This morning, our Technical Lead sent out a rather concerned company-wide email related to a potential malware threat delivered via email. The email in question was sent to one of our data recovery engineers by the address “email@example.com,” which isn’t actually an email address Gillware uses.
Using the typically vague language of other email-delivered malware threats, the message simply read something along the lines of “Your picture is ready to be sent” with a zip file attached to it. Had the engineer ran this file, there’s a very high chance his machine would have been infected with ransomware or some other undesirable malware.
This situation highlights an important trend in the strategies of cybercriminals today. Using email for spreading malware is one of the oldest tricks in the book, even going back to the 1990s with things like Microsoft Word macros. These strategies are still used today, and not because they are so vulnerable from a security point of view (MS Word macros are disabled by default), but because users are so gullible and keep falling for them.
Cybercriminals use this to their advantage by using a bit of social engineering to get someone to run their code, such as using the safe-looking address “admin@gillware.”
Our recovery engineer is a bit more tech-savvy than the average computer user and had the prudence to contact our Technical Lead before doing anything with the suspicious email, but beyond him: How many people in the average organization would have actually thought before opening that zip file?
Asking basic questions like: “Have I ever received an email from this address before?” or “What picture is this email referring to?” would cause most people to pause before moving forward, or at least we hope they would.
Another popular technique is the invoice scam. Using the same basic structure, the email is made to look as if sent by a customer or some other person within the organization under the guise of attaching an invoice for the user to look over.
Due to busy schedules and plenty of tasks each day, it’s certainly not hard to understand why someone might think they forgot about a single invoice, especially at an organization with a high volume of business.
Despite this, I reiterate. If you do not recognize the sender or the content of the message, do not run any attached files. A quick phone call or personal check-in with whomever you believe to be the sender is far cheaper in expenses than a $300 ransomware payment and potentially destroyed files.
If you are in charge of IT in some capacity at your organization, I also recommend sending a company-wide email to warn users of these types of things. If our engineer hadn’t known that firstname.lastname@example.org is not used at our organization, there’s a chance he might have opened it. Well, he probably wouldn’t have opened it to be honest, but in any other organization, there are plenty of employees who might have, especially if they are larger than Gillware.
Further, here are a few basic examples of which emails NOT to open:
If you’re still unsure of how to respond to questionable emails, here are a few preventative tips:
On top of all this, remember that people make mistakes. That’s the core premise of how these cybercriminals are cashing in, that people are fallible. However, when it comes to email, these mistakes are ultimately preventable. Spend a little more time reading over your inbox and give yourself some time to think before opening a link. Those few seconds of thought might be just enough time to prevent an expensive data distaster.