This morning, our Technical Lead sent out a rather concerned company-wide email related to a potential malware threat delivered via email. The email in question was sent to one of our data recovery engineers by the address “firstname.lastname@example.org,” which isn’t actually an email address Gillware uses.
Using the typically vague language of other email-delivered malware threats, the message simply read something along the lines of “Your picture is ready to be sent” with a zip file attached to it. Had the engineer ran this file, there’s a very high chance his machine would have been infected with ransomware or some other undesirable malware.
Young Dogs Learning Old Tricks
This situation highlights an important trend in the strategies of cybercriminals today. Using email for spreading malware is one of the oldest tricks in the book, even going back to the 1990s with things like Microsoft Word macros. These strategies are still used today, and not because they are so vulnerable from a security point of view (MS Word macros are disabled by default), but because users are so gullible and keep falling for them.
Cybercriminals use this to their advantage by using a bit of social engineering to get someone to run their code, such as using the safe-looking address “admin@gillware.”
Our recovery engineer is a bit more tech-savvy than the average computer user and had the prudence to contact our Technical Lead before doing anything with the suspicious email, but beyond him: How many people in the average organization would have actually thought before opening that zip file?
Asking basic questions like: “Have I ever received an email from this address before?” or “What picture is this email referring to?” would cause most people to pause before moving forward, or at least we hope they would.
Hey, would you look at this invoice? No, I won’t.
Another popular technique is the invoice scam. Using the same basic structure, the email is made to look as if sent by a customer or some other person within the organization under the guise of attaching an invoice for the user to look over.
Due to busy schedules and plenty of tasks each day, it’s certainly not hard to understand why someone might think they forgot about a single invoice, especially at an organization with a high volume of business.
Despite this, I reiterate. If you do not recognize the sender or the content of the message, do not run any attached files. A quick phone call or personal check-in with whomever you believe to be the sender is far cheaper in expenses than a $300 ransomware payment and potentially destroyed files.
If you are in charge of IT in some capacity at your organization, I also recommend sending a company-wide email to warn users of these types of things. If our engineer hadn’t known that email@example.com is not used at our organization, there’s a chance he might have opened it. Well, he probably wouldn’t have opened it to be honest, but in any other organization, there are plenty of employees who might have, especially if they are larger than Gillware.
Further, here are a few basic examples of which emails NOT to open:
- Any email with mention of foreign royalty (Nigerian prince) or a long lost relative asking for a wire transfer, after which they will give you their fortune.
- Any “bank” email asking for your password or ANY personal information. Banks will never contact you via email for anything related to personal information.
- Any email that appears to be from law enforcement telling you they have evidence of your wrongdoing but are willing to drop charges if you pay a fine from your computer. Personally, I think this is one of the dumbest ones to fall victim to, but people tend to stop thinking and start panicking any time they think they’re in trouble.
- Any email that states you have won something from an unknown sender/lottery/drawing.
- Anything from an email address you don’t recognize or aren’t absolutely sure about.
- Any mystery invoices, files, pictures, etc. that you aren’t absolutely sure about.
If you’re still unsure of how to respond to questionable emails, here are a few preventative tips:
- Just don’t open it. Don’t run the sketchy program. Please don’t.
- Have a secure, offsite backup of your data. In the event of ransomware-induced file encryption, you can just clean the computer of malware and then use your backup to get your data back, all without paying a dime to the criminals.
- From a business standpoint, try to implement company-wide best practices on information security. When everyone knows what’s going on, it is much harder to become a victim.
On top of all this, remember that people make mistakes. That’s the core premise of how these cybercriminals are cashing in, that people are fallible. However, when it comes to email, these mistakes are ultimately preventable. Spend a little more time reading over your inbox and give yourself some time to think before opening a link. Those few seconds of thought might be just enough time to prevent an expensive data distaster.