
Email phishing tactic launches HR comeback

by
23rd Nov 2015

With eyes still heavy from blissful sleep, we at AccountingWEB towers received a vaguely believable email scam this morning – so beware!

The email doing the rounds comes with a sender address that borrows your own domain name. AccountingWEB’s, for instance, read ‘[email protected]’ and was accompanied by the subject line ‘employee documents’.

Our particular version of the email’s attachment takes the form of an Excel spreadsheet. Initial assessments show a keylogging component, meaning the malware records your keystrokes to harvest data such as your bank, PayPal or other financial details, along with your email or social media log-in details.

“Very high proportions are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers,” reports MyOnlineSecurity.co.uk.

The actual attachment is just the start of the attack. Once downloaded, an .exe file is installed on your computer. Paul Ducklin from Sophos Labs explains: “You’re only ever faced with an innocent-looking document, which you could be forgiven for opening, especially if you routinely receive and process documents sent in by customers, suppliers, colleagues and others.

“But the malware writer ends up with a full-strength executable file installed – a malicious program that will keep on running in the background not only after you close the downloader document, but even when you logout or reboot.”

These types of scams seem to be in vogue, with another notable scam utilising fake terror alerts from UAE law enforcement agencies like the Dubai Police Force. The aim is the same: to trick people into downloading a dodgy email attachment.

“The emails come with two attachments, one of which is a PDF file that is not actually malicious but acts as a decoy file,” explains Lionel Payet, threat intelligence officer at cyber security firm Symantec. “The malware resides in the other attachment, an archive .jar file. Further analysis of the malware confirms that the cybercriminals behind this campaign are using a multi-platform remote access Trojan (RAT) called Jsocket (detected as Backdoor.Sockrat).”

Scams like these were known, back in the day, as ‘macro malware’, and they are quite a throwback to the web’s more primordial days: the malicious code is embedded as a macro inside a document for an application like Excel or Word. A famous (or infamous) example was the ‘Melissa virus’ in 1999.

The macro malware revival is because “[s]imply put, we’ve got over our fear of macro viruses because they’ve been off the menu for years,” writes Ducklin.

The good news about these scams is that they are easy to avert if you remain aware. AccountingWEB’s IT support encouraged us to “please be cautious when opening emails/attachments” and “if you receive spam please mark it as spam to improve Google spam filtering”.

AccountingWEB's IT support manager James Comley offers the following tips:

  • Always be cautious and carefully read the email to ensure its content is accurate before replying
  • Check that the display name on the “from” address matches the address in the email headers
  • Check the reply-to address
  • If in doubt, pick up the phone and contact the sender, but not using any phone numbers given in the suspect email
  • Ensure you have up-to-date antivirus with real-time protection and scheduled scans
  • Ensure web browsers, operating systems and things like Adobe Flash are up to date. Certain viruses will take advantage of known security vulnerabilities.

Another helpful tip is to read the full e-mail headers. When you receive an e-mail, you usually only pay attention to the “from” field. But under the hood there is a lot more information, which “records the specific path the message follows as it passes through each mail server”. This sounds complicated, but it’s relatively simple. Both Microsoft and Google provide comprehensive, helpful how-to guides.
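The header checks from the list above (display name versus address, reply-to address, and the path recorded in the Received: lines) can be done by hand, but a short script makes the comparison repeatable. The following Python is an added example, not code from the article or from AccountingWEB’s IT team; the message it inspects is constructed for the example, and its domains and IP addresses are documentation placeholders (example.com stands for your own domain, example.net for the sender’s real one).

```python
"""Inspect raw e-mail headers for the mismatches the article's checklist
describes: From display name vs. address, Reply-To and Return-Path vs.
From, and the Received: chain that records each mail server the message
passed through. Added example; the sample message is constructed and
uses placeholder domains and addresses."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: From claims the recipient's own domain (example.com),
# but Reply-To, Return-Path and the originating hop all point elsewhere.
SAMPLE_RAW = """\
Received: from relay.example.net (relay.example.net [198.51.100.7]) by mx.example.com with ESMTP; Mon, 23 Nov 2015 08:02:11 +0000
Received: from unknown (HELO relay.example.net) ([203.0.113.44]) by relay.example.net; Mon, 23 Nov 2015 08:02:09 +0000
Return-Path: <bounce@example.net>
From: "HR" <hr@example.com>
Reply-To: hr-files@example.net
To: staff@example.com
Subject: employee documents
Content-Type: text/plain

Please see the attached employee documents.
"""


def _domain(addr):
    """Domain part of an e-mail address, lower-cased; '' if there is none."""
    return addr.rpartition("@")[2].lower()


def header_domain(msg, name):
    """Domain of the first address in header `name`, or None if absent."""
    value = msg.get(name)
    if value is None:
        return None
    return _domain(parseaddr(str(value))[1]) or None


def received_chain(msg):
    """Received: hops oldest-first. Each relay prepends its own header, so the
    top of the message is the last hop; reversing gives the path the message
    actually travelled. Whitespace is normalised for easier matching."""
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def originating_host(hop):
    """The host named after 'from' in a Received: line ('' if unparseable)."""
    m = re.match(r"from\s+(\S+)", hop)
    return m.group(1).lower() if m else ""


def analyse(raw):
    """Return a dict with the From domain, the hop list and a list of findings."""
    msg = message_from_string(raw, policy=default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    findings = []

    # 1. A display name that embeds a different address is a common lure.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        findings.append(f"display name shows {m.group(0)} but address is {from_addr}")

    # 2. Reply-To and Return-Path normally match the From domain.
    for name in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, name)
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")

    # 3. Oldest Received: hop. Heuristic only: outsourced mail platforms make
    #    legitimate mismatches common, so treat a hit as a prompt to look closer.
    hops = received_chain(msg)
    if hops:
        origin = originating_host(hops[0])
        if not origin.endswith(from_dom):
            findings.append(f"first hop is from {origin!r}, not {from_dom}: {hops[0]}")

    return {"from_domain": from_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE_RAW)
    for hop in result["hops"]:
        print("hop:", hop)
    for finding in result["findings"]:
        print("check:", finding)
```

Paste the raw message source (the “show original” or “view message source” option in most mail clients) into `SAMPLE_RAW`, or read it from a file, and the script prints the relay path oldest-first followed by each mismatch it found. None of the three checks is proof of a scam on its own; together they give a quick, consistent version of the manual checklist.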

Replies (4)


By Tim Vane
23rd Nov 2015 14:46

Sorry but your post is not clear. Are you saying that modern virus scanners like Sophos will not detect this threat because it is old tech? That does seem like rather an oversight by the anti-virus makers. I had certainly assumed that my AV software (not Sophos) would detect a malicious macro like this.

Thanks (0)
Replying to Paul Crowley:
By Francois Badenhorst
23rd Nov 2015 15:56

Nope, not an oversight.

Sorry if I was unclear! 

Actually, our own IT support manager said that running anti-virus checks is in fact one of the best ways to combat this. So the issue isn't really with the anti-virus. The point is though, if one absent-mindedly opens the dodgy email attachment you're letting the malware in through the front door. Having an anti-virus scanner doesn't mean, for instance, that I should go around looking for trouble.

You're also blessed, Tim, in that it sounds like you're knowledgeable about this type of thing. Some aren't so fortunate. 

Thanks (0)
By Paul Scholes
23rd Nov 2015 16:06

Thanks

Arrived this morning and, as I've been testing some HR software, I was a split second from opening the Excel file.


Thanks (0)
Replying to richard thomas:
By Francois Badenhorst
23rd Nov 2015 16:07

Same here

Had to do a double take. Young employee sees an email from "HR". They're very sneaky!

Thanks (1)