Sorpresa! JasperLoader targets Italy with a new bag of tricks

Threat Research

Nick Biasini and Edmund Brumaghin authored this blog post.

Over the past few months, a new malware loader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the functionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity associated with these campaigns halted. But after several weeks of relatively low volumes of activity, we discovered a new version of JasperLoader being spread. This new version features several changes and improvements from the initial version we analyzed. JasperLoader is typically used to infect systems with additional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise negatively impact organizations.

The attackers behind this specific threat have implemented additional mechanisms to control where the malware can spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There’s also a new command and control (C2) mechanism to facilitate communications between infected systems and the infrastructure being used to control them. The campaigns that are currently distributing JasperLoader continue to target Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers behind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce sophistication that is not commonly seen in financially motivated malware.

GDPR One Year On: What Have We Learned?

It has been an eventful year since the EU’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. One of the biggest impacts of the GDPR has been the way in which it has altered the conversation about data privacy. Data privacy has become an increasingly global issue, and the GDPR and similar regulations have been a forcing factor in getting companies and countries to begin taking customer privacy more seriously and strengthening their risk posture.

A new Cisco white paper, Privacy Gains: Business Benefits of Privacy Investment, co-authored with the Beacon Research Group, looks at the ways privacy is driving value for enterprises worldwide, beyond complying with regulatory standards. The paper analyzes and details the benefits of privacy and contemplates the future state of data privacy.

Based on global survey data from the Cisco 2019 Data Privacy Benchmark Study, and Beacon’s qualitative conversations with select data privacy leaders worldwide, the paper identifies the top business benefits realized through privacy investments, including better agility and innovation, operational efficiencies, competitive advantage, and fewer, less costly data breaches. As one CEO put it, “Good privacy and being compliant can vastly reduce the risk of a data breach.”

The paper also sheds light on the challenges that privacy professionals face across disparate geographies and how they see privacy creating value. Our conversations with business leaders reveal that privacy-related sales delays are frequently caused by issues or misalignment during the vendor contracting process. Specifically, when companies’ privacy practices or policies are subpar, or they are unwilling to share their current practices, the result can be delays in contract signing or even product redesigns. Furthermore, privacy leaders across the globe clearly articulated the ways in which privacy creates business value for their organizations, and the message is clear: good privacy is good for business.

Our Recommendations

Invest in a comprehensive privacy program and determine the outcomes you want. Then figure out how to curate data to help achieve your business objectives. Untended and uncurated assets can become liabilities. When you actively curate data, you not only achieve compliance, but also efficiency, effectiveness and profitability.

Embed privacy-awareness into your culture using employee training and awareness programs to communicate the value of privacy to all levels of your organization.

Be transparent and accountable. Demonstrate your commitment to protecting and respecting personal data, no matter where it comes from or where it flows.

For a look at Cisco’s eventful privacy journey over the past few years, check out this infographic.

More Information

Cisco and Beacon Privacy Gains White Paper

Cisco 2019 Data Privacy Benchmark Study

Cisco Data Protection and Privacy

Google stored some passwords in plain text for 14 years

Oops, Google said on Tuesday: you know that domain administrator’s tool to reset passwords in the G Suite enterprise product? The one we implemented back in 2005, as in, 14 years ago?

We goofed, Google said. The company’s been storing copies of unhashed passwords – as in, plaintext, unencrypted passwords – all this time.

From a blog post written by Google vice president of engineering Suzanne Frey:

We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards.

Only a small number of enterprise customers were affected, she said, though Google hasn’t put a number on it. People using the free, consumer version weren’t affected. Google’s notified a subset of its enterprise G Suite customers that some of their passwords were stored in plaintext in its encrypted internal systems.

Frey said that no harm came of it, as far as Google can ascertain, and it’s since been fixed:

To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.

How it’s supposed to work

The way Google typically handles passwords is by scrambling them with a hashing algorithm so humans can’t read them. It then stores hashed passwords along with their usernames. Then, both usernames and hashed passwords are encrypted before being saved to disk.

The next time a user tries to sign in, Google again scrambles their password with the same hashing algorithm. If the result matches the stored string, Google knows you must have typed the correct password, so your sign-in can proceed.

As Frey explained, the beauty of hashing is that it’s one-way: scrambling a password is easy, but it’s nearly impossible to unscramble it. So, if someone gets your scrambled password, they won’t be able to backtrack to your real password. Presuming, that is, that it’s also been salted. A salt is a random string added to a password before it’s cryptographically hashed.

The salt isn’t a secret. It’s just there to make sure that two people with the same password get different hashes. That stops hackers from using rainbow tables of pre-computed hashes to crack passwords, and from cross-checking hash frequency against password popularity. (In a database of unsalted hashes, the hash that occurs most frequently is likely to be the hashed version of the notoriously popular “123456”, for example.)

The downside of that one-way password hashing street is that you’re out of luck if you forget your password: Google can’t help you out by unscrambling your password for you. What it can do is to reset your password to a temporary password, make it valid only for one-time use, and then require you to pick a new one.

That’s the way it should work, anyway, though we’ve seen plenty of cases where forgetful users get emailed their plaintext password: an indication that their passwords are being stored, in plaintext, unsalted and unhashed.
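As an added illustration of the hash, salt and verify flow described above (example code written for this digest, not Google’s implementation; the sample users and the PBKDF2 parameters are constructed for the demonstration):

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Optional

# Constructed sample credentials for the demonstration (not real data). Three
# users share "123456", the pattern the article says unsalted hashes expose.
SAMPLE_PASSWORDS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "123456",
    "erin": "hunter2",
}

# PBKDF2 work factor chosen for this example; production values are tuned
# to the hardware in use and revisited over time.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical inputs give identical outputs."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn per password, so two users who choose the
    same password end up with unrelated records, and precomputed tables of
    common-password hashes no longer apply.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the one-way function with the stored salt and compare digests.

    The stored value is never 'unscrambled'; the candidate is hashed the same
    way and compared in constant time so a mismatch does not leak its position.
    """
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_unsalted_db() -> Dict[str, str]:
    """What a naive store looks like: one SHA-256 per user, no salt."""
    return {user: unsalted_hash(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def build_salted_db() -> Dict[str, str]:
    """What a salted store looks like: one PBKDF2 record per user."""
    return {user: hash_password(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def most_common_hash_count(records: Dict[str, str]) -> int:
    """Size of the largest group of users sharing one stored value.

    In the unsalted store the "123456" trio is visible without cracking
    anything; in the salted store every record is distinct.
    """
    return Counter(records.values()).most_common(1)[0][1]


if __name__ == "__main__":
    unsalted = build_unsalted_db()
    salted = build_salted_db()
    print("unsalted store, users sharing the top hash:", most_common_hash_count(unsalted))
    print("salted store,   users sharing the top hash:", most_common_hash_count(salted))
    print("alice / 123456 verifies:", verify_password("123456", salted["alice"]))
    print("alice / 123457 verifies:", verify_password("123457", salted["alice"]))
```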

Goodbye, handy dandy password recovery tool

To avoid storing passwords in plaintext, and to still be able to help out users who’ve forgotten their passwords, Google in 2005 introduced a tool for password setting and recovery to G Suite.

The tool, located in the admin console, enables admins to upload or manually set user passwords for their company’s users. Google’s intent behind introducing the tool was to help with onboarding of new users, such as when a new employee needs an account on the first day they start work, and also for account recovery.

Well, we can kiss that goodbye. Google’s removed the feature.

But wait, there’s more: Google says that when it was troubleshooting its new G Suite customer sign-up flows, it discovered that starting in January 2019, it also inadvertently stored a subset of unhashed passwords in its secure encrypted infrastructure. The passwords were there for, at most, 14 days. That glitch has also been fixed. And like the other glitch, this second one apparently didn’t lead to anybody getting at the passwords.

Sorry, Google said: we’ll try to ensure this is an isolated incident.

So not isolated in the broader scheme of password storage

Unfortunately, it’s not all that isolated on the broader scale of tech giants – or little guys, for that matter – storing passwords unencrypted, in plain text. In March, user data acquired via Facebook by third-party apps was found lying around in the cloud.

Initially, the damage was said to involve hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram users.

Whoops – make that millions of Instagram users, Facebook went on to say in April, as in, 100x more than we thought.

The moral of the story is that tech behemoths like Google and Facebook sometimes screw up and store passwords in plaintext, which makes it a pretty good bet that any other smaller online service that employs less slick technology and far fewer security engineers might very well slip up and do the same, be it by mistake or because they don’t know any better.

Plaintext passwords = bad. Plaintext passwords = not all that uncommon.

Therefore, two-factor authentication (2FA) = a good way to save your bacon. Slather it on everywhere you can: 2FA, or U2F (Universal 2nd Factor) security keys, mean that a password alone isn’t enough for crooks to raid your account.

Tor Browser for Android 8.5 offers mobile users privacy boost

After nine months of alpha testing, a stable release of the Tor browser for Android can now be downloaded from Google’s Play store or direct from the Project’s website.

Tor’s been available in Windows, Mac and Linux versions for years, but the appearance of Tor Browser for Android 8.5 is still an important jump towards the mainstream for a browser whose user base is still dominated by in-the-know privacy enthusiasts.

As the Tor Project release notes remind us:

Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet. In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.

The point of Tor Android is that users should get exactly the same level of privacy and anonymisation they would when using the desktop versions.

Apart from a few gaps that need to be ironed out, the list of protections in 8.5 includes:

Site isolation, which stops third-party trackers from ‘following’ users from site to site.
Anti-surveillance – anyone monitoring the connection (an ISP, say) can see the user is connecting to Tor but not which websites they end up viewing.
Anti-fingerprinting – unlike most mainstream browsers, Tor for Android should make it a lot harder for websites to track users by noticing unique characteristics of their browser and device.
Tor encrypts all traffic, routing it through at least three dedicated relays before it reaches its destination.
The ability to visit sites an ISP might be blocking (a feature useful in countries where official censorship is an issue) and Tor sites with special Onion addresses.
Tor also bundles extensions such as HTTPS Everywhere and NoScript.

Limitations

As with desktop versions, Tor for Android is based on Firefox version 60.7, which does have some implications – as Tor users found out a few weeks back when a glitch at the Mozilla end temporarily disabled NoScript.

Using Tor for Android is also going to be slower than other mobile browsers, both during session set-up, when it establishes its connection, and while browsing. Some page elements might not work, most obviously when the browser is configured via Security Settings to the ‘safest’ security level, which blocks media, images and video.

Orfox and Orbot

Until now the only way to use the Tor network on Android was by using Orfox or Orbot.

Orfox will now be superseded by Tor for Android, while Orbot, which offers slightly different features, will continue its separate development.

Mozilla fixes bugs, improves privacy in latest Firefox release

Mozilla rolled out version 67 of its Firefox browser this week, fixing some security bugs and introducing a host of privacy features.

The latest release fixes two critical security flaws, both affecting memory safety.

Mozilla also fixed 11 high-impact flaws, six moderate ones, and two low-impact ones in the release.

High-impact bugs include CVE-2019-9815, which enables a side channel attack in which one program can steal information from another on a Mac. To fix this, Mozilla uses an Apple option to switch off hyperthreading.

Mozilla also fixed several high-impact bugs that could cause the browser to crash, potentially enabling an attacker to exploit system instability. These included a flaw in the program’s image processor that could allow a malformed PNG image to destabilize it, and other bugs in the browser’s event listener manager and its implementation of XMLHttpRequest (a commonly used feature on Ajax web sites that constantly send data between the server and the browser).

There were also a couple of bugs specific to different operating systems. A bug in WebGL could cause buffer overflows in some Linux graphics drivers. Another bug in the Windows version allows attackers to exploit the browser’s built-in crash reporter and escape the sandbox that it uses to protect the host computer from browser processes.

The latest release also features the fingerprint blocking technology that Naked Security covered in March. This technique, borrowed from the Tor implementation of the Firefox browser, prevents trackers from using information such as your browser’s resolution and colour depth to uniquely identify you across different websites.

You can now also make Firefox check for cryptominers on the websites that it visits. These are pieces of JavaScript embedded in a website’s code that force your computer to mine for cryptocurrency, often without your knowledge. Attackers who compromise a web site with this code can tie up your computing resources in their pursuit of digital currency, normally opting for the anonymity-focused Monero.

In the latest edition of Firefox, you can reach these options by clicking the small ‘i’ icon in the address bar, and then under Content Blocking, clicking on the gear symbol on the right. This will let you select these options individually.

Firefox also added other privacy features including the ability to disable individual browser extensions and save passwords in private browsing mode.

The city of Baltimore is being held hostage by ransomware

The US city of Baltimore has been partially paralyzed since 7 May, when a ransomware attack seized parts of the government’s computer systems.

As soon as the city discovered that it had been attacked, it informed the FBI and took its systems offline in an effort to keep the infection from spreading.

But not before the attack took down voicemail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. Real estate transactions were also shut down.

It was lousy timing, given that this is one of the real estate industry’s busiest times of the year. The Baltimore Sun reported that hundreds of property sales could have been affected: A real estate agent with access to industry data told the newspaper that at least 1,500 sales were pending in Baltimore.

But a sliver of good news came on Monday, when Mayor Bernard Young’s office announced that the city had developed a manual workaround that would allow real estate transactions to resume during the outage.

On Friday, the mayor’s office had said that the city is “well into the restorative process.” The work includes rebuilding some systems in a way that will ensure that when business functions are restored, they’ll be functioning securely.

According to Fox News, a recent analysis of the city’s cybersecurity defenses found that the network was “out of date in terms of security, staffing, and infrastructure to prevent attacks.”

Unlike both Greenville and Atlanta – which was hit by a SamSam attack last year – Baltimore doesn’t have an insurance policy to cover cybersecurity incidents. Baltimore’s head of computer security reportedly told City Council members last year at a budget hearing that the city needed one, but it didn’t happen.

Expect that to change: a spokesman for Young told the Baltimore Sun that the mayor has now directed the city’s finance and law departments to get coverage.

A long mop-up

In Friday’s update, Mayor Young’s office said that it could take months to restore all services. From the media release:

I am not able to provide you with an exact timeline on when all systems will be restored. Like any large enterprise, we have thousands of systems and applications.

The city has established a web-based incident command, shifted operations into manual mode and established other workarounds to keep delivering services.

The ransom: 13 Bitcoins for all you can eat

Baltimore has a choice: it can spend months getting its technology back online, or it can give in to the attackers’ demands. 13 Bitcoins – worth about US $100,000 – is now standing between Baltimore and what would purportedly be a full restore of its systems. Mayor Young told local reporters on Monday that the city might pay up at some point, but at this point, that’s a negative:

Right now, I say no.

But in order to move the city forward, I might think about it.

Ransomware galore

In recent months, we’ve covered several severe attacks, including one in which the malware author behind a new type of ransomware called MegaCortex geeked out and distracted victims with Matrix film references.

We saw another attack at the beginning of the year, against a slew of US newspapers, that delayed their publication. And then in February, a targeted attack against a hospital involved two GandCrab ransomware attacks.

What to do?

Defending against a determined, targeted attack demands defense in depth, and, as in many things, prevention is better than cure. That starts with ensuring that access to RDP (Remote Desktop Protocol) is secure and finishes with regular, comprehensive, off-site backups, with much else in between.

To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.

Fortunately, the same advice that we gave to help to protect from SamSam will also help against ransomware – and cybercrime – in general, so please revisit it now.

We also urge you to read the SophosLabs 2019 Threat Report, in which Sophos researchers analyze the state of play in cybercrime today, including a section on ransomware.

Finally, visit sophos.com to read more about anti-ransomware technologies, including Sophos Intercept X.

Fake cryptocurrency apps crop up on Google Play as bitcoin price rises

ESET researchers have analyzed fake cryptocurrency wallets emerging on Google Play at the time of bitcoin’s renewed growth

May 2019 has seen bitcoin growing, with its price climbing to its highest points since September 2018. Not surprisingly, cybercrooks were quick to notice this development and started upping their efforts in targeting cryptocurrency users with various scams and malicious apps.

One such app was recently spotted on Google Play by Reddit users, impersonating the popular hardware cryptocurrency wallet Trezor and using the name “Trezor Mobile Wallet”. We haven’t previously seen malware misusing Trezor’s branding and were curious about the capabilities of such a fake app. After all, Trezor offers hardware wallets that require physical manipulation and authentication via PIN, or knowledge of the so-called recovery seed, to access the stored cryptocurrency. Similar constraints apply to its official app, “TREZOR Manager”.

Analyzing the fake app, we found that:

- it can’t do any harm to Trezor users, given Trezor’s multiple security layers;
- it is connected to a fake cryptocurrency wallet app named “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether”, which is capable of scamming unsuspecting users out of money; and
- both these apps were created based on an app template sold online.

We have reported the fake Trezor app to Google’s security teams and reached out to Trezor about the publication of this blogpost. Trezor confirmed the fake app did not pose a direct threat to their users. However, they did express concern that the email addresses collected via fake apps such as this one could be later misused for phishing campaigns targeted against Trezor users.

At the time of writing, neither the fake Trezor app nor the Coin Wallet app are available on Google Play.

The app masquerading as a mobile wallet for Trezor was uploaded to Google Play on May 1, 2019 under the developer name “Trezor Inc.”, as seen in Figure 1. Overall, the app’s page on Google Play appeared trustworthy – the app name, developer name, app category, app description and images all seem legitimate at first glance. At the time of our analysis, the fake app even came up as the second result when searching for “Trezor” on Google Play, right after Trezor’s official app.

Figure 1. The fake app on Google Play

What does it do?

The convincing disguise, however, begins and ends on Google Play. After installation, the icon that appears on users’ screens differs from the one seen on Google Play, which serves as a clear indicator of something fishy. The icon of the installed app has “Coin Wallet” in it, as seen in Figure 2.

Figure 2. The icon of “Trezor Mobile Wallet” after installation

Furthermore, when users launch the app, a generic login screen is displayed, with no mention of Trezor, as seen in Figure 3. This is another indicator we are not dealing with a legitimate app. This generic screen is used to phish for login credentials – but it is unclear exactly what credentials, and what possible use they could be to attackers. Either way, whatever users enter into the fake login form is sent to the attacker’s server, as shown in Figure 4.

Figure 3. The generic login screen displayed by the fake app

Figure 4. The entered credentials are sent to the attacker’s server

As seen in Figure 4, the server used to harvest credentials from the fake Trezor app is hosted on coinwalletinc[.]com. Looking into the domain led us to another fraudulent app, named “Coin Wallet” on its website and “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether” on Google Play. This app is described in the following section of this blogpost.

The Coin Wallet app and the fake Trezor app described in the previous section have a lot in common – besides using the same server, they also overlap in code and interface. The Coin Wallet app uses the same icon that we have seen in the fake Trezor app after installation.

On its website, the Coin Wallet app is described as the “World’s leading Coin Wallet”, as seen in Figure 5.

Figure 5. The Coin Wallet app’s deceptive presentation on its website

The website contains a link to Google Play, where the app was available from February 7, 2019 until May 5, 2019 under the name “Coin Wallet – Bitcoin, Ripple, Ethereum, Tether”, as seen in Figure 6. During that time, it was installed by more than 1000 users.

The website also appears to link to Apple’s App Store, but clicking the “Available on the App Store” button only leads to the URL of the PNG image.

Figure 6. The fraudulent Coin Wallet app on Google Play

What does it do?

The app claims it lets its users create wallets for various cryptocurrencies. However, its actual purpose is to trick users into transferring cryptocurrency into the attackers’ wallets – a classic case of what we named wallet address scams in our previous research of cryptocurrency-targeting malware.

How this works is that the app pretends to generate a unique wallet address where users can transfer their coins. In reality, this address belongs to the attackers’ wallet, as only they have the private key necessary for accessing the funds. The attackers have one wallet for each supported cryptocurrency – 13 wallets altogether – and all victims with any specific targeted cryptocurrency are given the same wallet address.

Looking at the shared graphic elements of this and the fraudulent Trezor app, it seems that both have been created on the same basis. A Google search for “coinwallet app template” returns a generic “Android cryptocurrency wallet template” available for $40. The template itself is a benign asset turned malicious in the hands of attackers; however, we see here how such assets may be used by more attackers to create deceptive apps quickly and cheaply.

If bitcoin continues its growth trend, we can expect more cryptocurrency scam apps to emerge in the official Android app store and elsewhere. When installing apps, it is important to stick to some basic security principles – even more so when money is at stake.

- Only trust cryptocurrency-related and other finance apps if they are linked from the official website of the service.
- Only enter your sensitive information into online forms if you are certain of their security and legitimacy.
- Keep your device updated.
- Use a reputable mobile security solution to block and remove threats.

Package Name | Hash | Detection
com.trezorwalletinc.cryptocurrency | 0021A89588C8CEB885A40FBCCA6DD76D | Trojan.Android/FakeApp.KO
com.walletinc.cryptocurrency | EE9E4AD693A0F0C9971145FB0FB0B85C | Trojan.Android/FakeApp.KO

23 May 2019 – 11:30AM

Legal Threats Make Powerful Phishing Lures

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.}

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.
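Added example (not from the KrebsOnSecurity post or the kit itself): Python that compiles the spintax template above into a single detection regex, so a mail filter can flag any of the renderings the kit’s user could pick, and counts how many renderings that one rule covers. The two sample messages are constructed for the demonstration.

```python
import re
from typing import List

# Spintax template as quoted on the page: each {a | b | c} group is one slot
# that the kit's user fills with a single option.
TEMPLATE = """{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.}

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456"""

SPIN_GROUP = re.compile(r"\{([^{}]*)\}")


def _options(group_body: str) -> List[str]:
    """Split one {...} group on '|' and trim the stray spaces around options."""
    return [opt.strip() for opt in group_body.split("|")]


def _fixed(text: str) -> str:
    """Escape literal template text, letting any whitespace run match any other."""
    return r"\s+".join(re.escape(tok) for tok in re.split(r"\s+", text))


def variant_count(template: str) -> int:
    """Number of distinct messages the template can render (product of slot sizes)."""
    n = 1
    for m in SPIN_GROUP.finditer(template):
        n *= len(_options(m.group(1)))
    return n


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn the template into one case-insensitive regex covering every rendering.

    Fixed text becomes escaped literals; each slot becomes a non-capturing
    alternation of its options, so the invariant wording is the signature.
    """
    parts = []
    pos = 0
    for m in SPIN_GROUP.finditer(template):
        parts.append(_fixed(template[pos:m.start()]))
        parts.append("(?:" + "|".join(_fixed(o) for o in _options(m.group(1))) + ")")
        pos = m.end()
    parts.append(_fixed(template[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


KIT_PATTERN = template_to_regex(TEMPLATE)


def matches_kit(body: str) -> bool:
    """True if an email body contains a rendering of this kit's template."""
    return KIT_PATTERN.search(body) is not None


# Constructed sample messages (not real mail): one rendering of the kit, and
# one unrelated note from a law firm that shares some of the same words.
KIT_SAMPLE = """From: Wiseman & Assoc.

Hi,

The following mail is to advise you that you are being charged by the city.

Our legal council has prepared a document explaining the legal contset.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456"""

BENIGN_SAMPLE = """Hi,

Attached is the signed engagement letter we discussed. Please review the
document carefully and reply within 7 days.

Regards,
Pullman & Assoc."""


if __name__ == "__main__":
    print("renderings covered by one rule:", variant_count(TEMPLATE))
    print("kit sample flagged:", matches_kit(KIT_SAMPLE))
    print("benign sample flagged:", matches_kit(BENIGN_SAMPLE))
```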

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — wpslaw.com — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and more formally address the recipient doing quite well: Legitimate-looking legal threats have a way of making some people act before they think.

Don’t be like those people. Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and reach out to them over the phone if need be. And resist the urge to respond to these spammers; doing so may only serve to encourage further “mailious” correspondence.

KrebsOnSecurity would like to thank Hold Security for a heads up on this phishing kit.

Legal Threats Make Powerful Phishing Lures

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

On or around May 12, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.}

Hi,

The following {e-mail | mail} is to advise you that you are being charged by the city.

Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.

Please download and read the attached encrypted document carefully.

You have 7 days to reply to this e-mail or we will be forced to step forward with this action.

Note: The password for the document is 123456

The template above was part of a phishing kit being traded on the underground, and the user of this kit decides which of the options in brackets actually get used in the phishing message.

Yes, the spelling/grammar is poor and awkward (e.g., the salutation), but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this trojan have been associated with ransomware, but the attackers in this case can use the trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — wpslaw.com — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customized or convincing. But I could see a kit that tried only slightly harder to get the grammar right and more formally address the recipient doing quite well: Legitimate-looking legal threats have a way of making some people act before they think.

Don’t be like those people. Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and reach out to them over the phone if need be. And resist the urge to respond to these spammers; doing so may only serve to encourage further “mailious” correspondence.

KrebsOnSecurity would like to thank Hold Security for a heads up on this phishing kit.