Picture the scene.
You receive an email from someone inside your company. He tells you that there is a virus problem inside the company and it has resulted in data being stolen and some files being deleted.
You are told to install an anti-virus tool to clean-up the infection properly. The link appears to point to a download on your company’s own website.
Would you do it?
Well, hopefully not. But people less savvy in security matters might be fooled.
Here is the email that has been spammed out to a number of large companies (click for a larger version):
Subject: IT Notice
Just a quick alert to let everyone know that our company have experienced a new kind of virus to web space and personal computer. found that the computer system information leaked, such as in other server information is moving, a few files deleted. Expert written virus removal tools to help us fully remove this virus, Please download and install the patch, obtain virus definitions, and run the removal tool.Download the tool from: [LINK]. Please Back Up Your System Databases, If any questions, please do not hesistate to contact IT department.
Although the link appears to the naked eye to point to a file called antivirus.exe on your company’s own server (for instance, if your company’s website was called example.com it would appear to link to www.example.com/download/antivirus.exe) it really directs your browser to a download on a third-party website.
In this way it tricks you into believing you are download an approved anti-virus update from your company’s IT department, but you are really fooled into installing a Trojan horse.
Sophos anti-virus products detect the malware as Mal/Generic-L and Troj/Inject-QL.
The bogus email says (in rather poorly written English)
"If any questions, please do not hesistate to contact IT department."
Well, that’s precisely what you should do. If ever in doubt, check with your IT department whether the advice you have received is genuine. They’ll much prefer you double-checking than you putting the network at risk from malware infection.
5 comments on “Sneaky fake company virus warnings trick users into installing malware”
After that email, I'd be contacting the IT department to offer them proofreading services at the very least.
Right on. The pitiful punctuation and random capitalization would tip me off that it wasn't legit. Our "IT" guy has an MFA!
You can understand why people fall for it though.
We block at our firewall all incoming mesages that purport to come from our domain. There is no-one outside the company who has permission to send messages from our domain; and all internal users have direct access to the mail server so don't need to.
This stops all the messages from "us" to us.
This is a good example why people shouldnt be given admin rights.
Angstela – you stole my comment!