Email has become the primary channel of communication in most business offices, which makes it a prime target for malware distribution since users tend to function on autopilot when they use it. If you receive dozens - or even hundreds - of invoices or shipment notifications a day, you may not notice that one of these isn’t from a familiar source before you open it to find out what it is. Sometimes simply opening a file is all it takes to let malware in, leading to all of the files on your shared drive becoming encrypted and inaccessible.
A majority of the malware infections we see today come from malicious attachments disguised as phony invoices, bills, or shipping notifications. Spam filtering services will stop a vast percentage of these deceptive attachments. However, filtering is based on an algorithm derived from a huge sample size. So if something is unique or brand new, filtering may not catch it, allowing the attachment to reach the last line of defense: end-users. There are usually some tell-tale signs that an email and its attachment(s) aren’t authentic. Even if it looks to be coming from a familiar address, do not take the attachment’s legitimacy for granted. Email addresses and headers can be spoofed. So even if it appears to be coming from a vendor or your accounting department, that may not actually be the case.
Malicious attachments often take the form of compressed (.zip) files and folders. Many mail services completely block bare executable (.exe) file attachments, but it can be inconvenient to block .zip files absolutely, since many people use them as a convenient way to send a large number of small files together. These compressed files can hide the payload from some less defensive forms of spam filtering. If you open an attachment and are greeted with a folder with files inside it, tread carefully.
What to Look For
Notice below that, while the file inside appears to be a PDF at first glance, the file 'Type' is actually listed as “Application” (instead of "Adobe PDF document"). By default, Windows hides the file extension when displaying file names.
With the 'Hide extensions for known file types' option unchecked in Folder Options below, we see that the full file name for this supposed invoice is actually “Your Invoice.pdf.exe,” a potentially malicious executable. Screen saver (.scr) files are another common malicious file type. Even without the full file extension visible, the flaws in this malware’s disguise should be clear with just a few seconds of consideration. However, malware distributors are preying on the autopilot user mentality that can crop up when repeating the same task over and over.
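The double-extension trick above is easy to check for mechanically, and the same check can be run over the contents of a .zip attachment before anyone opens it. The script below is an added example written for this post, not something from the original; the list of executable extensions is an assumption for the example (the post itself only names .exe, .scr and .zip), and the zip it inspects is constructed inline to mimic the invoice described above.

```python
"""Added example: flag attachment names that rely on the double-extension trick
and look inside zip attachments for hidden executables."""
from __future__ import annotations

import io
import os
import zipfile

# Extensions Windows will run directly when double-clicked. Assumed list for
# this example; .exe and .scr are the two the post names.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi",
}

# Extensions a user expects to be harmless documents or pictures.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def windows_display_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    only the final extension is dropped, so 'Your Invoice.pdf.exe' shows as
    'Your Invoice.pdf'."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify_filename(filename: str) -> list[str]:
    """Return a list of findings for one file name (empty means nothing suspicious)."""
    findings: list[str] = []
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext}")
        # A document extension directly in front of the real one is the disguise.
        inner_ext = os.path.splitext(root)[1].lower()
        if inner_ext in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension: displays as '{windows_display_name(base)}'")
    return findings


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each file entry inside a zip attachment to its findings."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report[info.filename] = classify_filename(info.filename)
    return report


def triage_attachment(filename: str, data: bytes) -> dict[str, list[str]]:
    """Check the attachment's own name, then its contents if it is a zip."""
    report = {filename: classify_filename(filename)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        for entry, findings in inspect_zip(data).items():
            report[f"{filename}/{entry}"] = findings
    return report


def build_sample_zip() -> bytes:
    """Constructed sample: a zip like the one in the post, holding a fake
    'invoice' that is really an executable. The bytes are not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Your Invoice.pdf.exe", b"MZ placeholder, not a real program")
        zf.writestr("readme.txt", b"Please see the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_attachment("invoice.zip", build_sample_zip()).items():
        print(name, "->", findings or ["ok"])
```

Run on the constructed sample, the zip itself looks harmless but the entry "Your Invoice.pdf.exe" is flagged both as an executable and as a double extension that Explorer would display as "Your Invoice.pdf".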
Malware can also hide in documents and spreadsheets. It’s rare - but possible - that simply opening a document or spreadsheet will be enough for an infection to compromise your system. In most cases, the malware leverages macros and embedded content in order to infect the system, which usually require some kind of user interaction to launch. If your company has a group policy in place that disables protected mode in Microsoft Office, these malicious macros may actually run automatically.
Most of these documents disguise the prompt for privileges, or the move to a less secure platform, as a required step to view the document. This PDF came in as a bank slip from a spoofed address for a local bank. When "Bank slip.pdf" is opened, it masquerades as a secured document with a link to view it online. If you see something like this, it’s most likely a scam or a link to malware. If you do see this and you think it is a legitimate file from a known contact, please reach out to your IT provider and ask them to validate the file as secure.
When I opened the file on an isolated test machine and clicked on the link, it pulled up a prompt to go to a separate webpage. "moneyonline4affiliate.com" is clearly not a legitimate website, but it could just as easily have been a cleverly disguised domain that looks like a banking site at first glance.
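Rather than clicking the link to find out where it goes, an IT provider can pull the link targets out of the PDF and compare them with the domain the message claims to come from. The script below is an added example for this post, not the author's own tooling: the PDF it scans is constructed inline (a one-page "secured document" carrying the link from the bank-slip example plus one legitimate-looking link), and "examplebank.com" is a placeholder for the bank's real domain. It only reads /URI entries written as plain strings; links inside compressed object streams need a real PDF parser such as pypdf or pdfminer.

```python
"""Added example: extract link targets from a PDF attachment and check whether
they point at the sender's real domain, a lookalike, or somewhere else."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed sample PDF: a minimal one-page document whose only content is two
# link annotations. It is not the real bank slip from the post.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://moneyonline4affiliate.com/secure/view) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.examplebank.com/contact) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches a /URI entry whose target is a literal PDF string: /URI (http://...)
URI_PATTERN = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """All link targets stored as literal strings in the raw PDF bytes."""
    return [m.group(1).decode("latin-1") for m in URI_PATTERN.finditer(pdf_bytes)]


def is_trusted_host(host: str, trusted_domain: str) -> bool:
    """True only if host is the trusted domain itself or a genuine subdomain of it.
    'notexamplebank.com' must not pass, so the check requires the leading dot."""
    host = host.lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def looks_like_lookalike(host: str, trusted_domain: str) -> bool:
    """The bank's name appears inside a host that is not actually the bank's,
    e.g. examplebank.com.evil.net or examplebank-login.com."""
    label = trusted_domain.split(".")[0]
    return label in host.lower() and not is_trusted_host(host, trusted_domain)


def check_pdf_links(pdf_bytes: bytes, trusted_domain: str) -> list[dict[str, str]]:
    """One verdict per link: 'trusted', 'lookalike' or 'untrusted'."""
    verdicts = []
    for uri in extract_uris(pdf_bytes):
        host = urlparse(uri).hostname or ""
        if is_trusted_host(host, trusted_domain):
            verdict = "trusted"
        elif looks_like_lookalike(host, trusted_domain):
            verdict = "lookalike"
        else:
            verdict = "untrusted"
        verdicts.append({"uri": uri, "host": host, "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in check_pdf_links(SAMPLE_PDF, "examplebank.com"):
        print(f"{v['verdict']:10} {v['host']:30} {v['uri']}")
```

On the constructed sample, the "view online" link is reported as untrusted and the contact link as trusted; a host such as examplebank.com.evil.net would be reported as a lookalike, which is the disguised-domain case the paragraph above warns about.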
Embedded macros and scripts in office documents follow a very similar pattern and format. They appear to have some kind of content hidden behind a feature wall, requiring the user to click to enable editing or enable content. In the instance below, I first had to click 'Enable Editing' and then on 'Enable Content' for the malicious code to run.
There are a variety of macros embedded in the seemingly blank document, which run in succession to create a hidden folder in my temporary files, deploy malicious code to that folder, and then run the code to put startup entries on my machine which will begin running a Cryptolocker variant.
To the end-user, it appears that nothing has happened (all of these macros run in the background), and s/he is left looking at a blank Word document. It won't be until several hours later, when the user is unable to open any documents and a ransom note pops up on the screen, that s/he may realize exactly what happened.
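Because modern Office files (.docx, .docm, .xlsx, .xlsm) are zip containers, the presence of a macro project can be checked without opening the document in Word at all, which is how an IT provider can validate an attachment in isolation. The script below is an added example for this post, not the author's tooling: the macro-enabled document it inspects is constructed inline with a placeholder VBA blob (not real macro code), and it flags the three things the paragraphs above describe, a VBA project, a file name that does not match what is inside, and a document that is blank apart from its macros. For reading the macro source itself, use an OLE-aware tool such as olevba from oletools.

```python
"""Added example: detect a VBA macro project inside an Office Open XML
attachment and report name/content mismatches and blank-but-macro documents."""
from __future__ import annotations

import io
import os
import re
import zipfile

MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
MACRO_FREE_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx"}
# Main-part content type Word declares for a macro-enabled document.
WORD_MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"

# [Content_Types].xml for the constructed sample document.
CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    f'<Override PartName="/word/document.xml" ContentType="{WORD_MACRO_CONTENT_TYPE}"/>'
    "</Types>"
)


def build_sample_docm() -> bytes:
    """Constructed sample: a stripped-down, visually blank macro-enabled Word
    document. The vbaProject.bin entry is a placeholder, not a real VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        zf.writestr("word/document.xml", "<w:document><w:body><w:p/></w:body></w:document>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not real macro code")
    return buf.getvalue()


def inspect_office_document(filename: str, data: bytes) -> dict:
    """Inspect one attachment and return what was found about macros."""
    ext = os.path.splitext(filename)[1].lower()
    report: dict = {
        "filename": filename,
        "has_vba_project": False,
        "declares_macros": False,
        "visible_text_runs": None,
        "findings": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["findings"].append(
            "not an OOXML zip container (legacy binary format or something else); "
            "inspect with an OLE-aware tool"
        )
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Any part named vbaProject.bin is the stored macro project.
        report["has_vba_project"] = any(n.endswith("vbaProject.bin") for n in names)
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            report["declares_macros"] = WORD_MACRO_CONTENT_TYPE in content_types
        if "word/document.xml" in names:
            body = zf.read("word/document.xml").decode("utf-8", "replace")
            # <w:t> elements hold the text a user would actually see on the page.
            report["visible_text_runs"] = len(re.findall(r"<w:t[ >]", body))
    if report["has_vba_project"]:
        report["findings"].append("contains a VBA macro project")
        if ext in MACRO_FREE_EXTENSIONS:
            report["findings"].append(f"extension {ext} implies no macros, but a VBA project is present")
        if report["visible_text_runs"] == 0:
            report["findings"].append("document body has no visible text yet carries macros")
    elif ext in MACRO_ENABLED_EXTENSIONS or report["declares_macros"]:
        report["findings"].append("declared macro-enabled but no VBA project found")
    return report


if __name__ == "__main__":
    for finding in inspect_office_document("Invoice.docm", build_sample_docm())["findings"]:
        print("-", finding)
```

On the constructed sample this reports a VBA project in a document with no visible text, which is exactly the "seemingly blank document" situation above; renaming the same file to .docx adds a name/content mismatch finding, and a legacy binary .doc is passed on to an OLE-aware tool rather than silently reported as clean.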
These examples are pretty easy to see through for illustrative purposes, but real-world instances are much better disguised. The request to 'Enable Content' may be at the end of an otherwise legitimate-looking invoice and seem required in order to 'Calculate a Formula'. There may be a web link at the end of a PDF document to take you to the bank’s login portal, but it instead goes to a well-crafted forgery of the bank’s website in order to steal your credentials. These documents may even look as though they're coming from your company’s President, while in actuality they originate from a compromised email server overseas.
What to Do
If something seems out of the ordinary or unusual, ask your IT provider to validate its authenticity in an isolated environment. It may take an extra ten minutes, but it's well worth the time to avoid compromised data, expensive repairs, and hours of lost work.
Have you run into malicious email attachments on your network? Share your experiences with other readers by leaving a comment below. And don't hesitate to get in touch with your questions on this or any other Information Technology topic.
This is the first post in our three-part series on how end-user awareness and behavior can contribute to network security. Don't miss the next two! By subscribing to B/P Impressions, you'll receive these and other upcoming blog updates in your email inbox.