The ransomware attack that knows where you live

Thanks to Fraser Howard of SophosLabs for his work on this article.

We often hear people saying, “I back myself to spot all the phishes that come my way.”

That’s because many phishing emails contain tell-tale mistakes that arouse suspicion.

Sometimes, there’s a phrase that a native speaker of your language would simply never use, or a truly unusual spelling mistake, or a phone number in the wrong format.

Often, emails that are supposed to be addressed to you as a paying customer start with the impersonal salutation Dear Sir/Madam.

Or they refer to your address only in a very vague and unlikely way, such as Sydney, New South Wales or West Midlands, England.

Unfortunately, if that’s all you are looking out for, you may be at risk from phishing campaigns that put in even the slightest extra effort to “look right.”

Here’s an example that we saw recently that took sufficiently many people by surprise that the BBC went as far as publishing a general warning about it.

When preparing this article, we limited ourselves to a random selection of emails from this campaign, which had targeted people all over the UK, only to find that our sample included someone from Abingdon in Oxfordshire, our very own neck of the woods:

Make no mistake, there are numerous things wrong with this email.

Residents of the UK are entirely used to British currency and its quirky symbol, so they’d write £, not GBP. (And the pound sign goes first, like an American $1, not at the end, like a French 1€.)

Dates in the UK are written with the day first, and often (very annoyingly) with just two digits for the year, as they are here, but they’re usually separated with strokes, so that today would be 14/04/16 rather than 14.04.16.

Writing “forward the payment and transfer the amount” is not only repetitious but confusing; the words “original invoice” should probably be preceded by a pronoun or an article such as “your” or “the”; and so on.
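The localisation slips listed above (currency code instead of the £ symbol, dotted dates, an impersonal salutation) can be turned into simple mail-filter heuristics. The following is an added example, not code from the original article or from Sophos; the sample message is constructed to resemble the invoice described here and is not the real email, and the check names are my own.

```python
import re

# Constructed sample, loosely modelled on the invoice email described in the article
# (not the real message): ISO currency code, dotted date, impersonal salutation.
SAMPLE_EMAIL = """Dear Sir/Madam,

Please forward the payment and transfer the amount of GBP 245.00
by 14.04.16 as per original invoice.
"""

# Each check: (name, compiled regex, explanation). The patterns target the
# UK-localisation slips called out in the article; they are heuristics that
# raise a score, not proof that a message is a phish.
CHECKS = [
    ("currency_code_instead_of_symbol",
     re.compile(r"\b(?:GBP|EUR|USD)\s*\d"),
     "ISO currency code where a UK sender would write the £ symbol"),
    ("symbol_after_amount",
     re.compile(r"\d\s*£"),
     "pound sign written after the amount, continental style"),
    ("dotted_date",
     re.compile(r"\b\d{2}\.\d{2}\.\d{2,4}\b"),
     "date separated with dots rather than strokes (14/04/16)"),
    ("impersonal_salutation",
     re.compile(r"^\s*Dear\s+Sir\s*/\s*Madam", re.IGNORECASE | re.MULTILINE),
     "generic salutation on a message that claims to know the recipient"),
]


def find_localisation_tells(body: str) -> list[tuple[str, str, str]]:
    """Return (check name, matched text, explanation) for every tell found in body."""
    findings = []
    for name, pattern, why in CHECKS:
        for match in pattern.finditer(body):
            findings.append((name, match.group(0), why))
    return findings


if __name__ == "__main__":
    for name, hit, why in find_localisation_tells(SAMPLE_EMAIL):
        print(f"{name}: {hit!r} -- {why}")
```

Run against the constructed sample, the checker reports the currency code, the dotted date and the salutation; a correctly localised sentence such as “Your balance is £245.00, due 14/04/16.” produces no findings, which is exactly the article's point: a filter built only on these tells will wave through a phish that gets the details right.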

But the addresses are spot on in their look, and, as far as we know, are also spot on in correctness.

Our guess, from their consistency in format across this phishing campaign, is that they’re standardised addresses acquired from some earlier data breach.

They were certainly enough to get your attention if you received one of these emails.

The amounts and the names of the creditors vary through the campaign, and they often don’t quite look right, because some of the charges seem unlikely given the services allegedly being billed, so we suspect they’ve been generated randomly.

Nevertheless, they’re realistic enough to get you worried about a debt you apparently haven’t paid.

The web links are spread all over the place, but the ones in our random sample all seemed to be perfectly legitimate sites that had been hacked to provide trustworthy-enough landing pages for the crooks.

Hard to find fault

It’s hard to find fault with any recipients who clicked through, given that they probably only wanted to find out more about the alleged debt in order to contest it.

After all, the minor orthographic errors listed above are hardly unusual these days.

Many companies outsource tasks such as support, invoicing, payment processing and debt collection, perhaps using global service providers overseas that don’t follow local usage patterns perfectly anyway.

If you did click through, you’d reach a surprisingly simple but clever trick, no doubt implemented by the crooks to frustrate automatic investigation and analysis by security companies:

CAPTCHAs are widely disliked but hardly unusual these days.

After solving the CAPTCHA, a well-informed user would, we hope, go no further, and delete the ZIP as suspicious.

That’s because the ZIP files used in this campaign contained a .SCR file, rather than the document or spreadsheet you might expect.

The ZIPs in this case are blocked by Sophos products as Mal/DrodZp-A.
The SCR files are blocked as Troj/Ransom-CSQ.

Strictly speaking, .SCR files are Windows screensavers, but screensavers are actually just a special sort of Windows application, so the download is actually asking you to unzip and run a program, not to view a document.

If you’re cautious about files like .DOC and .PDF in unsolicited emails, you should be trebly cautious of Windows executables (software programs).

You won’t be surprised to see what happens if you keep on going and open the .SCR file:

The Maktub ransomware (blocked by Sophos as Troj/Ransom-CSQ) follows the common pattern we have written about many times before: it scrambles your files with an encryption key known only to the crooks, and then offers to sell you back the key.

Interestingly, to distract your attention while the ransomware is doing its thing, and to give the impression that the .SCR file you just ran was a document after all, the malware fires up Microsoft Word and opens up what’s known as a decoy document that is hidden inside the malware:

There are no grammatical errors in this one, because the crooks simply ripped it off from Google (who, ironically, ended up in hot water because the new privacy policy was too vague):

What to do?

We’ve published an article entitled How to stay protected against ransomware to help you out with the ransomware part of this story:

Don’t forget, however, that the crooks behind a campaign like this can vary their malware payload whenever they like.

All they have to do is to change the contents of the ZIP file on one or more of the hacked computers from which they are “borrowing” bandwidth and server space.

They can vary the malware they serve up based on the time, your location, the browser you’re using, the operating system version you’re running, all of which are typically given away by your browser when you click a link.

(Even if that data weren’t provided as a matter of course by your browser, remember that, in this case, the crooks already know where you live.)

Consider the following precautions:

  • Block or quarantine unusual file combinations at your email and web gateways, such as SCR-inside-ZIP files. In the unlikely event that someone you know asks you to trust a peculiar file of that sort, consider contacting them personally, for example by phone, to make sure it really came from them.
  • Don’t rely on contact information provided along with a suspicious invoice to investigate whether the content is suspicious. Use a search engine or existing correspondence from the company to figure out which phone numbers or email addresses to use.
  • Keep in mind that phishing emails don’t become legitimate simply by avoiding glaring errors. Targeted attacks don’t need a lot of personal information to look believable – and, anyway, the crooks can avoid language errors simply by ripping off professional writing from legitimate companies.
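The first precaution above, and the earlier point that a .SCR inside a ZIP is a program rather than a document, can be enforced with a small archive inspector at a mail or web gateway. This is an added example, not code from the article or from Sophos products; the executable-extension list, the nesting limit and the size cap are my own choices, and the sample archive is constructed in code (the “payload” members are plain text stubs, not real programs).

```python
import io
import os
import zipfile

# Extensions Windows runs as programs when double-clicked; screensavers are included
# because, as the article notes, an .SCR is just an ordinary executable.
EXECUTABLE_EXTENSIONS = {
    ".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".hta",
}

MAX_NESTED_BYTES = 10 * 1024 * 1024  # refuse to expand inner archives larger than this
MAX_DEPTH = 2                        # ZIP-in-ZIP-in-ZIP is enough; deeper is itself suspicious


def suspicious_members(zip_bytes: bytes, prefix: str = "", depth: int = 0) -> list[str]:
    """Return the paths of executable members in a ZIP, descending into nested ZIPs.

    Nested members are reported as outer.zip!/inner-name. Unreadable input yields [].
    """
    flagged: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return flagged
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            # Use the final extension only: "statement.pdf.scr" still runs as a program.
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                flagged.append(name)
            elif ext == ".zip" and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                inner = archive.read(info)
                flagged.extend(suspicious_members(inner, name + "!/", depth + 1))
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: hold any ZIP that carries an executable at any inspected depth."""
    return bool(suspicious_members(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed test archive mimicking the campaign's shape: an .SCR at the top level,
    a harmless text file, and a nested ZIP hiding a double-extension .scr."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("statement.pdf.scr", b"not a real program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_0414.SCR", b"not a real program")
        z.writestr("readme.txt", b"plain text")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for member in suspicious_members(sample):
        print("executable inside archive:", member)
    print("quarantine:", should_quarantine(sample))
```

The inspector deliberately trusts nothing about the member names beyond their final extension, caps how deep and how large a nested archive it will expand (so a crafted archive cannot exhaust the gateway), and treats an unparseable ZIP as having nothing to report rather than crashing; a production gateway would more likely quarantine unparseable attachments too, and would pair this with content sniffing of the member bytes, since an attacker controls the file names.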

If in doubt…chuck it out.

By the way, if you’re still not convinced that cybercrooks and malware are a problem in the Linux world, have a listen to our When Penguins Attack podcast:

