HR departments at risk of malware infection after unemployment benefits email spammed out

Filed Under: Featured, Malware, Spam

HR. Image from ShutterstockComputer users, especially those working in the human resources departments of corporations, should be on their guard against a malware attack that is spammed out via email at the moment.

Emails have been spammed out, pretending to come from Detma (the Massachusetts Division of Employment and Training), claiming that the recipient needs to supply information in order to pay benefits to a former employee.

Here's a typical email:

Malicious email. Click for larger version

Subject: Action Required - Time Sensitive Material

Attached file:

Message body:
A former employee(s) of your company or organization recently filed a claim for benefits with the Division of Unemployment Assistance (DUA).

In order to process this claim, DUA needs information about each former employee. You are requested to:

* Provide Wage and Separation information (Form 1062/1074)
* Provide Separation Pay Information

If you do not provide this information, you may lose your right to appeal any determination made on the claim. To provide this information electronically, please print attached claim (file) and complete any outstanding forms.

This message may contain privileged and/or confidential information. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy, disseminate, distribute or disclose to anyone the message or any information contained in the message.

Thank You.

The email is intended, of course, to trick the recipient into opening the attached file. Inside the ZIP file is a file called Unemployment_case.exe, detected by Sophos products as the Troj/Agent-YTA Trojan horse.

If you make the mistake of running the file on a Windows computer, and don't have good up-to-date security software in place, your PC will be compromised and hackers will be able to gain remote access to your company's data.

And as it's likely that HR staff are most likely to act upon the email, it could be personnel records and private information about individuals which is most at risk.

Make sure that you know the rules about being deeply suspicious of unsolicited attachments that arrive in your inbox, and to always be wary of running unknown executable code on your PC.

Even if you don't work in a personnel department, you could be putting your own data or that of your company at risk if you are careless about your computer security.

Human resources image from Shutterstock.

, ,

You might like

7 Responses to HR departments at risk of malware infection after unemployment benefits email spammed out

  1. Ray · 1029 days ago

    Just received the e-mail. Thanks for the heads up!

  2. Nigel · 1029 days ago

    Let me guess...the spam referenced in the article is NOT signed by an identity-trusted signature. And it most likely is not exactly wild speculation to suggest that most users who receive such spam don't even know enough to check for such a signature. (sigh)

    Before there can be any implementation, there has to be education. That would be a legitimate function for real government...which of course explains why the state's career bureaucrats and ambition-crazed politicians don't bother.

    I applaud you folks at Sophos for your efforts on the education front, but's just one of too few other voices crying in the wilderness.

  3. ejhonda · 1029 days ago

    We received one of these with a twist; there was a link in the body of the message that led to a malicious website, hosted in Germany, that was going to do a drive-by download on you. The same email was crafted to appeal to our NYS agency as the email address was labeled as "NY Division of Unemployment Assistance", but humorously still used the '' domain name. I still have a copy of it if anyone's interested. Report on the URL is here:

  4. Erin · 1029 days ago

    Thank you, but HELP. Staff opened the file and said "but nothing happened". We use SOPHOS. Do I need to run any scan, or will SOPHOS figure itself out??

  5. MikeP_UK · 1026 days ago

    One clue is in the file type, it appears to be an executable! That should always be treated with great suspicion. An normal format would likely have been a spreadsheet or word processor file. If in doubt, don't open. If it's not an expected format, don't open. If you can, always scan attachments with your chosen AV system.

  6. njorl · 1026 days ago

    "To provide this information electronically, please print attached claim" - didn't that make anyone stop and wonder?

    More technical question: does Troj/Agent-YTA need you to run it with administrator access for it to do any harm? I hope, as for any such threat, that one has to follow being clumsy/stupid enough to run the attachment with being stupid/clumsy enough to OK the User Account Control prompt to add oneself to the victim list.

  7. Samvedana · 784 days ago

    Thanks for the help...received the e-mail today.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley