Andrey Kovtun – Kaspersky official blog
https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.

Invoices for delivery of non-existent correspondence | Kaspersky official blog
https://www.kaspersky.com/blog/christmas-season-invoice-scam/50050/
Wed, 13 Dec 2023 18:19:55 +0000

At the end of the year, before the Christmas and New Year holidays, the accounting departments of many companies are busy — to put it mildly; especially in countries where the fiscal year is aligned with the calendar year. Accountants are busy with financial reporting, planning budgets for the next financial period, and so on. And all that despite the pre-holiday fever, where corporate parties are common and colleagues are often not so much in the mood for work. So, of course, cybercriminals can’t ignore this situation: they’re actively sending fake invoices to random employees of companies, in the hope that someone will approve payment in the midst of the document flood.

Fraudulent email red-flags

Firstly, the very fact that an email was sent to a random employee, and not directly to the accounting department, should get alarm bells ringing. Criminals usually have no means to obtain the real email addresses of corporate accountants; they use spam mailing databases, consisting primarily of publicly available contacts — so those emails are usually received by employees in HR, PR, technical support, and so on.

Sometimes the senders of the fraudulent emails write that they’ve lost the correct address, or made a typo while writing it down, so they ask for the invoice to be forwarded to accounting; sometimes they don’t bother with explanations at all. Either way, this is no excuse for sending an email to a random address. If the invoice were really needed by one of the company’s employees, they would contact the sender themselves, find out the reasons for the delay in delivery and, if necessary, clarify the email address of the accounting department.

Forwarding unexpected emails to colleagues may do more harm than good, for a fraudulent email forwarded by a co-worker is more likely to work. If you forward an invoice to accountants, they may think that you want it to be paid. And in general, an email from an employee of the same company arouses less suspicion than external correspondence.

Secondly, criminals understand that demanding a large amount of money is a bad idea. It’s less likely that such an invoice will be paid without additional enquiries. That’s why they issue invoices for relatively small amounts — insignificant by the standards of a large company.

Thirdly, in the vast majority of cases these kinds of invoices are for correspondence delivery services. Moreover, the accompanying email is written as vaguely as possible so that it’s not always clear whether the invoice was issued directly by the sender of some documents or by the delivery company.

What are the scammers counting on?

As mentioned earlier, criminals count on the year-end’s heavy workload, folks’ general inattention, and non-specialists’ “help” in forwarding such emails to the accounting department. But the main reason why such schemes work is impunity. By and large, they’re not afraid of legal consequences. Fraudsters register a real company and send out invoices. Legally, this is a service that was paid for but not provided. Yet if someone were to take this to court, they’d probably be found guilty. But will anyone go to court over such trifling amounts of money?

If you try to search the internet by the name of the company that issued the invoice, you’ll probably find a whole host of indignant comments from businesses that were deceived in a similar way. Presumably, from time to time, the criminals change the legal entity — closing one company through bankruptcy and opening another one.

How to stay safe?

To begin with, we highly recommend using security solutions with effective anti-spam technologies at the corporate mail gateway level. As a rule, attackers send such emails in large quantities, which allows us to classify them as spam in a timely manner.

In addition, you should inform employees that an email received unexpectedly from someone unknown demanding a payment or personal data is definitely suspicious. And if they want to forward it somewhere, they should send it only to the information security department with the comment “possible fraud”.

Ideally, it’s a good idea to periodically increase employee security awareness; for example, using the online Kaspersky Automated Security Awareness Platform. This would allow employees to be prepared for unexpected emails from attackers, be they simple fraudulent spam emails or sophisticated spearphishing.

Copyright infringement, add a link | Kaspersky official blog
https://www.kaspersky.com/blog/copyright-infringement-backlink-scam/47553/
Thu, 16 Mar 2023 11:57:43 +0000

E-mail scams come in all shapes and sizes, with new ones appearing every day. No wonder, since this has always been the easiest and cheapest way to con people online — even for attackers who lack technical skills. In fact, all they need is a smidgen of both cunning and imagination. Today, we look at a crafty and rather original scheme that targets employees working with content — and their fears of copyright infringement.

That’s copyrighted! Add a link to avoid penalties

One not-so-fine day, an employee receives an e-mail from what seems to be a law firm. In it, the recipient is accused of using an image belonging to the firm’s client in violation of copyright. There are also links to both the image and the page where the awful misdeed is being perpetrated. Both these links are quite real, so this part of the story is readily believable.

Most likely, the picture is a bog-standard stock image, and it’s hard to tell straight off whether it was purchased from the rightful owner or just downloaded on the fly. And the page where it’s posted probably hasn’t seen an update for a while. In short, if the e-mail recipient really wants to find out whether the picture was stolen — and who bears responsibility in such a case — this will likely entail lots of back-and-forth correspondence with colleagues and a few not very pleasant meetings.

[Image: E-mail threatening penalties for copyright infringement unless the recipient adds a link on their site]

However, after cowing the victim, the “law firm” is quick to propose a solution: its “client” won’t take action if, within five working days, the copyright owner is credited on the offending page with a link to the site given in the e-mail.

