New email phishing/trojan technique I've come across

DocSavage (2[H]4U, joined Dec 18, 2002, 2,409 messages)
Below is the email I just got from my CFO after she tried to open the attachment -- on which I have macros blocked via group policy.

From: [email protected] <gcromwell@actualthirdparty.com>
Date: Wed, Feb 1, 2017 at 9:23 AM
Subject: FW: Re: invoice #31024244
To: [email protected]


My company just got this from ourcompany.org.
Can you confirm this invoice was really issued by you?

Invoice #31024244 (This file had a link of
http://www.timeconsulting.co.th/api/get.php?id=base64string)
Thanks

George Cromwell
Senior Accountant
Tel: 443-261-6163
Fax: 443-261-5725

Anyway, having Office macros blocked in group policy saved us, as neither our Trend Micro AV nor Gmail had a problem with it. Also note that the wording of the email was good enough to get a higher-up end user to open the file. Just wanted to warn you guys out there.

The virustotal scan of the file is here: https://www.virustotal.com/en/file/...cfacd612c05618b576988a67acc7be9a145/analysis/
 
A person being "higher up" doesn't mean they have common sense.

You don't open an attachment from someone you don't know. Not to mention if you aren't the accountant then you wouldn't even have a reason to be receiving an invoice from anyone outside of the company.

On top of that they gave the invoice number in the email. You don't have to open the attachment to verify it is in fact from your company. You simply look in your own records.

This is why I also disable links.
 
A person being "higher up" doesn't mean they have common sense.

You don't open an attachment from someone you don't know. Not to mention if you aren't the accountant then you wouldn't even have a reason to be receiving an invoice from anyone outside of the company.

On top of that they gave the invoice number in the email. You don't have to open the attachment to verify it is in fact from your company. You simply look in your own records.

This is why I also disable links.
All very true. The user is Chief Financial Officer here, so she is the head accountant. She claimed that we have dealings with the company the email spoofed. It's just the latest iteration in trying to get people to open the trojan file -- and it freaking worked so far as that goes.
 
How is this new? This is basic spear phishing and most certainly not new.
 
How is this new? This is basic spear phishing and most certainly not new.
Well I thought it was clever that it looked like a reply from a real person, so it's not as obvious a scam as one telling you to check an invoice or whatever. It was also interesting that there wasn't even an attached file, but a link to a server, so your email system wouldn't even catch anything unless it actively blocks html links.

Sorry to waste your time.
 
Well I thought it was clever that it looked like a reply from a real person, so it's not as obvious a scam as one telling you to check an invoice or whatever. It was also interesting that there wasn't even an attached file, but a link to a server, so your email system wouldn't even catch anything unless it actively blocks html links.

Sorry to waste your time.

Wasn't a waste of time at all, just a bit of an eye opener for people to block HTML links in outlook too.
 
There is no waste of time, but you seemed surprised by this fairly common technique. It is generally used against specific targets, which means the attacker has some knowledge of your company. I would suggest putting your user population on alert and being on the lookout for additional attacks. I will add that if you had used content filtering to block known malicious sites, it would have been blocked. That site has been known to be malicious since at least May of 2016. Best practices include content filtering that blocks known malicious and unknown / uncategorized sites. If you are not using content filtering, this should be your wake-up call. You may want to look at sandboxing also.
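The two points raised in this thread, a link in the body instead of an attachment and a content filter that holds uncategorized hosts and blocks known-bad ones, can be checked at the mail gateway. The script below is an added example, not code from the thread or from any product mentioned in it; the sample message, the hostnames and the category sets are constructed stand-ins for the real lure and for a filter's category feed.

```python
"""Triage an invoice-themed lure like the one in this thread: pull links out of
the body, compare each link host with the sender's domain, and apply a simple
content-filter policy (block known bad, allow categorized, hold the rest)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-ins for a content-filter category feed (hypothetical data).
KNOWN_BAD = {"lure-host.example"}
KNOWN_GOOD = {"actualthirdparty.example", "ourcompany.example"}

URL_RE = re.compile(r"https?://[^\s<>()'\"]+")

def link_hosts(body):
    """Return the set of hostnames linked from a plain-text body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:  # skip malformed URLs with no host part
            hosts.add(host.lower())
    return hosts

def classify_host(host):
    """Mimic the filter policy the thread recommends."""
    if host in KNOWN_BAD:
        return "block: known malicious"
    if host in KNOWN_GOOD:
        return "allow: categorized"
    return "hold: uncategorized"

def triage(raw):
    """Return a list of reasons the message would be held; empty means clean."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    subject = msg["Subject"] or ""
    findings = []
    # "FW: Re:" plus "invoice" is the reply-to-a-real-person lure shape seen above.
    if re.match(r"(?i)(fw|re):\s*(fw|re):", subject) and "invoice" in subject.lower():
        findings.append("subject: forwarded-reply invoice lure pattern")
    for host in sorted(link_hosts(msg.get_payload())):
        if not host.endswith(sender_domain):
            findings.append(f"link {host}: host differs from sender domain {sender_domain}")
        verdict = classify_host(host)
        if not verdict.startswith("allow"):
            findings.append(f"link {host}: {verdict}")
    return findings

SAMPLE = """From: George Cromwell <gcromwell@actualthirdparty.example>
Subject: FW: Re: invoice #31024244

My company just got this from ourcompany.example.
Can you confirm this invoice was really issued by you?
Invoice #31024244 http://lure-host.example/api/get.php?id=ZmFrZQ==
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```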
 