Various Malware Including Crypto Ransomware Now Used in Email Phishing Scams
Crypto ransomware has now eclipsed botnets as one of the biggest threats to enterprises—especially when it comes to email-related schemes. The FBI recently released an advisory to businesses and organizations about SAMSAM, a ransomware variant known to encrypt files on the infected machine, but files across the network as well.
In the past, spear phishing, a targeted form of phishing designed to trick a specific person into divulging access credentials or clicking on malicious links, has largely been employed by espionage campaigns. But things have changed. According to the FBI, cybercriminals used spear phishing schemes on 17,642 victims in 2013, causing an estimated $2.3 billion in damages.
[READ: SAMSAM Hits Healthcare Industry]
Recently, it has been reported that a threat actor group named TA530 has been targeting executives and other high-level employees in an attempt to compromise their machines with various malware. The group is known to use CryptoWall, a ransomware variant that encrypts valuable data and demands a hefty fee to decrypt the files. Other threats in their malware arsenal include the Ursnif ISFB banking trojan and Ursnif/RecoLoad — a point-of-sale (PoS) reconnaissance trojan that's used to target retail and hospitality industries.
These spear phishing attacks use spoofed emails, where the attacker first sends an email pretending to be from the CFO to a manager or someone from the finance department. If the employee responds, the attackers will stage a malicious funds transfer request after gathering information from the victim. The attacker will then prompt the victim to transfer the funds to a bank account using the language they phished from the email threads. There are also other cases of scammers impersonating supplier companies and issuing fake invoices to the CFO. As soon as the funds are wired over, they are immediately moved to other accounts to make it difficult to track the transactions.
The BEC scheme also relies on an information-stealing malware normally sent to targets as email attachments, much like an ongoing campaign that uses a simple keylogger malware to cause substantial damage to its targets. In March 2015, Olympic Vision became the fourth malware used in a BEC campaign and was found to have targeted 18 companies in the US, Middle East, and Asia. In reported cases, Olympic Vision feigns legitimacy and urgency and is sent to an employee via an email attachment. Once opened, a backdoor is installed and infects the victim’s system and steals critical data.
Companies like Seagate, Snapchat, and Sprouts Farmer’s Market were among the businesses that were victimized by this type of scam. By the end of the same month, Pivotal Software, San Francisco-based software and services company was hit by a breach via a phishing scheme that leaked an undisclosed number of employee tax information.
The FBI also recommended that organizations use multi-factor authentication in their financial processes and to scrutinize communications involving financial business transactions. Victims are advised to inform both their banks and the FBI as soon as possible.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale