In the past week, we have seen emails sent directly to end-users containing detailed information about them. The image below only shows this person's first name, but we can confirm that the first name and surname are correct, along with his home address. We’ve blocked out the details, but can you spot the mistakes that mark this email as malicious?
How many spelling mistakes can you spot?
The grammar is another giveaway.
- DO NOT open the file!
- DO NOT reply to the sender!
- DELETE the email immediately!
We’ve taken a short video of ourselves opening the attached file. After entering the password given in the email, it asks you to Enable Macros. When you click Enable, it immediately looks for an internet connection, which tells us that it’s trying to obtain an encryption key. We removed the desktop used in the video from any network, so it had no internet connectivity.
The document appears blank, but we noticed that the cursor is flashing in the middle of the row instead of at the far left-hand side, so we know there is something hidden within the file. Turning on the developer tools, we could see the code for the macro that they want you to run.
The code clearly shows that the first task is to display a “check the SSL certification” message. Whilst this message is showing, another instruction tells the device to open hidden connections to two predetermined URLs. Once these URLs have been visited, a small malicious file is installed onto your device, and the results can be very disruptive to that device and to any mapped drives it’s connected to.
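A gateway-side triage check for attachments like this one, as an added example that is not code from the original post. It inspects only the container: an OOXML document is a zip archive whose macro code lives in a `vbaProject.bin` entry, while legacy and password-protected Office files are OLE compound files that cannot be inspected without the password, so they are flagged for sandbox review. The sample documents and the `triage_attachment` function name are constructed for this example.

```python
"""Triage check: does an Office attachment carry a VBA macro project?

Added example, not from the original post. Only container structure is
examined: OOXML (.docm/.xlsm) is a zip whose VBA code sits in a
vbaProject.bin entry; password-protected and legacy .doc files are OLE
compound files (magic D0 CF 11 E0 A1 B1 1A E1) whose contents are not
visible here, so they are quarantined for deeper review.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_attachment(data: bytes) -> str:
    """Return a verdict string for the raw bytes of an attachment."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format or a password-to-open encrypted document:
        # both are OLE containers, and the macro (if any) is hidden inside.
        return "ole-container: legacy or password-protected, quarantine for sandbox review"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "corrupt zip container"
        # word/, xl/ and ppt/ all store macros under the same entry name.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "macro-enabled OOXML: VBA project present"
        return "OOXML without VBA project"
    return "not an Office container"


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style zip with a 'blank' body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")  # empty page
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("docm", build_sample_docm(True)),
               ("docx", build_sample_docm(False)),
               ("protected", OLE_MAGIC + b"\x00" * 504)]
    for label, blob in samples:
        print(f"{label}: {triage_attachment(blob)}")
```

A verdict of "VBA project present" on an unexpected attachment is reason enough to hold the message; the check says nothing about what the macro does, only that one is there.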
If you receive a suspicious attachment on an email that you are not expecting (even if it’s from somebody you know) DO NOT open it. Call the sender to confirm they did send it. If you cannot confirm, delete it!