Computer users, especially those working in the human resources departments of corporations, should be on their guard against a malware attack that is currently being spammed out via email.
Emails have been spammed out, pretending to come from Detma (the Massachusetts Division of Employment and Training), claiming that the recipient needs to supply information in order to pay benefits to a former employee.
Here’s a typical email:
Subject: Action Required - Time Sensitive Material
Attached file: Unemployment_case.zip
Message body:
A former employee(s) of your company or organization recently filed a claim for benefits with the Division of Unemployment Assistance (DUA). In order to process this claim, DUA needs information about each former employee. You are requested to:
* Provide Wage and Separation information (Form 1062/1074)
And/Or
* Provide Separation Pay Information
If you do not provide this information, you may lose your right to appeal any determination made on the claim. To provide this information electronically, please print attached claim (file) and complete any outstanding forms.
This message may contain privileged and/or confidential information. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy, disseminate, distribute or disclose to anyone the message or any information contained in the message.
Thank You.
The email is intended, of course, to trick the recipient into opening the attached file. Inside the ZIP file is a file called Unemployment_case.exe, detected by Sophos products as the Troj/Agent-YTA Trojan horse.
If you make the mistake of running the file on a Windows computer, and don’t have good up-to-date security software in place, your PC will be compromised and hackers will be able to gain remote access to your company’s data.
And as HR staff are the people most likely to act upon the email, it could be personnel records and private information about individuals which is most at risk.
Make sure that you follow the rules: be deeply suspicious of unsolicited attachments that arrive in your inbox, and always be wary of running unknown executable code on your PC.
Even if you don’t work in a personnel department, you could be putting your own data or that of your company at risk if you are careless about your computer security.
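The attachment pattern described above, a ZIP archive whose content is a Windows executable, is something a mail filter can check for before the message reaches an inbox. The following is an added example, not code from the original article or from Sophos; the extension list, function names and the sample message are constructed for illustration. It goes slightly beyond the article by also flagging members that begin with the `MZ` executable header under a non-executable name.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}  # assumed, non-exhaustive

def executable_members(zip_bytes):
    """Return (member_name, reason) for each ZIP member that looks executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                hits.append((name, "executable extension"))
            elif info.flag_bits & 0x1:  # encryption bit set: cannot read content
                hits.append((name, "encrypted member, content not inspected"))
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # DOS/PE magic bytes
                        hits.append((name, "MZ header behind a non-executable name"))
    return hits

def scan_message(raw):
    """Check every ZIP attachment of a raw email message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(data)):
            findings += [(fname, m, why) for m, why in executable_members(data)]
    return findings

def build_sample():
    """Constructed message shaped like the lure; payloads are harmless stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Unemployment_case.exe", b"MZ")   # 2-byte stub, not malware
        zf.writestr("claim_form.pdf", b"MZ")          # disguised name (constructed)
        zf.writestr("readme.txt", b"plain text")
    msg = EmailMessage()
    msg["Subject"] = "Action Required - Time Sensitive Material"
    msg["From"] = "sender@example.invalid"
    msg.set_content("Please print attached claim (file).")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Unemployment_case.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` reports the `.exe` member and the disguised `.pdf` member, and leaves the plain text file alone.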
Just received the e-mail. Thanks for the heads up!
Let me guess…the spam referenced in the article is NOT signed by an identity-trusted signature. And it most likely is not exactly wild speculation to suggest that most users who receive such spam don't even know enough to check for such a signature. (sigh)
Before there can be any implementation, there has to be education. That would be a legitimate function for real government…which of course explains why the state's career bureaucrats and ambition-crazed politicians don't bother.
I applaud you folks at Sophos for your efforts on the education front, but alas…it's just one of too few other voices crying in the wilderness.
We received one of these with a twist; there was a link in the body of the message that led to a malicious website, hosted in Germany, that was going to do a drive-by download on you. The same email was crafted to appeal to our NYS agency as the email address was labeled as "NY Division of Unemployment Assistance", but humorously still used the 'detma.org' domain name. I still have a copy of it if anyone's interested. Report on the URL is here: http://urlquery.net/report.php?id=132932
Thank you, but HELP. Staff opened the file and said "but nothing happened". We use SOPHOS. Do I need to run any scan, or will SOPHOS figure itself out??
One clue is in the file type: it appears to be an executable! That should always be treated with great suspicion. A normal format would likely have been a spreadsheet or word processor file. If in doubt, don't open. If it's not an expected format, don't open. If you can, always scan attachments with your chosen AV system.
"To provide this information electronically, please print attached claim" – didn't that make anyone stop and wonder?
More technical question: does Troj/Agent-YTA need you to run it with administrator access for it to do any harm? I hope, as for any such threat, that one has to follow being clumsy/stupid enough to run the attachment with being stupid/clumsy enough to OK the User Account Control prompt to add oneself to the victim list.
Thanks for the help…received the e-mail today.