February 20, 2015
Bogus Quotation/Purchase Order Malware Emails
Following up on the other day's dispatch on the NYC parking ticket scam, I wish to publicize what I believe to be an exceptionally damaging campaign by crooks to dig their way into small business bank accounts. The messages in question arrive in the form of requests for quotation or a purchase order for goods or services. Here is one plucked out of today's email flood:
Subject: supply only quotation 16822 in total
Attached are 1 quotes so far they are in excel format so they can be altered if necessary (I normally only send the quotes in PDF so they can’t be altered but Mike asked me not to do this).
The rest to follow tomorrow a.m.
I'm omitting some identifying information about a U.K. company that claims to be the originator of the message. The company has nothing to do with this email, so I choose to keep the innocent just that.
Aside from the abominable grammar, the crook-creator of this campaign also isn't very bright when it comes to generating HTML email. His effort would have been helped by entering proper URLs for the company logo images rather than local file paths; all I see in the message are broken image placeholders.
But don't let the crudeness of the missive mislead you. The attached ZIP file is a loader for one of the nastiest pieces of malware currently in circulation. Commonly known as the Dyre Banking Trojan, this ever-evolving piece of work has an incredibly sophisticated network of bad actors behind it. The sneakiest aspect is that it can act as a man-in-the-middle to intercept communications between an individual user and a financial institution. So, not only can it grab login credentials to use willy-nilly, but it can also inject content into the web page that originates at the bank. For instance, the Bad Guys could use the login credentials to nearly wipe out the account, but the next time the human user logs in, the bank's web page shows a full balance, as if nothing is amiss. The malware is wired to make this mysterious behavior work under Windows in Internet Explorer, Chrome, and Firefox. Tomorrow? Who knows what other systems could be affected.
[You don't have to be a genius (or English major) to take advantage of these sophisticated malware campaigns. Many are for rent, and the malware contains an identifier that lets the true leader know whom to compensate for each infected computer. If you are technically inclined, Dell has an excellent writeup about Dyre at http://www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan/. It's a couple of months old, so the software has most likely evolved beyond the capabilities described there.]
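For anyone who filters mail for a small business, here is a triage script built around the two tell-tales described above, the ZIP attachment carrying an executable loader and logo images that point at local file paths. It is an added example, not code from the original post or from anyone who analysed Dyre; the lure words, the executable extension list and the sample message are my own assumptions and constructions.

```python
"""Triage heuristics for quotation/purchase-order lure emails (constructed
example, not code from the original post): flags a ZIP attachment carrying an
executable loader and <img> tags that point at local file paths, not URLs."""
import email.message, email.policy, io, re, zipfile

# Extensions a "quote" loader commonly hides behind inside a ZIP (assumed list).
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".js", ".jar")
# src pointing at file:, a Windows drive path or a UNC share renders as a broken
# placeholder because the recipient's mail client cannot fetch it.
LOCAL_SRC = re.compile(r'<img[^>]+src\s*=\s*["\']?(?:file:|[a-z]:\\|\\\\)', re.I)
LURE_WORDS = ("quotation", "quote", "purchase order")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")

def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect the indicators."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    f = {"lure_subject": False, "local_images": 0, "zip_attachments": [], "exec_in_zip": []}
    f["lure_subject"] = any(w in (msg["subject"] or "").lower() for w in LURE_WORDS)
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html":
            f["local_images"] += len(LOCAL_SRC.findall(part.get_content()))
        elif name.lower().endswith(".zip") or part.get_content_type() in ZIP_TYPES:
            f["zip_attachments"].append(name)
            try:  # inspect the archive in memory; nothing is written to disk
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    f["exec_in_zip"] += [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
            except zipfile.BadZipFile:
                f["exec_in_zip"].append("<unreadable zip>")
    return f

def is_suspicious(f: dict) -> bool:
    """An executable in the ZIP is damning alone; otherwise require the lure
    subject plus either a ZIP attachment or broken local image references."""
    return bool(f["exec_in_zip"]) or (f["lure_subject"] and bool(f["zip_attachments"] or f["local_images"]))

def build_sample() -> bytes:
    """Constructed lure modelled on the quoted message; the 'exe' is placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote 16822.exe", b"placeholder bytes, not a real executable")
    msg = email.message.EmailMessage()
    msg["Subject"] = "supply only quotation 16822 in total"
    msg["From"], msg["To"] = "sales@example.invalid", "buyer@example.invalid"
    msg.set_content("Attached are 1 quotes so far")
    msg.add_alternative('<html><body><img src="C:\\Users\\mike\\logo.png">'
                        "<p>Attached are 1 quotes so far</p></body></html>", subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="quotation_16822.zip")
    return msg.as_bytes()
```

Run `triage(build_sample())` to see all four indicators light up on the constructed message; on a real mail stream the same function takes the raw bytes of each incoming message.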
I worry greatly for small businesses who receive these types of emails with requests for price quotes and purchase orders from companies the recipient has never heard of before. It's a tough business world out there, and any chance for increased business is a massive lure. Someone receiving such an email message might think he or she will become this week's hero by snagging some fresh business that came in over the transom.
The wary recipient might think twice about opening the attachment. But the hope that this message is the legitimate one (so why not take a look?) draws that itchy mouse finger to double click the attachment.