Sneaky fake company virus warnings trick users into installing malware

Filed Under: Malware, Spam

Malicious emailPicture the scene.

You receive an email from someone inside your company. He tells you that there is a virus problem inside the company and it has resulted in data being stolen and some files being deleted.

You are told to install an anti-virus tool to clean-up the infection properly. The link appears to point to a download on your company's own website.

Would you do it?

Well, hopefully not. But people less savvy in security matters might be fooled.

Here is the email that has been spammed out to a number of large companies (click for a larger version):


Malicious email. Click for larger version

Subject: IT Notice

Message body:
Dear all,

Just a quick alert to let everyone know that our company have experienced a new kind of virus to web space and personal computer. found that the computer system information leaked, such as in other server information is moving, a few files deleted. Expert written virus removal tools to help us fully remove this virus, Please download and install the patch, obtain virus definitions, and run the removal tool.Download the tool from: [LINK]. Please Back Up Your System Databases, If any questions, please do not hesistate to contact IT department.

Although the link appears to the naked eye to point to a file called antivirus.exe on your company's own server (for instance, if your company's website was called example.com it would appear to link to www.example.com/download/antivirus.exe) it really directs your browser to a download on a third-party website.

In this way it tricks you into believing you are download an approved anti-virus update from your company's IT department, but you are really fooled into installing a Trojan horse.

Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.

The bogus email says (in rather poorly written English)

"If any questions, please do not hesistate to contact IT department."

Well, that's precisely what you should do. If ever in doubt, check with your IT department whether the advice you have received is genuine. They'll much prefer you double-checking than you putting the network at risk from malware infection.

, , ,

You might like

5 Responses to Sneaky fake company virus warnings trick users into installing malware

  1. Angstela · 1022 days ago

    After that email, I'd be contacting the IT department to offer them proofreading services at the very least.

    • Kimberly · 1022 days ago

      Right on. The pitiful punctuation and random capitalization would tip me off that it wasn't legit. Our "IT" guy has an MFA!

  2. Robin · 1022 days ago

    You can understand why people fall for it though.

    We block at our firewall all incoming mesages that purport to come from our domain. There is no-one outside the company who has permission to send messages from our domain; and all internal users have direct access to the mail server so don't need to.

    This stops all the messages from "us" to us.

  3. This is a good example why people shouldnt be given admin rights.

  4. DaveyH · 1022 days ago

    Angstela - you stole my comment!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.