Internet users are getting savvier … slowly but surely. Phishing emails littered with spelling mistakes and grammar errors are getting flagged more often.
However, phishers are still innovative and relentless. What happens when you’re greeted by an email that knows your name and address? Despite the suspicions, the personalized touch grabs your attention.
Here are the kinds of emails UK residents are noticing in their inboxes recently:
Phishing Email Details
The sample phishing emails have some curious characteristics to note.
Let’s start with the obvious… terrible grammar. These emails read like they were part of the original Nigerian scams over a decade ago. While they seem like your classic phishing scam at its finest, the personal information sprinkled throughout the email seems to draw people into the scam. The greeting uses your first name. The referenced file is labeled using your last or family name. Then, to add a shred of credibility, the email notes your home address and postcode.
It’s an interesting play by the phishers. The email itself looks phishy, but the personalized references make viewers wonder how dangerous it could be not to glance at the information in the file.
So What’s in the File?
Spoiler alert: it’s malware!
Victims who open the attachment are prompted for a password which the phishers include in their email. The random passwords really are necessary to open the file.
After entering the given password, the following screen comes up in Microsoft Word:
The thing to notice on this page is the Security Warning. How fitting!
The phishers need you to enable macros in the document for the malware to run. But many computer folk have caught on that macros can be dangerous. So instead of the traditional prompt to enable macros, the phishers have created this page to encourage victims to “Enable Content” and view the data.
This approach appears to be more effective. After all, you’re just agreeing to view the data inside the document. Harmless, right?
When you click on Enable Content, the macros are enabled and the malware starts running. The malware downloads a GIF file (common type of image file).
Once the contents are downloaded (a GIF header followed by scrambled data), everything still looks benign. However, the macro includes decryption routines that pull out the malicious code, unscramble it, and write it to the %TEMP% folder.
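The downloaded file passes a casual glance because it really does start with a GIF header; the giveaway is what sits after the image ends. The following triage check is an added example, not code from the Sophos write-up: it walks the GIF block structure to the 0x3B trailer and reports how many bytes follow it. The sample GIF and the "scrambled" blob appended to it are constructed here, not captured from the campaign.

```python
# Added triage check (not from the Sophos write-up) for the "GIF header plus
# scrambled data" files the macro downloads; sample bytes below are constructed.

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Walk length-prefixed, zero-terminated GIF sub-blocks; return the offset after them."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_trailing_bytes(data: bytes) -> int:
    """Parse the GIF block structure and return the number of bytes after the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        block = data[pos]                  # IndexError here means no trailer was found
        pos += 1
        if block == 0x3B:                  # trailer: the image proper ends here
            return len(data) - pos
        if block == 0x2C:                  # image descriptor
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:             # local colour table present
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x21:                # extension block (label, then sub-blocks)
            pos = _skip_sub_blocks(data, pos + 1)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")

def classify_gif(data: bytes) -> str:
    """Triage verdict: 'clean', 'suspicious: ...', or 'invalid: ...'."""
    try:
        extra = gif_trailing_bytes(data)
    except (ValueError, IndexError) as exc:
        return f"invalid: {exc}"
    # Caveat: some editors append small metadata after the trailer; a large tail is a lead, not proof.
    return "clean" if extra == 0 else f"suspicious: {extra} bytes after GIF trailer"

# Constructed 1x1 GIF89a (global colour table, graphic control extension,
# one image) and a constructed "scrambled" blob appended after its trailer.
CLEAN_GIF = (b"GIF89a" + bytes([1, 0, 1, 0, 0x80, 0, 0]) + bytes([0, 0, 0, 255, 255, 255])
             + bytes([0x21, 0xF9, 4, 0, 0, 0, 0, 0]) + bytes([0x2C, 0, 0, 0, 0, 1, 0, 1, 0, 0])
             + bytes([2, 2, 0x44, 0x01, 0]) + b"\x3B")
SCRAMBLED = bytes(range(256)) * 4
```

Running `classify_gif(CLEAN_GIF + SCRAMBLED)` reports 1024 bytes after the trailer, while the bare sample comes back clean; a file that is not a GIF at all, or that is cut off before its trailer, is reported as invalid.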
SophosLabs wrote the blog post highlighting the phishing scam. When they tested the attack, they found malware dubbed Troj/Agent AURH. This is a type of bot malware that connects the computer to the phishers’ command-and-control network for future tasks.
Sophos reminded readers of the potential consequences of this type of malware:
- The malware is flexible and can be changed according to the victim’s time zone, location, language settings, etc.
- The instructions sent to infected computers (bots) can vary and include downloading additional malware.
After all is said and done, the phishers wipe their hands of the scam with the following note to victims:
It’s natural to see an email like this and be unsure which parts are legitimate and which are scammy. There’s a sense of fear and urgency when the sender knows your personal information like last name and home address.
Most likely, the phishers obtained the personal information as a result of one or more data breaches. However, pinpointing the source of the breach would prove difficult.
Here are a couple of takeaways and best practices from the Sophos team for preventing these types of scams:
Don’t open unsolicited or unexpected attachments. Even if the document claims to be an invoice you don’t owe, or threatens you in some way, don’t let fear or uncertainty get the better of you.
Don’t turn off important security settings (e.g. macros!). As noted above, phishers are always trying new tricks to get you to click the bait. The Enable Content part was sneaky, but not impossible to notice. MS Word turned off macros by default a long time ago to improve security. Unless you’re intentionally using them, keep macros disabled.