Phishing Scenario: Malicious email using current events to push malware
/Popular topics (current events) making headlines in the media will often be used by criminals to push malware. Criminals don’t favor any one topic, so you must assume all topics could potentially be used maliciously. Whether it is a story on a recent natural disaster, political unrest, social issue, famous person, or a company either being successful or having issues, no topics are off limits. This example uses Greta Thunberg’s fame, the fact she was named the Person of the Year for Time magazine, climate change and the recent wave of protests (demonstrations) to push malware. We will go over the example email sent to victims to look at the various warning signs it contained to hopefully protect you and your family from this, and future, attacks.
Have mentioned in several places on this site how criminals will use current events to push malware and this is a perfect example. Here is the email several victims received (according to the Bleeping Computer article: https://www.bleepingcomputer.com/news/security/emotet-malware-uses-greta-thunberg-demonstration-invites-as-lure/)
There are several warning signs here. Can you spot them all?
(The To and From email addresses were removed/redacted, so ignore the weird characters.)
Here are the warning signs (in no specific order):
The use of a Word document to provide you with a “Time and address” for the “biggest demonstration”. The time and address could have been provided in the body of the email. There is no reason to put it in a Word document, especially when you will see what the Word document asked you to do (more on that below).
There are a lot of grammar issues in the email to include random capitalization. Poor grammar doesn’t always mean an email is malicious, but that combined with the other warning signs make it something to be leery of.
The sense of urgency requesting you to forward the email to your colleagues “RIGHT NOW, until you forget!” Using a sense of urgency is a trick criminals always use. They want you to let your guard down. In this instance, it is also a way for your to spread the malware to others, so you are working on their behalf.
It was an unsolicited email. Emails sent to you randomly out of the blue (unsolicited) should always make you pause and analyze the email more closely, but that is even more true when you factor in all the warning signs above.
If you did ignore the warning signs above and continued to download and open the Word document, you would have been presented with this screen:
You should be leery of any Word document, especially an unsolicited email from unknown senders, asking you to “Enable Content” in an Office document (Word, Excel, etc.).
You may be asking, what if the attachment came from someone I know? I would reach out to that person, or company, to confirm they sent the email and ask them why there are macros or special content in the Word document. Do not reach out to the person via email or use any contact information contained within the email. You should assume their account could be compromised and under a hacker’s control, so you would need to reach out to them via phone or other means to discuss the email.
What should you do if you did fall for this phishing scam?
Read our blog post on “What should I do if my device is lost or stolen, if I had malware/a virus on my computer, or if I have fallen victim to a scam?” https://logicalcybersecurity.com/basics/2017/5/30/lost-stolen-compromised-device
The stories below include more information on phishing emails:
Beware of popular trends and current events: https://logicalcybersecurity.com/basics/2017/4/15/beware-of-trends-and-current-events
Phishing Scenario: User infected with ransomware: https://logicalcybersecurity.com/basics/2018/4/2/phishing-scenario-user-infected-with-ransomware