How to identify an email infected with a virus?

Malicious emails are still considered the most effective technique for infecting users with viruses

It is hard to recognize phishing emails

As humanity becomes more and more dependent on technology, and especially the Internet, cyber criminals unite into organized crime groups to carry out fraudulent schemes that swindle money from unsuspecting victims.

While many tend to think that cyber criminals are super-advanced hackers who rely on some special code to break through security systems and even take control of users’ computers remotely, the reality is quite different. In most cases, these criminals are just skilled scammers who use social engineering[1] to trick users into installing malware on their computers.

The heavy use of spam and malware-laden emails is the best evidence of this. Instead of spending long hours on elaborate attack schemes, attackers craft emails that could convince a naive employee to open an attachment and thereby help them compromise the whole company's network.

Prevent ransomware

Such techniques have already proved highly effective. For example, 2017 has been widely acknowledged as the year of ransomware, and the fact[2] that 93% of phishing emails in the first quarter of 2016 carried ransomware shows why it is important to pay attention to email virus examples.

Pay attention to malicious email examples to protect yourself

Indeed, malware emails are so far the most efficient attack vector.[3] Spammers are quick to exploit ongoing events (sporting events, sales, tax season, etc.) and send out hundreds of thousands of themed email messages, although some tricks work all year round. The examples below show phishing emails that are typically used to spread malware.

Hopefully, these email virus examples will help you identify phishing emails in the future and make you more skeptical of emails sent to you by unknown individuals.

Example No. 1: Resume or job applicant emails

Phishing emails that contain an attached resume are usually sent to recruitment specialists, managers or company owners who make hiring decisions. Such emails usually contain just a few lines of text inviting the recipient to open the attached resume.

Scammers typically count on these phishing emails being convincing when they try to infect a particular company or healthcare organization. Such ransomware email examples were mainly used in the CryptoWall 3.0[4], GoldenEye, and Cerber spam campaigns. See some examples of such phishing emails below.

[Image: Malware-laden resume] The picture shows examples of phishing emails that ostensibly deliver someone's resume, which in fact contains malicious code.

Example No. 2: Phishing spyware emails claiming to be from eCommerce giant Amazon

Cyber criminals tend to phish Amazon users with fake emails sent from bogus email accounts that seem legitimate at first sight. Such phishing emails can be used to swindle money from the victim or to deliver a malicious email attachment that carries a serious computer virus.

For instance, scammers used the auto-shipping@amazon.com sender address to send out thousands of emails containing Locky ransomware. Such emails used the subject line “Your Amazon.com Order Has Dispatched (#order_number)” and contained a ZIP attachment, which carried a malicious JS file that, once opened, downloaded the ransomware from a particular website[5].

Below, you can see an example of a malicious email delivering Locky and an example obtained during analysis of the Spora distribution campaign.

[Image: Amazon email scams] Amazon users targeted via phishing emails that deliver ransomware such as Locky or Spora.

Example No. 3: Invoices

Another very successful technique that helped boost the distribution of Locky ransomware involved phishing emails that carried an attachment called “ATTN: Invoice-[random code].” These deceptive emails contained a few lines of text in the message body, asking the victim to “see the attached invoice (Microsoft Word Document).”

The only problem is that the Word document actually contains a malicious script that runs as soon as the Macro function is enabled. An example of the described email virus is provided below.

[Image: Malicious emails distributing Locky] Malicious emails that contain an attached "Invoice" file were used for Locky ransomware distribution.

Example No. 4: Spam that exploits the theme of major sporting events

Love sports? Then you must be aware of sport-themed spam. Lately, researchers from Kaspersky noticed an increase[6] in emails targeting users interested in the European Football Championship, the upcoming World Cups in 2018 and 2022, and the Olympic Games in Brazil.

Such messages carry a malicious ZIP archive that contains a Trojan (a malware downloader) in the form of a JavaScript file. According to experts, the Trojan is designed to download more malware onto the computer. See an example of the malicious message below.

[Image: Malicious spam targeting FIFA fans] Malicious spam targets FIFA fans: this is how an email containing a malicious attachment can look.

Example No. 5: Terrorism-themed spam

Cyber fraudsters do not forget that terrorism is a subject of topical interest. Not surprisingly, this theme is also used in malicious spam. Terrorism-themed spam isn't one of the fraudsters’ favorites; however, you should know what to expect. We provide an example of such an email message below.

Reportedly, this type of spam is generally used to steal personal data, carry out DDoS attacks and spread malware.

[Image: Terrorism-based phishing emails] The picture shows emails that exploit the theme of terrorism.

Example No. 6: Emails providing “security reports”

Researchers detected one more email campaign that distributed malicious Word documents. These documents also contain infectious macros that download and run CryptXXX ransomware as soon as the victim enables the required function. Such emails carry the subject line “Security Breach – Security Report #[random code].”

The message contains the victim’s IP address and the location of the computer, making the victim feel that the message is genuine and trustworthy. It warns the victim about non-existent threats such as security breaches that were ostensibly prevented and suggests checking the report attached to the message. Of course, the attachment is malicious.

[Image: Phishing emails delivering ransomware] Such emails were used to deliver CryptXXX ransomware to victims.

Example No. 7: Malicious spam purportedly sent by legitimate companies

In order to convince the victim to open the file attached to an email, scammers pretend to be someone they’re not. The easiest way to trick the user into opening a malicious attachment is to create a deceptive email account that is almost identical to one owned by a legitimate company.

Using such accounts, scammers attack users with nicely composed emails that carry a malicious payload in an attached file. The example below shows an email sent by scammers who pretended to work at Europcar[7].

[Image: Scammers impersonate Europcar employees] Cyber criminals often pretend to be someone they're not. In this example, you can see how scammers try to push malware while pretending to be Europcar representatives.

The example below shows the messages used in an attack against clients of the A1 Telekom company. These phishing messages included deceptive Dropbox URLs that led to malicious ZIP or JS files. Further analysis revealed that these files contained the Crypt0l0cker virus.

[Image: Mail spam targeting A1 Telekom users] This is an example of malicious email spam aimed at A1 Telekom users. The bogus link in the message points to a file that downloads the Crypt0L0cker ransomware virus.

Example No. 8: Urgent task from your boss

Recently, scammers started using a new trick that helps them swindle money from unsuspecting victims in a few minutes. Imagine that you receive an email from your boss saying that he or she is on holiday and that you need to make an urgent payment to some company, because the boss will be out of reach shortly[8].

Sadly, if you rush to obey the instructions without checking the little details first, you can end up transferring the company's money to a criminal or, even worse, infecting the entire computer network with malware.

Another trick that can convince you to open such a malicious attachment is pretending to be your colleague. This trick might succeed if you work in a big company and do not know all of your colleagues. You can see a couple of examples of such phishing emails below.

[Image: Task from boss spam] Do not rush to follow commands from someone who presents himself or herself as your boss or colleague. Otherwise, you can end up installing malware on the entire computer system or sending money to scammers!

Example No. 9: Tax-themed phishing

Scammers willingly follow the tax schedules of different countries and regions and do not miss a chance to launch tax-themed spam campaigns that distribute malicious programs. They use a variety of social engineering tactics to trick victims into downloading the malicious files that come with these deceptive letters.

Such attachments mostly carry banking Trojans (keyloggers) that, once installed, steal personal information such as the victim’s name, surname, logins, credit card details, and similar data.

The malicious program can lurk in an email attachment or behind a link inserted in the message. Below, you can see an example of an email that delivers a fake receipt for filed taxes, which is actually a Trojan horse.

[Image: Income Tax Receipt virus] Scammers send such emails to trick users into opening a malicious file titled Income Tax Receipt.

Scammers also try to draw the user’s attention and force them to open the malicious attachment by claiming that there is a pending law enforcement action against them. The message says that something needs to be done “regarding the subpoena from irs,” which is attached to the message.

Of course, the attached document isn’t a subpoena; it is a malicious document that opens in Protected View and asks the victim to Enable Editing. Once editing is enabled, the malicious code in the document downloads malware onto the computer.

[Image: Tax Subpoena scam] Such messages are meant to scare the victim and force them to open the attached document in a rush. The document contains a malicious payload.

The final example shows how scammers try to trick accountants into opening malicious attachments. The email seems to come from someone seeking the assistance of a CPA and, of course, it contains an attachment or two.

These are simply typical malicious Word documents that activate a script and download malware from a remote server as soon as the victim opens them.

[Image: Tax Phishing] Such emails are usually sent to accountants. The attached document contains a malicious script that downloads and installs malware on the system.
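The attachment patterns that recur through the examples above (a ZIP that hides a JavaScript downloader in Examples 2 and 4, a Word document carrying a macro in Examples 3, 6 and 9, and a harmless-looking name in front of the extension that actually runs) can be turned into mechanical checks that a mail gateway or an analyst's triage script applies before a human ever double-clicks. The Python below is an added example written for this page, not code from the article or from any vendor it cites. The extension lists are an assumed policy, the file names and in-memory sample attachments are constructed, and legacy binary .doc files are only flagged for sandboxing because inspecting their macros needs a dedicated OLE parser.

```python
"""Attachment triage for the patterns described in the article.

Constructed sample attachments are built in memory so the script runs offline;
none of them contains real malicious content."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists for this example; tune them to your environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".exe", ".scr", ".cmd", ".bat", ".ps1"}
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png", ".xls"}
OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptm"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}


def suffixes(name):
    """Lower-cased list of extensions, e.g. 'Invoice.pdf.js' -> ['.pdf', '.js']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def zip_members(data):
    """Member names of a zip container, or None when the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def inspect_attachment(filename, data):
    """Return a list of risk flags for one attachment; an empty list means no rule fired."""
    flags = []
    exts = suffixes(filename)
    ext = exts[-1] if exts else ""

    if ext in SCRIPT_EXTENSIONS:
        flags.append("script or executable attachment")
        # 'invoice.pdf.js': a mail client that hides known extensions shows 'invoice.pdf'
        if len(exts) >= 2 and exts[-2] in DOCUMENT_LOOKALIKES:
            flags.append("double extension hides the real type")

    if ext == ".zip":
        members = zip_members(data)
        if members is None:
            flags.append("named .zip but not a zip archive")
        else:
            for member in members:
                inner = suffixes(member)
                if inner and inner[-1] in SCRIPT_EXTENSIONS:
                    flags.append(f"archive contains script: {member}")

    if ext in OOXML_EXTENSIONS:
        # OOXML documents are zip containers; a VBA project is stored as vbaProject.bin
        members = zip_members(data)
        if members and any(m.lower().endswith("vbaproject.bin") for m in members):
            flags.append("Office document carries a VBA macro project")

    if ext in LEGACY_OFFICE_EXTENSIONS:
        # Binary OLE formats need a dedicated parser (e.g. oletools); treat as unknown.
        flags.append("legacy Office format: macros cannot be inspected here, sandbox it")

    return flags


def constructed_zip(member_names):
    """Build an in-memory zip with placeholder contents (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, "placeholder content")
    return buf.getvalue()


# Constructed samples mirroring the article's campaigns (file names are made up).
SAMPLES = {
    "Your_Amazon_Order_12345.zip": constructed_zip(["Order_details.js"]),
    "Security_Report_8841.docm": constructed_zip(
        ["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
    "Income_Tax_Receipt.pdf.js": b"// placeholder",
    "holiday_photos.zip": constructed_zip(["beach.jpg"]),
}


def triage(samples=SAMPLES):
    """Map each filename to its flags; only flagged attachments need an analyst's eye."""
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, flags in triage().items():
        print(f"{name}: {'; '.join(flags) or 'no rule fired'}")
```

Run as a script it prints one line per sample; in a gateway you would call inspect_attachment on each MIME part and quarantine anything that returns a non-empty list. The checks deliberately look inside the container rather than trusting the name, since the whole point of the campaigns above is that the name is chosen to look harmless.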

How to identify malicious emails and keep yourself safe?

There are some main principles to live by if you’re trying to avoid malicious emails.

  • Forget the Spam folder. There is a reason why emails land in the Spam or Junk section: the filters have automatically identified that identical or similar emails are being sent to thousands of people, or the vast majority of recipients have already marked such messages as Spam. Legitimate emails fall into this category only in very, very rare cases, so it is better to stay away from the Spam and Junk folders.
  • Check the sender of an email before opening it. If you’re not sure about the sender, do not interact with the contents of the email at all. Even if you have an antivirus or anti-malware program, do not click on links in the message and do not open attached files without thinking. Remember: even the best security programs can fail to identify a brand-new virus if you happen to be one of the first targets its developers chose. If you are not sure about the sender, you can always call the company the sender claims to work for and ask about the email you have just received.
  • Keep your PC security up to date. It is important not to keep old programs on the system because they are usually full of security vulnerabilities. To avoid such risks, enable automatic software updates. Finally, use a good anti-malware program to ward off malicious programs. Remember: only an up-to-date security program can protect your computer. If you use an old one and tend to delay its updates, you plainly allow malicious programs to enter your computer quickly, without being identified and blocked.
  • Find out whether a URL is safe without clicking on it. If the email you received contains a suspicious URL, hover your mouse over it to check its validity, then look at the bottom left corner of your web browser: you should see the real URL you would be redirected to. If it looks suspicious or ends in .exe, .js or .zip, do not click on it!
  • Cyber criminals usually have poor writing skills, so they often fail to compose even a short message without spelling or grammar mistakes. If you notice some, stay away from URLs inserted in the message or files attached to it.
  • Don't rush! If the sender pressingly asks you to open an attachment or a particular link, think twice before doing it. The attached file is likely to contain malware.

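The sender, link and urgency checks in the list above are exactly the kind of thing a mail filter can do before the message reaches a busy inbox. The Python below is an added example written for this page, not code from the article: it parses a constructed “urgent payment from the boss” message (all domains are .test placeholders), compares the From domain with the recipient's own domain and with Reply-To, flags a subject that pushes urgency, and reports links whose visible text names one host while the href goes to another or ends in a script or archive extension. It assumes the recipient's address is on the organization's own domain, which is what makes a look-alike sender domain detectable.

```python
"""Header and link checks for a raw RFC 5322 message.

The messages below are constructed for this example; the hostnames are placeholders."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_URL_SUFFIXES = (".exe", ".js", ".zip", ".scr")
URGENCY_WORDS = ("urgent", "immediately", "asap", "right now")

# Constructed sample: a "boss on holiday" payment request with a look-alike link.
SAMPLE_EML = """\
From: "Jane Boss" <jane.boss@examplecorp-mail.test>
Reply-To: quickpayments@webmail-free.test
To: accounts@examplecorp.test
Subject: URGENT payment before I lose signal
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I'm on holiday and out of reach shortly. Please pay the attached invoice today.</p>
<p>Invoice: <a href="http://examplecorp.test.invoice-portal.test/inv.zip">https://examplecorp.test/invoices/4471</a></p>
</body></html>
"""

# Constructed benign message for comparison.
CLEAN_EML = """\
From: "Jane Boss" <jane.boss@examplecorp.test>
To: accounts@examplecorp.test
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""


def domain_of(address):
    """Bare domain of an e-mail address ('user@Host.test' -> 'host.test')."""
    _, _, dom = address.rpartition("@")
    return dom.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """Hostname a reader would see in link text, or None if the text is not URL-like."""
    if "://" not in text and not text.startswith("www."):
        return None
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname


def check_message(raw):
    """Return risk flags for a raw message string; an empty list means no rule fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = domain_of(msg["From"].addresses[0].addr_spec)
    to_domain = domain_of(msg["To"].addresses[0].addr_spec)
    # A sender domain that differs from ours but embeds our first label is a look-alike.
    own_label = to_domain.split(".")[0]
    if from_domain != to_domain and own_label in from_domain:
        flags.append(f"sender domain looks like a look-alike of {to_domain}: {from_domain}")
    reply_to = msg["Reply-To"]
    if reply_to and domain_of(reply_to.addresses[0].addr_spec) != from_domain:
        flags.append("Reply-To goes to a different domain than From")
    subject = str(msg["Subject"] or "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        flags.append(f"subject pushes urgency: {subject}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host = urlparse(href).hostname or ""
            shown_host = host_in_text(text)
            if shown_host and shown_host != real_host:
                flags.append(f"link text shows {shown_host} but points to {real_host}")
            if urlparse(href).path.lower().endswith(RISKY_URL_SUFFIXES):
                flags.append(f"link downloads a file: {href}")
    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, check_message(raw) or "no rule fired")
```

The link check reproduces the “hover before you click” advice programmatically: the visible text and the real destination are compared as hostnames, so a link that merely looks like it goes to the company's site is caught even when the display text is a full URL. The Reply-To comparison is worth keeping separately from the From check, because a spoofed From address can pass a casual glance while the address that actually receives the reply belongs to the attacker.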
About the author

Olivia Morelli, Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
