Millions of Amazon Users Targeted with Locky Ransomware via Phishing Scams
Amazon users are advised to be on the lookout for a massive phishing campaign that targets them. According to reports, users of the popular e-commerce platform are being emailed Microsoft Word documents containing macro code that downloads Locky, a ransomware variant discovered in February.
Research from Comodo Threat Research Labs said details of Amazon users have been phished with fake emails claiming to be from the eCommerce giant, with a sender address firstname.lastname@example.org and subject line “Your Amazon.com Order Has Dispatched (#code).”
The email itself has no content, apart from a Microsoft Word document included as an attachment. The Word document is blank and only contains macros, a set of codes designed to automate frequently used tasks in applications. Given their potentially harmful nature, macros are disabled by default in Microsoft Office products.
Recipients of the infected file are unknowingly prompted to enable the contents of the document, after which an executable file will be fetched from the web and then run. Comodo’s researchers have identified the payload to be the Locky ransomware.
Locky (detected by Trend Micro as Ransom_LOCKY.A) encrypts files that match its long list of extensions, some of which comprise media and source code files as well as Office and PDF documents, and even the user’s bitcoin wallet data. It also terminates the computer’s ‘shadow copy,’ a built-in Windows feature that automatically backs up copies or snapshots of the computer’s files. It can also encrypt files on any mounted drive it can access, such as removable drives and network shares (viz. servers and other attached computers running Windows, Linux and OS X).
The malware appends a .locky extension to the encrypted files, after which it changes the desktop wallpaper into an image that serves as the ransom note, informing the victim that the files have been held hostage. HTML files containing the same warning are left in all folders where there is an encrypted file. The victim is then instructed to make a payment via Tor network in order to get the files back, with payments ranging between 0.5 and 1 bitcoin ($235–$470 as of May 26, 2016).
Comodo’s alert said the phishing campaign started last May 17th and lasted for 12 hours, and is estimated to have sent out as much as 30 million spam messages claiming to be an Amazon.com shopping order update, while security firm Proofpoint estimated that these spam messages were sent to 100 million emails. The report also noted the campaign used botnets running on hijacked virtual and consumer machines.
[From the Security Intelligence Blog: Locky Ransomware Spreads via Flash and Windows Kernel Exploits]
Despite its relatively recent entrance to the ransomware scene, Locky gained notoriety when it crippled the Hollywood Presbyterian Medical Center and compelled the hospital to pay $17,000. It has since infected systems far and wide, including a spate of attacks on healthcare facilities in the U.S., the HQ of India’s Maharashtra government, Australia Post consumers, the Whanganui District Health Board in New Zealand and organizations in Hong Kong such as The Chinese University of Hong Kong’s Faculty of Medicine.
ESET’s Ondrej Kubovič noted that the European countries with the most significant increase in detection rates were Luxembourg (67%), Czech Republic (60%), Austria (57%), Netherlands (54%) and the UK (51%). Japan, New Zealand and Australia are experiencing a similar increase at 71%, 53% and 45%, respectively (as of May 25, 2016).
The United States Computer Emergency Readiness Team (US-CERT) recommends that individual users and organizations take preventive measures to protect their devices and network such as employing regular data back-up and recovery plan, disabling macros for files received via email and being cautious of unsolicited emails, especially those with suspicious attachments. Amazon also has a Help page where its customers can report phishing scams.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.