New email phishing/trojan technique I've come across

DocSavage (2[H]4U, joined Dec 18, 2002, 2,409 messages)
Below is the email I just got from my CFO after she tried to open the attachment. We have Office macros blocked via group policy.

From: gcromwell@actualthirdparty.com <gcromwell@actualthirdparty.com>
Date: Wed, Feb 1, 2017 at 9:23 AM
Subject: FW: Re: invoice #31024244
To: previousaccountantname@ourcompany.org


my company just got this from ourcompany.org.
can you confirm this invoice was really issued by you?

Invoice #31024244 (This file had a link of
http://www.timeconsulting.co.th/api/get.php?id=base64string)
Thanks

George Cromwell
Senior Accountant
Tel: 443-261-6163
Fax: 443-261-5725

Anyway, having Office macros blocked in group policy saved us, as neither our Trend Micro AV nor Gmail had a problem with it. Also note that the wording of the email was good enough to get a higher-up end user to open the file. Just wanted to warn you guys out there.

The virustotal scan of the file is here: https://www.virustotal.com/en/file/...cfacd612c05618b576988a67acc7be9a145/analysis/
 

bds1904 (Gawd, joined Aug 10, 2011, 1,007 messages)
Being "higher up" doesn't mean a person has common sense.

You don't open an attachment from someone you don't know. Not to mention that if you aren't the accountant, you wouldn't even have a reason to be receiving an invoice from anyone outside of the company.

On top of that they gave the invoice number in the email. You don't have to open the attachment to verify it is in fact from your company. You simply look in your own records.

This is why I also disable links.
 

DocSavage (2[H]4U, joined Dec 18, 2002, 2,409 messages)
bds1904 said:
Being "higher up" doesn't mean a person has common sense.

You don't open an attachment from someone you don't know. Not to mention that if you aren't the accountant, you wouldn't even have a reason to be receiving an invoice from anyone outside of the company.

On top of that they gave the invoice number in the email. You don't have to open the attachment to verify it is in fact from your company. You simply look in your own records.

This is why I also disable links.

All very true. The user is Chief Financial Officer here, so she is the head accountant. She claimed that we have dealings with the company the email spoofed. It's just the latest iteration in trying to get people to open the trojan file -- and it freaking worked so far as that goes.
 

DocSavage (2[H]4U, joined Dec 18, 2002, 2,409 messages)
How is this new? This is basic spear phishing and most certainly not new.

Well, I thought it was clever that it looked like a reply from a real person, so it's not as obvious a scam as one telling you to check an invoice or whatever. It was also interesting that there wasn't even an attached file, just a link to a server, so your email system wouldn't even catch anything unless it actively blocks HTML links.

Sorry to waste your time.
 

bds1904 (Gawd, joined Aug 10, 2011, 1,007 messages)
DocSavage said:
Well, I thought it was clever that it looked like a reply from a real person, so it's not as obvious a scam as one telling you to check an invoice or whatever. It was also interesting that there wasn't even an attached file, just a link to a server, so your email system wouldn't even catch anything unless it actively blocks HTML links.

Sorry to waste your time.

It wasn't a waste of time at all, just a bit of an eye-opener for people to block HTML links in Outlook too.
 

Nicklebon (Gawd, joined May 22, 2006, 700 messages)
There is no waste of time, but you seemed surprised by this fairly common technique. It is generally used against specific targets, which means the attacker has some knowledge of your company. I would suggest putting your user population on alert and being on the lookout for additional attacks. I will add that if you had used content filtering to block known malicious sites, it would have been blocked. That site has been known to be malicious since at least May of 2016. Best practices include content filtering that blocks known malicious and unknown/uncategorized sites. If you are not using content filtering, this should be your wake-up call. You may want to look at sandboxing also.
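The two points made above, DocSavage's that the lure carried no attachment but only a link (so attachment scanning never fires) and Nicklebon's that a web filter blocking malicious and uncategorized hosts would have stopped it, can be turned into a small triage script. This is an added example, not code posted by anyone in the thread. The message it parses is constructed to match the thread's description (the real email and the decoded meaning of its base64 `id` value are not known); the category feed, blocked-category set and former-mailbox list are invented placeholders standing in for a real proxy-vendor feed and a directory lookup.

```python
"""Triage an inbound message for the lure pattern described in this thread:
a forwarded-looking 'invoice' reply with no attachment, just a link to a PHP
endpoint carrying a base64 query value.

Added example, not code posted in the thread. SAMPLE_EML is constructed to
match the description; the category feed, blocked categories and former-mailbox
list are invented placeholders standing in for a real web-filter feed and
directory lookup.
"""
import base64
import binascii
import email
import re
from email import policy
from urllib.parse import parse_qs, urlparse

# Constructed sample message (not the real email from the thread).
SAMPLE_EML = b"""From: gcromwell@actualthirdparty.com
To: previousaccountantname@ourcompany.org
Subject: FW: Re: invoice #31024244
Content-Type: text/html; charset=utf-8

<p>my company just got this from ourcompany.org.<br>
can you confirm this invoice was really issued by you?</p>
<p><a href="http://www.timeconsulting.co.th/api/get.php?id=aW52b2ljZV8zMTAyNDI0NC5kb2M=">Invoice #31024244</a></p>
<p>Thanks</p>
"""

OUR_DOMAIN = "ourcompany.org"
# Assumption: a real deployment reads these from the proxy vendor's feed and the directory.
CATEGORY_FEED = {"actualthirdparty.com": "business",
                 "www.timeconsulting.co.th": "malicious"}
BLOCKED_CATEGORIES = {"malicious", "uncategorized"}
FORMER_MAILBOXES = {"previousaccountantname@ourcompany.org"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
REPLY_CHAIN_RE = re.compile(r"^(fw|fwd):\s*re:", re.IGNORECASE)


def extract_links(raw: bytes) -> list[str]:
    """Every http(s) URL in the text/html and text/plain parts, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            links.extend(URL_RE.findall(part.get_content()))
    return links


def decode_b64_params(url: str) -> dict[str, str]:
    """Query parameters whose value is well-formed base64 that decodes to text.
    Download gates often use such a value as a per-target tracking or payload id."""
    decoded = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for value in values:
            try:
                decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue
    return decoded


def category_of(host: str) -> str:
    """Web-filter category; anything the feed has never seen is 'uncategorized'."""
    return CATEGORY_FEED.get(host.lower(), "uncategorized")


def triage(raw: bytes) -> list[str]:
    """Return findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    if sender.domain.lower() != OUR_DOMAIN:
        findings.append(f"external sender {sender.addr_spec}")
    for rcpt in msg["To"].addresses:
        if rcpt.addr_spec.lower() in FORMER_MAILBOXES:
            findings.append(f"addressed to former employee mailbox {rcpt.addr_spec}")
    if REPLY_CHAIN_RE.match(msg["Subject"] or ""):
        findings.append("subject mimics an existing FW/Re thread")

    links = extract_links(raw)
    if links and not list(msg.iter_attachments()):
        findings.append("no attachment; payload is fetched via link (attachment scanning sees nothing)")
    for url in links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        cat = category_of(host)
        if cat in BLOCKED_CATEGORIES:
            findings.append(f"link host {host} is {cat}: web filter would block it")
        b64 = decode_b64_params(url)
        if b64:
            findings.append(f"link carries base64 parameter(s) {b64}")
        if parsed.path.endswith(".php") and b64:
            findings.append(f"{parsed.path} with an encoded id looks like a download gate")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Run as a script it prints one line per finding for the constructed message. The "uncategorized" rule is the one that matters most in practice: a freshly registered or freshly compromised host has no reputation yet, so a filter that only blocks "known bad" lets the first wave through.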
 
Top