Phishing Attacks Bait Employees With Office Scans, Emails

Whether it is a financial or educational institution, a Fortune 500 company or a small business with a digital presence, an organization's brand, customers and employees are phishing targets, and ultimately ransomware targets.

A recent second wave of a Locky ransomware variant dubbed IKARUSdilapidated uses a botnet of compromised "zombie" computers to send phishing emails that appear to come from an organization's own scanner/printer or another legitimate source.

The cybercriminals' goal: encrypt the victims' computers and demand a bitcoin ransom, according to a blog post from the Clifton, N.J.-based Comodo Threat Intelligence Lab, which discovered the new threat.

The new phishing ploy takes advantage of employees who routinely scan paper documents at the company scanner/printer and then email the images to themselves and others. To them, a malware-laden email with the same look is easy to mistake for a genuine scan. The lure even carries a real scanner/printer model number in the subject line so that the message resembles the ones employees see every day.

This second-wave August 2017 phishing campaign carrying IKARUSdilapidated Locky ransomware was actually two distinct campaigns launched three days apart. The first, with the subject "Scanned image from MX-2600N" (the Sharp MX-2600N is one of the most popular models), ran mostly over a 17-hour period on August 18. The second, a French-language email purporting to come from the French post office with a subject including "FACTURE" (invoice), played out over a 15-hour period on August 21. Each continued beyond those surges, but in much smaller volumes.
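The scanner-lure pattern described above lends itself to a simple inbound mail check. What follows is an added example written for this article, not code from Comodo or from any of the article's sources: it parses a raw message with Python's standard email library and flags the traits the two campaigns share, an English "Scanned image from <model>" or French "FACTURE" subject arriving from a domain other than the organization's own, combined with an attachment type no real scanner emits or a failed SPF/DKIM/DMARC result in the Authentication-Results header. The internal domain example.com, the list of risky attachment extensions and both sample messages are assumptions constructed for the example; only the two subject strings come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own mail domain. A genuine MFP relays
# through it, so a "scanner" message from anywhere else is suspect.
INTERNAL_DOMAIN = "example.com"

# Subject patterns taken from the two campaigns described in the article.
SCANNER_SUBJECT = re.compile(r"^\s*scanned image from\b", re.I)
INVOICE_SUBJECT = re.compile(r"\bFACTURE\b")

# Assumption: file types a scanner never produces but droppers commonly use.
RISKY_EXT = (".zip", ".rar", ".7z", ".js", ".jse", ".vbs", ".wsf", ".hta",
             ".exe", ".scr", ".docm", ".xlsm")


def attachment_names(msg):
    """Return the filename of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def failed_auth(msg):
    """Return failing mechanisms from an RFC 8601 Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    pattern = r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b"
    return [m.group(0) for m in re.finditer(pattern, header, re.I)]


def triage(raw_message):
    """Return the reasons an inbound message looks like a scanner/invoice lure.

    An empty list means no rule fired. Rules are deliberately narrow so that
    internal scans with PDF attachments pass untouched.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN
    subject = msg.get("Subject", "")
    files = attachment_names(msg)
    reasons = []

    if external and SCANNER_SUBJECT.search(subject):
        reasons.append(f"scanner-style subject from external domain {sender_domain}")
    if external and INVOICE_SUBJECT.search(subject) and files:
        reasons.append(f"invoice lure with attachment from external domain {sender_domain}")
    for name in files:
        if name.lower().endswith(RISKY_EXT):
            reasons.append(f"attachment type a scanner never produces: {name}")
    for result in failed_auth(msg):
        reasons.append(f"sender authentication failed: {result}")
    return reasons


# Constructed sample: the lure. External relay, spoofed MFP display name,
# archive attachment, SPF failure. Attachment bytes are placeholder data.
LURE = """From: "MX-2600N" <scanner@mail-relay.example.net>
To: staff@example.com
Subject: Scanned image from MX-2600N
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the scanned document attached.
--b1
Content-Type: application/zip; name="Scan_0001.zip"
Content-Disposition: attachment; filename="Scan_0001.zip"
Content-Transfer-Encoding: base64

AAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample: a genuine scan from an internal MFP with a PDF.
LEGIT = """From: "MX-2600N" <mfp-1stfloor@example.com>
To: staff@example.com
Subject: Scanned image from MX-2600N
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached is the scanned document.
--b2
Content-Type: application/pdf; name="Scan_0002.pdf"
Content-Disposition: attachment; filename="Scan_0002.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, "->", triage(raw) or ["clean"])
```

The external-domain test does the real work: the subject line alone is what the lure copies, so matching it only from outside the organization is what separates the campaign from legitimate scans. The attachment-type and authentication rules are cheap corroboration, and either can fire on its own for lures that use a different subject.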

“These malware authors are evolving and changing methods to reach more users and bypass security methods,” Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs, warned in the blog.

Both the English- and French-language phishing approaches affected numerous countries. According to Comodo, the scanned-image attack retargeted 27% of the 54,048 IP addresses used in the first IKARUSdilapidated Locky attacks on August 9-11. The top source countries for the botnet's zombie computers remained the same: Vietnam, Turkey, India and Mexico.

Seventeen percent of the computers co-opted in early August belonged to Internet Service Providers. "ISPs in general were co-opted heavily in this attack, which points to both the sophistication of the attack and inadequate cyberdefense at their endpoints," Orhan suggested.

The Comodo Threat Intelligence Lab team (part of Comodo Threat Research Labs) verified the two new ransomware attacks through detections at Comodo-protected endpoints at the leading edge of each new attack.

Orhan said, "Botnets of compromised zombie computers from ISPs are a particularly effective means of attack for criminals to both scale their ransomware attacks and to broadly bombard specific targets in a short-burst type of campaign. The attacks were over so quickly that only preventative measures would have made any real difference. Detection and response would have been too late here."

Another recent phishing attack, on August 23 at MacEwan University in Edmonton, Canada, resulted in the loss of $11.8 million. A series of fraudulent emails convinced university staff to change the electronic banking information on file for one of the school's main vendors.

"One thing has always been the same in phishing attacks: social engineering, i.e., luring people into clicking on a link and providing information so it can be captured and sent off to a drop zone," William MacArthur, threat researcher at San Francisco-based RiskIQ, explained.

MacArthur added that phishing actors adjust the same way security analysts would, so it is a constant game of chess. "Except they have more pieces and are always on the offensive." They also evolve to keep up with the changes in how people work, communicate and use sensitive personal and financial data. "Phishing has spread beyond the inbox to mobile apps, social media, and instant messaging platforms and replicates exactly the apps we trust with sensitive data every day to fool people."

These attacks go after traditionally less security-savvy staff in HR and finance departments. "These people must make sure they are verifying the authenticity of every single email asking for sensitive information."
