Thanks to Graham Chantry and Tad Heppner of SophosLabs for their help with this article.
Many UK residents woke up yesterday to a nasty surprise in their inbox: a scam email that greeted them by their real name and home address.
Collectively, we're getting better and better at spotting emails that don't come from where they claim to, for example because our real bank doesn't address us as "Dear Customer", and because our real mortgage provider knows how to spell its own kompani nayme without making silly mistakes.
But in this case, the email wasn't trying to hide that it came from a crook.
In fact, the wording of the scam made the email more worrying and thus, perhaps paradoxically, more likely to coerce victims into action than a well-written email from an obviously unlikely source would have been.
The text of the emails varies slightly from sample to sample, but the examples seen by SophosLabs look something like this:
Or like this:
The salutation uses your first name (given name); the attachment's file name is your last name (family name); and the address is your home address, complete with postcode.
You know it's a scam, not only because of the terrible spelling and grammar, but also because no official organisation would dare to write what amounts to a veiled threat of this sort.
So it seems wrong and risky to open the attachment to see what's in it.
On the other hand, there must be some truth to the claims about a data leak, because the crooks know your name and address, and not just vaguely but precisely, so who knows what else they know about you?
With so many data breaches in the news recently, it's perfectly reasonable to ask, "How bad is this?"
So it seems wrong and risky not to open the attachment to see what's in it.
What happens next?
If you open the attached file, portentously named yoursurname.dot, Word prompts you for a password, just as the scammers warned you to expect:
The password is chosen randomly for each recipient, so you really do need the one from your own email to open the file:
At this point, the crooks try to persuade you to enable macros in the open document, which means you'll run program code that the criminals themselves stored in the file.
This is a feature of Word: you can write long and powerful Word extensions as macros, using Microsoft's Visual Basic for Applications (VBA) programming language, but because macros arriving from outside can be extremely dangerous, they don't run by default.
In order to get you to agree to run their malicious macro, the crooks use what might be called a bait-and-switch trick.
The document features an official-looking help page that tells you to "enable editing" to view its content.
Somehow that sounds less suspicious than enabling macros, as though you're merely agreeing to see what's inside the document, not trusting it to the point of letting it run untrusted program code inside Word.
If you click [Enable Content], you agree to run a malicious VBA program that tries two different web pages, hosted on hacked web servers, and downloads what looks like a GIF file.
GIF is short for Graphics Interchange Format, an old but still common image file type.
In fact, the GIF file has just 10 bytes of valid header data, followed by a 256-byte decryption key, followed by about 0.5MB of binary data that has been XORed with the decryption key repeated over and over. (This is known as a Vigenère cipher, named after a 16th-century cryptographer who didn't actually invent it.)
The GIF header makes the file look innocent, even though it won't display as an image, and the Vigenère encoding means that the suspicious parts of the file aren't obvious. Note that because the key travels inside the file, this is obfuscation rather than real encryption: its job is to slip past simple content scanning, not to keep anything secret from someone who has the file.
Of course, the encoding also means that the fake GIF file is harmless on its own, so the malicious macro includes a decryption loop that extracts the encoded data, decrypts it into an executable, and writes it to %TEMP%, the special folder where Windows keeps its temporary files.
The malware ends up with a randomly chosen numeric name, such as 05643.exe.
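The decoding step the macro performs is simple enough to reproduce, and an analyst who has captured the fake GIF can carve the executable out of it without ever running the macro. The Python script below is an added example, not code from this article or from SophosLabs. It assumes that the 10 valid header bytes are the GIF signature plus the logical screen width and height (the article says only that 10 bytes are valid), and the key and payload it uses are constructed stand-ins so that it runs offline. It also generalises the point into a quick triage check: a file that claims to be a GIF but decodes to an MZ header under this scheme is a wrapper, not an image.

```python
"""Carve the XOR-wrapped executable out of a fake GIF with the layout described above.

Assumed layout, following the article: 10 bytes of GIF header, then a 256-byte key,
then the payload XORed with that key repeated end to end (a Vigenère-style running
key, applied with XOR rather than letter shifts). Which 10 header bytes are kept,
the sample key and the sample payload are constructed for this example.
"""
from typing import Tuple

GIF_HEADER_LEN = 10  # assumption: "GIF89a"/"GIF87a" signature (6) + logical screen width and height (2 + 2)
KEY_LEN = 256        # the repeating XOR key that follows the header


def xor_with_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR byte i of data with key[i mod len(key)]; the same call encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def split_fake_gif(blob: bytes) -> Tuple[bytes, bytes, bytes]:
    """Return (header, key, encoded_body), or raise if the blob cannot fit the layout."""
    if blob[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("no GIF signature at offset 0")
    if len(blob) < GIF_HEADER_LEN + KEY_LEN + 2:
        raise ValueError("too short to hold a header, a 256-byte key and a payload")
    header = blob[:GIF_HEADER_LEN]
    key = blob[GIF_HEADER_LEN:GIF_HEADER_LEN + KEY_LEN]
    body = blob[GIF_HEADER_LEN + KEY_LEN:]
    return header, key, body


def carve_executable(blob: bytes) -> bytes:
    """Decode the wrapped payload and insist that it is a Windows PE image ("MZ")."""
    _header, key, body = split_fake_gif(blob)
    decoded = xor_with_repeating_key(body, key)
    if decoded[:2] != b"MZ":
        raise ValueError("decoded data does not start with an MZ header")
    return decoded


def looks_like_wrapped_pe(blob: bytes) -> bool:
    """Triage helper: True if the blob is a 'GIF' that hides an MZ image under this scheme.

    A genuine GIF fails here, either because it is too short for the layout or because
    XORing its pixel data with whatever follows the header does not yield "MZ".
    """
    try:
        carve_executable(blob)
        return True
    except ValueError:
        return False


def build_sample_fake_gif(payload: bytes, key: bytes) -> bytes:
    """Construct a wrapper of the assumed layout, for testing the carver offline."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    header = b"GIF89a" + (1).to_bytes(2, "little") + (1).to_bytes(2, "little")  # 1x1 screen
    assert len(header) == GIF_HEADER_LEN
    return header + key + xor_with_repeating_key(payload, key)


# Constructed sample data (not from a real sample): a permutation of 0..255 as the key,
# and a stub that merely starts like a PE file, so nothing here is executable.
SAMPLE_KEY = bytes((i * 73 + 29) & 0xFF for i in range(256))
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + bytes(600)


if __name__ == "__main__":
    sample = build_sample_fake_gif(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("starts like a GIF:", sample[:6] == b"GIF89a")
    print("MZ visible in the raw body:", sample[GIF_HEADER_LEN + KEY_LEN:][:2] == b"MZ")
    exe = carve_executable(sample)
    print("carved %d bytes beginning %r" % (len(exe), exe[:2]))
    # An analyst would write `exe` to a file for static inspection; never run it.
```

Against a real capture, read the downloaded file as bytes, pass it to carve_executable(), and write the result to disk for static analysis rather than executing it. If a future sample shifts the key or changes its length, the two constants at the top are the only things to adjust.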
When we tested this attack at SophosLabs, the malware that was downloaded was Troj/Agent-AURH, a bot or zombie malware strain that calls home to a command-and-control (C&C) server for further instructions.
Our zombified computer didn't receive any instructions during our test, but it's important to remember that in attacks of this sort:
- The crooks can vary the downloaded malware as they see fit, changing it according to your time zone, location or language settings, or simply on a whim.
- The crooks can vary the instructions they send to some or all of the bots in their botnet, typically including updating or replacing the bot itself, or downloading additional malware.
The malicious macro in the original document has two more tricks up its sleeve to go with the fake-GIF decryption shenanigans.
If the macro gets an unexpected response on its first attempt to download the fake GIF, the crooks assume that some kind of web-filtering antivirus or firewall blocked the download, so they try to talk you into turning your security filtering off:
It's easy to assume the popup is coming from Word, or even from Windows, but that's the crooks talking to you.
In a similarly sneaky way, the crooks display the following message right at the end:
It's all a pack of lies: the "file is corrupted" message means exactly the opposite of what it says, because it appears only after the malware has been downloaded, decrypted, saved to disk and launched in the background.
Should you be afraid?
It's understandable to feel a bit scared when you receive a scam email that knows your name and home address, because of the lurking question, "Why me?"
The good news, if you can call it that, is that through articles and reports like this one, you'll soon see that you're not alone, and that the crooks are targeting a much larger group than just you.
Unfortunately, however, it's likely that the particular addresses they're using were stolen in one or more data breaches and then sold on in the underground for criminal abuse of this sort.
At least in the UK, many companies that collect addresses run them through some form of standardisation algorithm to produce address data in the format preferred by the Post Office, so it can be hard to work out the likely source of the leak.
What to do?
- Don't open unsolicited or unexpected attachments, especially if an unknown sender tells you to.
Even if the document claims to be a bill you don't owe, or threatens you in some way, don't let fear or uncertainty get the better of you. After all, if you're worried about the trustworthiness of the sender, the worst thing you can do is to follow their "advice" about computer security!
- Don't turn off important security settings, such as "Macros have been disabled", especially if an unknown sender tells you to.
The crooks have come up with many ways of tricking you into clicking [Enable Content], usually by making it sound as though you're somehow improving security, for example by decrypting or unlocking sensitive information. But Microsoft turned Word macros off by default years ago to improve security, so turning them back on leaves you less secure, not more.
- If you're not sure what to do, ask someone you really know and trust, such as a friend or family member.
Never ask the sender of the email for advice: they'll simply tell you what they want you to hear, not what you need to know. And if you're the friend being asked for help, try using our short and simple motto, and stick to it: "Don't buy, don't try, don't reply."
- If you believe that a targeted email of this sort is actually a personal attack on you, for example by a stalker, rather than part of a broader cybercrime campaign, and if you are seriously concerned for your safety, contact your local police.
Be prepared to explain yourself clearly, which usually means keeping the suspicious emails and messages rather than deleting them.
Have you recently opened an email that you now have reason to be wary of, or are you worried that you may have let malware in by following risky advice from someone you don't know? If so, you can download the free Sophos Virus Removal Tool to scan for malware that may be lurking undetected. You don't need to uninstall your existing antivirus first: the Virus Removal Tool is designed to work alongside other security products.