How to identify an email infected with a virus?

by Olivia Morelli

Spam and phishing are the two most effective techniques criminals use to collect their ill-gotten gains

It is hard to recognize phishing emails

As humanity becomes more and more dependent on technology, and especially on the Internet, we see cyber criminals uniting into organized-crime groups that work hard to carry out malicious schemes to swindle money from unsuspecting victims. In fact, some experts believe that disorganized crime has already ceased to exist.

While many tend to think that cyber criminals are super-advanced hackers who know how to use code to break through security systems and even take control of users’ computers remotely, the reality is quite different. In most cases, these cyber criminals are simply skilled scammers who use social engineering[1] methods to trick users into installing malware on their computers.

The use of spam and phishing to spread malware is the best evidence of this, and it can fairly be described as a logical evolution of cybercrime. There is no need to spend hours designing an elaborate attack when all it takes to compromise a computer network is to convince one naive employee to open an email attachment that looks like someone’s resume.

Such techniques have proved highly effective and have considerably accelerated the distribution of malware. For example, 2016 is widely acknowledged as the year of ransomware, and the fact[2] that 93% of phishing emails in the first quarter of 2016 carried ransomware simply proves it.

Clearly, there are reasonable grounds to believe that the extent of spam and phishing in 2017 will reach even greater numbers.

Malware-laden emails are so far the most effective attack vector[3]. Spammers are quick to exploit current events (sporting events, sales, tax season, etc.) and send out hundreds of thousands of themed email messages, although some tricks work all year round. The examples below show the kinds of phishing emails typically used to spread malware.

Hopefully, these examples will help you identify phishing emails in the future and make you more skeptical of emails sent to you by unknown individuals.

Examples of malicious spam

Example No. 1: Resume or job applicant emails

Phishing emails with an attached resume are usually sent to recruitment specialists, managers or company owners who make hiring decisions. Such emails usually contain just a few lines of text inviting the recipient to open the attached resume. Scammers typically rely on these emails when trying to infect a particular company or healthcare organization. Such emails were mainly used in the CryptoWall 3.0[4], GoldenEye, and Cerber spam campaigns. See some examples of such phishing emails below.

Example No. 2: Phishing emails claiming to be from eCommerce giant Amazon

Cyber criminals tend to phish Amazon users with fake emails sent from bogus email accounts that seem legitimate at first sight. Such phishing emails can be used to swindle money from the victim or to deliver a malicious email attachment that carries a serious computer virus.

For instance, scammers used the auto-shipping@amazon.com email address to send out thousands of emails carrying Locky ransomware. These emails used the subject line “Your Amazon.com Order Has Dispatched (#order_number)” and contained a ZIP attachment holding a malicious JS file that, once opened, downloaded the ransomware from a particular website[5].

Below, you can see an example of a malicious email delivering Locky and an example obtained during analysis of a Spora distribution campaign.

Amazon email scams

Example No. 3: Invoices

Another very successful technique that helped to boost the distribution of Locky ransomware involved phishing emails that carried an attachment called “ATTN: Invoice-[random code].” These deceptive emails contained a few lines of text in the message field, asking the victim to “see the attached invoice (Microsoft Word Document).”

The only problem is that the Word document actually contains a malicious script that is activated through Word macros. An example of the described phishing email is provided below.

Malicious emails distributing Locky

Example No. 4: Spam that exploits the theme of major sporting events

Love sports? Then you must be aware of sport-themed spam. Lately, researchers from Kaspersky noticed an increase[6] in emails targeting users interested in the European Football Championship, the upcoming World Cups in 2018 and 2022, and the Olympic Games in Brazil.

Such messages carry a malicious ZIP archive containing a Trojan (a malware downloader) in the form of a JavaScript file. According to experts, the Trojan then downloads further malware onto the computer. See an example of the malicious message below.

Malicious spam targeting FIFA fans

Example No. 5: Terrorism-themed spam

Cyber fraudsters have not forgotten that terrorism is a subject of topical interest, so, not surprisingly, this theme is also used in malicious spam. Terrorism-themed spam is not one of the fraudsters’ favorites; however, you should know what to expect. We provide an example of such an email message below.

Reportedly, this type of spam is generally used to steal personal data, carry out DDoS attacks and spread malware.

Terrorism-based phishing emails

Example No. 6: Emails providing “security reports”

Researchers detected another email campaign distributing malicious Word documents. These documents also contain malicious macros that download and run CryptXXX ransomware as soon as the victim enables them. The subject line of such emails reads: “Security Breach – Security Report #[random code].”

The message contains the victim’s IP address and the computer’s location, making the victim feel that the message is genuine and trustworthy. The message warns the victim about non-existent threats, such as security breaches that were ostensibly prevented, and suggests checking the report attached to the message. Of course, the attachment is malicious.

Phishing emails delivering ransomware

Example No. 7: Malicious spam purportedly sent by legitimate companies

In order to convince the victim to open the file attached to an email, scammers pretend to be someone they’re not. The easiest way to trick the user into opening a malicious attachment is to create a deceptive email account that is almost identical to one owned by a legitimate company.

Using such bogus email accounts, scammers target users with well-composed emails that carry a malicious payload in an attached file. The example below shows an email sent by scammers who pretended to work at Europcar[7].

Scammers impersonate Europcar employees

The example below shows the messages used in an attack against clients of the A1 Telekom company. These phishing messages included deceptive Dropbox URLs that led to malicious ZIP or JS files. Further analysis revealed that these files contained the Crypt0l0cker virus.

Mail spam targeting A1 Telekom users

Example No. 8: Urgent task from your boss

Recently, scammers started using a new trick that lets them swindle money from unsuspecting victims in a matter of minutes. Imagine that you receive an email from your boss saying that he or she is on holiday and that you need to make an urgent payment to some company, because the boss will be out of reach shortly[8].

Sadly, if you rush to obey such instructions without checking the small details first, you can end up transferring the company’s money to a criminal or, even worse, infecting the entire computer network with malware.

Another trick that can convince you to open such a malicious attachment is for the sender to pretend to be your colleague. This trick may succeed if you work in a big company and do not know all of your colleagues. You can see a couple of examples of such phishing emails below.

Task from boss spam

Example No. 9: Tax-themed phishing

Scammers keenly follow the tax schedules of different countries and regions and do not miss a chance to launch tax-themed spam campaigns to distribute malicious programs. They use a variety of social engineering tactics to trick unfortunate victims into downloading the malicious files that accompany these deceptive messages.

Such attachments mostly carry banking Trojans (keyloggers) that, once installed, steal personal information such as the victim’s name, surname, login credentials, credit card details, and similar data.

The malicious program may be waiting in an email attachment or behind a link inserted in the message. Below, you can see an example of an email delivering a fake receipt for filed taxes, which is actually a Trojan horse.

Income Tax Receipt virus

Scammers also try to catch the user’s attention and pressure them into opening the malicious attachment by claiming that there is a pending law enforcement action against them. The message says that something needs to be done “regarding the subpoena from irs,” which is attached to the message.

Of course, the attached document isn’t a subpoena; it is a malicious document that opens in Protected View and asks the victim to click Enable Editing. Once that is done, the malicious code in the document downloads malware to the computer.

Tax Subpoena scam

The final example shows how scammers try to trick accountants into opening malicious attachments. The email seems to be coming from someone who seeks the assistance of a CPA, and, of course, it contains an attachment or two.

These are simply typical malicious Word documents that activate a script and download malware from a remote server as soon as the victim opens them.

Tax Phishing

How to identify malicious emails and keep yourself safe?

There are a few main principles to live by if you want to avoid malicious emails.

  • Forget the Spam folder. There is a reason why emails land in the Spam or Junk section: the email filters have automatically identified that identical or similar emails are being sent to thousands of people, or the vast majority of recipients have already marked such messages as spam. Legitimate emails fall into this category only in very rare cases, so it is better to stay away from the Spam and Junk folders.
  • Check the sender of an email before opening it. If you’re not sure about the sender, do not interact with the contents of the email at all. Even if you have an antivirus or anti-malware program, do not click on links in the message and do not open attached files without thinking. Remember: even the best security programs can fail to identify a brand new virus if you happen to be one of the first targets chosen by its developers. If you are not sure about the sender, you can always call the company the sender claims to work for and ask about the email you have just received.
  • Keep your PC security up to date. It is important not to keep old programs on the system, because they are usually full of security vulnerabilities. To avoid such risks, enable automatic software updates. Finally, use a good anti-malware program to ward off malicious programs. Remember: only an up-to-date security program can protect your computer. If you use an old one and tend to delay installing its updates, you plainly allow malicious programs to enter your computer quickly, without being identified and blocked.
  • Find out if a URL is safe without clicking on it. If the email you received contains a suspicious URL, hover your mouse over it to check its validity, then look at the bottom left corner of your web browser. You should see the real URL you would be redirected to. If it looks suspicious or ends in .exe, .js or .zip, do not click on it!
  • Cyber criminals usually have poor writing skills, so they often fail to compose even a short message without spelling or grammar mistakes. If you notice any, stay away from the URLs in the message and the files attached to it.
  • Don't rush! If the sender is pressing you to open the attachment or a particular link, think twice before doing so. The attached file is likely to contain malware.
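As an added illustration (not part of the original article), the Python script below applies several of these checks to a constructed message modelled on the Amazon-themed Locky spam from Example No. 2: it compares the From domain with the Return-Path domain, flags urgency wording, and looks inside a ZIP attachment for script or executable files. The sender address and subject line are the ones quoted in the article; the Return-Path domain and the archive contents are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Attachment types the checklist above singles out as common malware carriers.
RISKY_EXT = (".exe", ".js", ".zip", ".doc", ".docm")
URGENCY = ("urgent", "urgently", "immediately", "asap")

def build_sample() -> bytes:
    """Constructed sample modelled on the Amazon-themed Locky spam; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Amazon.com <auto-shipping@amazon.com>"
    msg["Return-Path"] = "<bounce@mail-relay.example>"  # constructed: the real sending domain
    msg["Subject"] = "Your Amazon.com Order Has Dispatched (#order_number)"
    msg.set_content("Your order has shipped. Please open the attached file urgently.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order.js", "// placeholder text, not a real downloader\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Order.zip")
    return bytes(msg)

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address such as '<user@host>'."""
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()

def triage(raw: bytes) -> list[str]:
    """Apply the article's checks to one RFC 822 message and return warnings."""
    msg = email.message_from_bytes(raw, policy=default)
    out = []
    from_dom = domain_of(msg["From"].addresses[0].addr_spec) if msg["From"] else ""
    return_path = msg.get("Return-Path", "")
    if return_path and domain_of(return_path) != from_dom:
        out.append(f"sender mismatch: From is {from_dom}, Return-Path is {domain_of(return_path)}")
    body = msg.get_body(preferencelist=("plain",))
    text = ((body.get_content() if body else "") + " " + (msg["Subject"] or "")).lower()
    if any(word in text for word in URGENCY):
        out.append("urgency wording in subject or body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            out.append(f"risky attachment type: {name}")
        if name.endswith(".zip"):  # look inside archives for scripts/executables
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(RISKY_EXT):
                        out.append(f"script or executable inside {name}: {member}")
    return out
```

Running `triage(build_sample())` yields four warnings for the constructed sample; on a real mailbox the same function can be fed raw `.eml` files read as bytes.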

About the author

Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
