New Bogus Invoice Emails Could Lead to Ransomware Attack

By John Lister

The people behind phishing emails appear to be getting more sophisticated. Reports from both sides of the Atlantic say such emails now include more personal details, something that was previously reserved for high-value targets.

Phishing emails try to trick people into either providing confidential information, such as bank details or online passwords, or clicking on links that install malware, usually by exploiting security weaknesses in web browsers or office software. More and more phishing attacks now try to install ransomware, which locks up a computer until the victim pays the attackers.

Creating such an email involves a balance between resources and reward. At one extreme, some messages are intentionally unsophisticated and vague. They contain so little identifying detail that they fool only a tiny percentage of recipients, but they are so easy to create that they can be sent to millions of targets.

At the other extreme, some messages are carefully crafted to include a lot of personal detail and appear very convincing. It is too much effort to send these to large groups of people, but they can be used against a specific target, such as somebody whose computer is known to contain, or connect to, a source of valuable confidential data.

Bogus Invoices Part of Scam

Now it seems some phishers are managing to get the benefits of both approaches. The British consumer affairs radio show "You and Yours" says thousands of people have received emails that contain their full postal address, making them seem much more legitimate. (Source: bbc.co.uk)

The emails claim to be a demand for an unpaid invoice and request payment. The scam isn't designed to get the recipient to hand over any money, but rather to trick them into clicking a supposed link to a copy of the invoice, something they may do out of curiosity.

Execs Under Attack

Meanwhile in the US, security firm Proofpoint says personalized phishing emails are now going to thousands of people in senior management and executive roles: people who may have access to financial accounts or may have a high security clearance on their company's network. It notes such sophisticated attacks were once restricted to a few victims, usually as part of state-sponsored espionage. (Source: arstechnica.com)

In both cases, it's unclear how the culprits are getting hold of the personal details. In the UK case, one theory is that they have breached an online retailer's database. In the US case, the details may have been "scraped" from business networking sites.

What's Your Opinion?

Have you noticed bogus emails getting more convincing? Have you ever come close to clicking on a link in an unsolicited email out of curiosity? What measures do you take to vet emails that seem suspicious?


Comments

Dennis Faas wrote:

The best advice anyone can give you with regard to thwarting such an attack is this: if you did not specifically request an email from someone - whether it's asking for personal information OR if it is asking you to 'check an attachment', then delete the message immediately. If you are still unsure, email the person who supposedly sent you the message - usually it's someone you know* - and ask them if they sent you the message.

* = The reason phishing emails come from "someone you know" is usually because their email account (or that of someone else they know) has been hacked online and your name and email address were on their contact list. The email contact database is then used to mass-email other contacts on the list with messages designed to spoof the recipient (usually with a phishing attack or malware infection). Once the recipient is infected with malware, the cycle repeats.

Piston Hank wrote:

I just dealt with a "Locky" variant of ransomware that a user received, using Outlook 2003, from an acquaintance. The message included an attachment "photos.zip 88kb". The user goofed and clicked the attachment, which of course auto-launched the .js file it contained. "The computer seemed frozen," he later reported. When he did regain control, all of his data files (documents, pictures, videos etc.) that were writeable from his account had been renamed with an encrypted filename and a ".locky" extension. Each affected directory included a "Help.txt" file with instructions for an alleged decryption. The darkweb page indicated by the help file describes the process for obtaining decryption software, which included the requirement of a payment of 4.1 Bitcoins, which is currently CAD$2254.47! Even in US currency this is too much to pay for recovery of cute cat pics.

The dead giveaway was the filesize. When was the last time you saw any kind of a photo collection, that people would be excited to share with you, that was so small?
Missing the filesize was his second major mistake. Not having an up-to-date system (including "hardened" backups) was his first. Note: if the backup drive is attached all the time, this scenario would have taken the backup archives out also.

Fortunately my client had a (rather elderly and not attached) backup so not all was lost. But a lot was!

Be careful out there and tell everybody. This B.S. will only stop when the money dries up so everybody needs to pay attention if they don't want to pay a Russian.

Syscob Support wrote:

Never, never, never open any ZIP, PDF or Microsoft Office document attached to an email—no matter who it is “From”. Those are the primary carriers of malicious infections and are NEVER safe as an email attachment!

Doccus wrote:

The correct advice, IMHO, is to scan the attachment if you know who the sender is, just in case they may have been careless themselves. Many email programs will ONLY send executables if in some compressed format, and PDFs are the way that most government docs, business proposals, manuals, etc. etc. are sent. A good anti-malware application can safely verify the contents, and may be the only practical alternative if not wanting to deal with file sharing services to access the document instead... a method that, after all, cannot really guarantee the security of the file either...
But opening without scanning first? Now DAT be real stoopid!

PS: there are some rare instances where a file will present as harmless, even to an AV application, until run, so opening inside a virtual sandboxed environment may be practical for the highly security conscious. That would be my first choice, anyways...

INXS9000RPM wrote:

Using Outlook, one can right-click a suspicious email (this doesn't open it) and then select Options. This will display a message status screen with Header details at the bottom. As one scrolls to the beginning of this Header info, any email address that is scrambled (all digits before the @ sign), or a weird/foreign domain (following the @ sign), usually signifies a scam/malicious email. Delete it while holding the Shift key to ensure it is fully removed without being stored in the Deleted folder.

andrew_4498 wrote:

If I receive an e-mail from a source that I do not recognize, I look at the subject line, and then delete the e-mail.

E-mails with unexpected attachments that are not explained in detail I delete immediately without further consideration, even if they come from a recognizable source. If the source is a relative, friend, or business colleague, I send him/her a ready-made e-mail indicating that I have deleted an unexpected e-mail and attachment, asking for it to be re-sent with an explanation in advance.

This practice is tedious, a nuisance, but it is successful. At businesses with large numbers of employees, one either trains the staff for the correct procedures, or saves the time (cost) of training, and pays the phisher or ransomer the tuition fee.

LouisianaJoe wrote:

If you get an email that appears to be from a company that you have done business with, NEVER click a link in that email. If you think that it might be OK, still go to the website and log in there to investigate.

Today, I received an email that said it was from PayPal indicating that I had a suspicious charge on my account and it provided a link to check on it. The link did not point to Paypal. I logged into PayPal in my browser and there was nothing there that matched the email. I then forwarded the email to PayPal's scam email report email.

Lion wrote:

I highly recommend the Header Tools Lite extension for Mozilla Thunderbird users, available from the official Mozilla site at https://addons.mozilla.org/en-US/thunderbird/addon/header-tools-lite/.

It serves two valuable functions for me:

1. If I wish to archive an email, I can edit the displayed subject to something meaningful and

2. I can examine the entire message packet, both headers and body, to look for red flags. This is even better than a previous poster suggests with Outlook, because I can examine the headers for suspicious origin (the displayed "From" field is easily hacked and can't be trusted) and also the body for suspicious web site links.

As for attachments, I cannot ignore .zips and .pdfs if I've satisfied myself that they're from a known and trusted source; I get many that are critical. But, although my Avast AV scans all downloads, if I have any suspicions, I can re-scan them with another scanner, such as Malwarebytes, before opening them.
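The header and link checks the commenters describe above (an all-digit local part before the @ sign, a displayed From domain that does not match the envelope sender, and a link whose visible text names one site while its href goes to another) can be automated. The following is an added Python example, not code from the article or any commenter; the message it parses is a constructed sample, and the `.example` domains and the 198.51.100.23 address are documentation placeholders.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the style of the bogus-invoice mails the article describes.
SAMPLE_EML = b"""From: "Accounts" <48213977@invoice-notify.example>
Return-Path: <bounce@mailer.example.net>
Subject: Unpaid invoice 4471 - action required
Content-Type: text/html; charset=utf-8

<html><body><p>Your invoice is overdue. View it here:
<a href="http://198.51.100.23/inv/4471.zip">https://www.paypal.com/invoice/4471</a>
</p></body></html>
"""

ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

def _host(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def red_flags(raw):
    """Return human-readable red flags for a raw RFC 5322 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    _, sender = parseaddr(str(msg.get("From", "")))
    _, bounce = parseaddr(str(msg.get("Return-Path", "")))
    local, _, sender_dom = sender.rpartition("@")
    # Header check from the comments: all digits before the @ sign.
    if re.fullmatch(r"\d+", local):
        flags.append(f"From local-part is all digits: {sender}")
    # Envelope sender (Return-Path) domain differs from the displayed From domain.
    if bounce and bounce.rpartition("@")[2].lower() != sender_dom.lower():
        flags.append(f"Return-Path domain differs from From: {bounce}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop inline tags
            # Displayed text looks like a URL but the href goes elsewhere.
            if LOOKS_LIKE_URL.match(text) and _host(text) != _host(href):
                flags.append(f"Link shows {_host(text)!r} but goes to {_host(href)!r}")
    return flags
```

Run `red_flags(SAMPLE_EML)` to see all three flags raised for the sample; a plain-text message whose From and Return-Path agree returns an empty list.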