Back in September 2016, we wrote about how to spot phishing emails. Those emails try to mimic genuine emails in an attempt to obtain your personal information, and they were easy to spot because they were not addressed to anyone in particular. The virus emails that Ashfield IT has seen this week were very personal to the recipients. The same key rule applies though...
What do you mean "personal to the recipients?"
This particular email was addressed to me. It addressed me in the email - "Hi, Paul!" It even had my personal home address in the body of the email (blanked out in the screenshot below):
On the face of it, this looks very much like it is intended for me. That contradicts some of the things we talked about in that previous blog post. However, there are still a couple of tell-tale signs that this email could spell trouble.
I don't know or deal with anyone in Slovakia
In the screenshot above, you can see that the email is from "ajven25@azet.sk". The domain part of the address, "azet.sk", ends in ".sk", which is Slovakia's country-code top-level domain, so if the address is genuine it belongs to a user of a Slovak email provider. Bear in mind that a From: address can be forged: the country code tells you where the provider is registered, not necessarily where the sender is sitting, so treat it as one warning sign among several rather than proof on its own.
Azet.sk, on closer inspection (via Google Translate), is Slovakia's largest multimedia company. It is a little like Yahoo in that it delivers news and other content and also offers a free email service. It started life as a dating site and has evolved through several mergers and acquisitions into the site that exists today. In short, anyone can go to this site, sign up and start sending emails free of charge.
So, what can we establish from this?
In this particular instance the user "ajven25" claims that a contract is attached to the email for my convenience. Why would someone, seemingly in Slovakia, send me a contract out of the blue? That makes no sense whatsoever.
Even if you do know someone in Slovakia, does the username "ajven25" bear any relation to the person you know or deal with?
Also, the person sending me the contract is doing so from a widely available free email account. Anyone with something as important as a contract to send you would normally do so from their organisation's own domain. For example, anyone emailing you a contract from our business would do so from an ashfieldit.co.uk address, not a free web-based one. The reverse is not a guarantee, as a From: address on a company domain can be forged too (which is why mail servers check SPF and DKIM), but a free webmail sender on a "contract" is a strong warning sign.
At this point we can be almost certain that the email is not genuine and that opening the attachment will most likely infect the computer.
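The sender checks described above, turned into a small triage routine. This is an added example and not code from the Ashfield IT post: the address ajven25@azet.sk and the fact that azet.sk is a free webmail provider come from the post, while the other provider names, the partner-domain list, the country-code table and the sample headers are constructed here for illustration.

```python
"""Added example (not code from the Ashfield IT post): the sender checks from
the post as a triage routine for a raw From: header value. The address
ajven25@azet.sk and the free webmail provider azet.sk come from the post; the
other provider names, the partner-domain list and the sample headers are
constructed here for illustration."""
import re
from email.utils import parseaddr

# Constructed: a handful of free webmail providers. A real deployment would use
# a maintained list of thousands of domains.
FREE_MAIL_PROVIDERS = {"azet.sk", "gmail.com", "yahoo.com", "outlook.com", "mail.ru"}

# Constructed: domains this organisation genuinely exchanges contracts with.
KNOWN_PARTNER_DOMAINS = {"ashfieldit.co.uk"}

# A few ISO 3166 country-code TLDs, enough for the demonstration.
CCTLD_COUNTRY = {"sk": "Slovakia", "cz": "Czech Republic", "uk": "United Kingdom", "ru": "Russia"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sender_signals(from_header: str) -> dict:
    """Extract the tell-tale signs discussed in the post from a From: header value."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    local_part, _, domain = address.rpartition("@")
    tld = domain.rsplit(".", 1)[-1] if "." in domain else ""
    # Classic spoof: the display name shows one address while the real sender is
    # another, e.g. "paul@ashfieldit.co.uk" <ajven25@azet.sk>
    shown = EMAIL_RE.search(display_name)
    return {
        "address": address,
        "domain": domain,
        "country_hint": CCTLD_COUNTRY.get(tld),  # None for gTLDs such as .com
        "free_webmail": domain in FREE_MAIL_PROVIDERS,
        "known_partner": domain in KNOWN_PARTNER_DOMAINS,
        "display_name_mismatch": bool(shown and shown.group(0).lower() != address),
        # Heuristic: short letters-then-digits usernames ("ajven25") rather than a name.
        "random_local_part": re.fullmatch(r"[a-z]{3,8}\d{1,4}", local_part) is not None,
    }


def reasons_to_verify(signals: dict) -> list:
    """Reasons to phone the sender (on a number you already hold) before opening
    anything. These are warning signs, not proof: the From: header itself can be
    forged, so even a partner domain should be backed by SPF/DKIM at the gateway."""
    reasons = []
    if signals["display_name_mismatch"]:
        reasons.append("display name shows a different address from the actual sender")
    if signals["free_webmail"]:
        reasons.append(f"sent from free webmail provider {signals['domain']}")
    if signals["country_hint"] and not signals["known_partner"]:
        reasons.append(f"sender domain uses the country-code TLD of {signals['country_hint']}")
    if signals["random_local_part"]:
        reasons.append(f"username '{signals['address'].split('@')[0]}' looks auto-generated")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: the post's sender and a genuine-looking colleague.
    for header in ['"Paul" <ajven25@azet.sk>', "Paul Smith <paul@ashfieldit.co.uk>"]:
        s = sender_signals(header)
        print(s["address"], "->", reasons_to_verify(s) or ["no warning signs"])
```

Run it on the post's sender and it lists three reasons to pick up the phone (free webmail, Slovak ccTLD on an unknown domain, auto-generated-looking username); a colleague on a known partner domain produces none. The output is a prompt to verify, not a verdict, which is the right posture for a rule that looks only at one header.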
But it had my personal details in it! Surely it must be for me?
No. We've talked previously about data breaches and how more and more people's details are leaking onto the internet. Some breaches are higher profile than others, but the fact remains that many of them contain more of your details than you'd think.
Some may contain just a username and real name for the site that was breached; in other cases they contain far more than you would like. A real-world example is UK mobile phone and data provider Three's breach in November 2016.
Three said that the data accessed included names, phone numbers, addresses and dates of birth, but added that it did not include financial information.
As you can see, anyone who got hold of data like this could in theory generate personally addressed virus emails like the one we received this week and send them to thousands upon thousands of people.
Ok, but what would happen if I were to open the attachment?
In most if not all emails like this, potential disaster. This might sound like scaremongering, but please heed the advice: no good can come from opening this attachment.
We've seen a huge rise in ransomware over the past twelve months. We wrote about ransomware, what it can do and how you can protect yourself from it back in October. Email attachments are one of the most common ways it is distributed. Ransomware could bring your organisation to its knees, so don't risk disaster by opening attachments you're unsure of.
We opened it for you - Let this be a warning!
Part of our job at Ashfield IT is not only to help with your computer and network problems but to help you protect yourself. Sometimes the best way to do that is to understand the risks involved in instances like this, so on this occasion we thought it would be useful to show you exactly what happens when you open an attachment like this.
Please note: don't try this at home (or at the office) on your own computer. To carry out this demonstration we opened the attachment in a virtual machine isolated from our internal network, so that nothing it did could reach our real systems.
Firstly, we're using Office 365, so we have the latest version of Word installed. From a security standpoint it is always best to have the latest updates installed. Word's default macro security setting ("Disable all macros with notification") blocks macros in documents that arrive from outside the organisation, so when the document opened, its macro was disabled and Word displayed a warning.
The yellow bar at the top of the screen lets you enable the macro if the document is from a trusted source. In this instance, doing so ran a macro that did some pretty harmful things.
Upon clicking "Enable Content", the macro connected to a compromised website hosted in the Czech Republic or Slovakia, downloaded an executable file and ran it. That executable then infected the computer with CryptXXX ransomware.
What this virus did was find user files on the test machine and encrypt them: pictures, documents, spreadsheets, presentations, PDFs and so on, the kinds of files that hold your actual work. Once it had finished with the test computer, the virus displayed a ransom notice demanding 2 BTC in return for the decrypter that would give you control of your files again.
We won't go over ransomware viruses again here, you can read this post if you would like further information about them.
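A check that a help desk or mail gateway can run before anyone is tempted by the yellow "Enable Content" bar: does the attachment carry a VBA macro project at all? This is an added example, not code from the Ashfield IT post. It inspects only the OOXML (.docx/.docm) package structure (the post does not say which Word format the lure used, and a legacy binary .doc is merely flagged here because reading its macro streams needs an OLE parser such as oletools' olevba); the sample files are constructed in memory and are not the real attachment.

```python
"""Added example (not code from the Ashfield IT post): a static check that shows
whether a Word attachment carries a VBA macro project, run before anyone is
tempted by the yellow "Enable Content" bar. Only the OOXML (.docx/.docm) package
structure is inspected; the post does not say which Word format the lure used,
and the sample files below are constructed in memory rather than the real one."""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"  # the part in which Word stores a VBA project
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (Compound File)


def inspect_word_attachment(filename: str, data: bytes) -> dict:
    """Report macro indicators without parsing or executing anything inside."""
    report = {
        "filename": filename,
        "format": "unknown",
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "extension_mismatch": False,
    }
    if data.startswith(OLE_MAGIC):
        # Legacy .doc can hold macros in OLE streams; reading those needs an OLE
        # parser (e.g. oletools' olevba), so this check only flags the format.
        report["format"] = "legacy-ole"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        report["has_vba_project"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            content_types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_enabled_content_type"] = MACRO_MAIN_CT in content_types
    # A plain .docx name on a package that carries a VBA project is itself a tell.
    extension = filename.lower().rsplit(".", 1)[-1]
    report["extension_mismatch"] = extension == "docx" and report["has_vba_project"]
    return report


def needs_sandbox(report: dict) -> bool:
    """True when the file should go to an isolated VM, never to a user's desktop."""
    return (report["has_vba_project"]
            or report["macro_enabled_content_type"]
            or report["format"] == "legacy-ole")


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demonstration (not a real document)."""
    buf = io.BytesIO()
    main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr(VBA_PART, b"placeholder for a compressed VBA project")
    return buf.getvalue()


CONTRACT_DOCM = build_sample_package(with_macro=True)   # stand-in for the "contract"
MINUTES_DOCX = build_sample_package(with_macro=False)   # an ordinary macro-free file

if __name__ == "__main__":
    for name, blob in (("contract.docm", CONTRACT_DOCM), ("minutes.docx", MINUTES_DOCX)):
        report = inspect_word_attachment(name, blob)
        print(name, "->", "sandbox it" if needs_sandbox(report) else "no macro indicators", report)
```

The point of the check is that the macro exists in the file regardless of what Word shows: the "protected document, enable content to view" text is the attacker's bait, and a document that needs a macro just to display its contents is one you hand to a sandbox, not to the person who received it.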
What can we conclude?
The attacker on this occasion will have sent out thousands of virus emails. He or she plays on most people's curiosity to try and get you to open this document.
- It's addressed to you personally to make you think it's genuine.
- They tell you the file attached is a contract which most people think could be very important.
- When the document opens, its text tells you that the document is "protected" and that you must enable the content to see it. That message is written by the attacker, not by Word; a genuine document does not need macros enabled just to be read.
- If you enable the content, you will very likely be infected.
The same old rules apply though. If someone you do not know sends you an email with a file attached, out of the blue and with no contact details, just delete it. If they do give contact details, call them to check the email is genuine before opening anything, using a phone number you already hold or can look up independently rather than one taken from the email itself.
Ashfield IT are an IT support company based in Nottinghamshire that can help with your computer security and virus protection. For more information, you can reach us via online chat, our contact page or call us on 01623 375005.