it should be opened.
The Contents of the Scam File
Once the person does open the file, Word prompts for a password, as the scammer mentioned. The password is randomly chosen for each recipient, and only the one contained in the email will open the file. The goal of the scam at this point is to convince you to enable macros within Word, which are essentially code stored within the file. The way they get you to do this is quite clever: the document displays a help page that appears to be legitimate and tells you to click “enable editing” to see the contents, which allows it to execute its malicious instructions. At this point, it downloads what appears to be a harmless GIF file, which the macros then decrypt, creating a file containing executable code. The end result is a strain of bot or zombie malware. This type of malware then calls home to a command and control (C&C) server to obtain instructions on what to do next.
There are a couple of other clever aspects of this malware as well. For instance, if it gets an unexpected response when it attempts to download the fake GIF, it assumes the download was blocked by anti-virus or a firewall and attempts to get the person to disable these. The other trick is to hide what has been done by stating that the file is corrupted and cannot be displayed, which actually means it has installed its payload.
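One defensive check suggested by the fake-GIF stage: a mail or web gateway, or a sandbox watching the macro's download, can verify that a file served as an image actually carries a GIF header and trailer rather than an opaque encrypted blob. This is an added example written for this post, not code from the original article or from Massive Alliance; the function names are assumed and the sample bytes are constructed.

```python
import math
from collections import Counter

GIF_HEADERS = (b"GIF87a", b"GIF89a")
GIF_TRAILER = b";"          # a well-formed GIF ends with the 0x3B trailer byte
PE_HEADER = b"MZ"           # DOS/PE stub that starts a Windows executable

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted payloads sit near the maximum of 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_gif_download(data: bytes) -> dict:
    """Findings for a download that was served as image/gif (assumed helper name)."""
    findings = {
        "header_ok": data.startswith(GIF_HEADERS),
        "trailer_ok": data.endswith(GIF_TRAILER),
        "embedded_pe": PE_HEADER in data[:64],
        "entropy": round(shannon_entropy(data), 2),
    }
    # Flag when the bytes do not look like an image at all, or carry a PE stub.
    findings["suspicious"] = (not findings["header_ok"]
                              or not findings["trailer_ok"]
                              or findings["embedded_pe"])
    return findings

# Constructed samples (not real files): a minimal GIF-like image, and an opaque
# blob of the kind a macro fetches under an image name and decrypts afterwards.
GENUINE_LOOKING_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b"\x00" * 16 + b";"
FAKE_GIF_PAYLOAD = bytes((i * 97 + 13) % 256 for i in range(256))  # every byte value once

def scan_samples() -> dict:
    """Verdict per sample: True means the 'GIF' should be held for review."""
    return {name: inspect_gif_download(blob)["suspicious"]
            for name, blob in (("genuine", GENUINE_LOOKING_GIF),
                               ("fake", FAKE_GIF_PAYLOAD))}

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE_LOOKING_GIF), ("fake", FAKE_GIF_PAYLOAD)):
        print(name, inspect_gif_download(blob))
```

The entropy figure is reported rather than thresholded because short samples cannot reach high entropy; the header and trailer checks carry the verdict.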
Protecting Your Organization with Threat Intelligence Feeds
There is a wide variety of threats and attackers out there, and it is critical that an organization stay aware of and alert to them. Cyber security has reached a point where it must be far more proactive and predictive than before, which is where threat intelligence feeds provide the greatest assistance. A feed relays intelligence about patterns and indicators of threats and actors around the web, which allows organizations to defend against them before an attack is launched. Massive Alliance can help bolster an organization’s cyber security with comprehensive threat intelligence feeds.