This is followed by a second round of browbeating: the e-mail senders state categorically that simply deleting the problematic image from the site is not an option. In this case, there will be blood; rather — a lawsuit. Moreover, they frame the threat in intimidating legalese. In particular, they mention the Digital Millennium Copyright Act, which does indeed cover such violations, but for some reason they refer to section 512(c) — defining the limitations on liability for online service providers — which of course has the interests of those providers in mind, not the other way round.

The attackers re-stress that deleting the image is not an option, kindly reminding the victim that a copy of the infringing page can be found in the Internet Archive and used as evidence in court.

The e-mail itself looks pretty official. The scammers took the time to add the real address of a building where the law firm purportedly representing the claimant supposedly has its office.

[Image: 401 Congress Avenue, Austin, TX, USA — skyscraper in downtown Austin, Texas, where the law firm is purportedly based]

The domain names in the sender addresses also add credence through the use of fear-inducing words like “law” and “legal”. What’s more, the attackers don’t stay in one place, and constantly register new domains with similarly scary names.

How bad can it get?

By all appearances, the attackers’ goal is to get the victim to supply a “guilty” page with a backlink to the site they specify in the e-mail. Most likely, it’s part of some shady search engine optimization (SEO) business: the more owners of legit sites can be forced to host such links, the faster the sites of some clients they’re promoting will rise high in search results.

What’s so terrible about that, you might ask? Here’s what:

  • In the most innocent case, at the other end of the link there’s a fly-by-night site, which will disappear fairly soon. When that happens, the link on your site will point to a 404 page, which isn’t great for your SEO.
  • A worse scenario: the site you help to pull up turns out to be so problematic that it gets pessimized by search engines — together with all sites that link to it, including yours. Again, your SEO will get it in the neck (far more so than in the first case, above).
  • Finally, the most dangerous: the promoted site turns out to be phishing or malicious. In this case, you’ll send your site visitors or customers into the arms of cybercriminals. Be in no doubt that when search engines get round to blocking the malicious resource, your site will get a healthy dose of bad karma.

As such, there are no good options — only least bad — and no benefits to be had for your site at all. It means that the best solution is to ignore the e-mail and its ridiculous claims. To teach your employees how to react to e-mail scams — even the relatively innocent ones mentioned above, as well as far more dangerous kinds like BEC attacks — we recommend holding regular cybersecurity awareness trainings.

E-mail threat trends in 2022 | Kaspersky official blog
https://www.kaspersky.com/blog/email-threats-in-2022/46582/
Tue, 13 Dec 2022 17:02:09 +0000

The pandemic completely reshaped the e-mail threat landscape. The mass shift over to remote working and the inevitable transfer of most communications to the online format has stimulated a rise in both phishing and BEC attacks. The increased flow of business correspondence has made it far easier for cybercriminals to disguise their e-mails among the stack of legitimate ones, for which reason mimicking business correspondence has become a major attack vector. Many social-engineering tricks — like a notification that urges the victim to respond to an e-mail ASAP — have also been given a new lease of life. The main trends that we’ve observed in 2022 are as follows:

  • A surge in spam mailings with malicious content to infect the victim’s computer
  • Active use of social-engineering techniques in malicious e-mails more typical of spear phishing (adding signatures to mimic specific departments; using business language and context appropriate for the target company; piggybacking current events; referring to real company employees)
  • Widespread spoofing — the use of e-mail addresses with domain names similar to the real ones of target organizations (differing only by a couple of characters)

As a result, the creators of malicious spam mailings have been able to disguise them as internal messages and business correspondence between companies, and even as notifications from government agencies. Here are the most illustrative examples we’ve come across this year:

Malware in e-mails

The main trend of the outgoing year has been malicious mailings disguised as business correspondence. To get the recipient to open an attachment or download a linked file, cybercriminals typically try to convince them that the e-mail contains business-relevant information such as a commercial offer or an invoice for delivery of goods. The malware is often placed in an encrypted archive, the password for which is given in the body of the message.

For example, throughout the whole year we encountered the following scheme: attackers gained access to genuine business correspondence (most likely by stealing it from previously infected computers) and sent new e-mails to all participants with malicious files or links. In other words, they were able to develop the conversation in a plausible way. This ruse makes malicious e-mails harder to spot, and increases the likelihood that the victim will fall for it.

In most cases, when a malicious document is opened, either the Qbot or Emotet Trojan is loaded. Both can steal user data, harvest information on a corporate network, and distribute other malware such as ransomware. In addition, Qbot can be used to access e-mail and steal messages; that is, it serves as a source of correspondence for further attacks.

As the end of the year approaches, the pretexts used in malicious e-mails are becoming ever more inventive. For example, in early December, scammers pretending to be a charity organization asked victims to part with their old equipment. Of course, to take part in this noble venture, they had to download a file supposedly containing the list of accepted devices. But in fact, the attachment was a malicious executable file hidden in a password-protected archive.

In another e-mail campaign, under the guise of invoices, attackers sent out tens of thousands of archives containing a malicious Trojan backdoor to allow remote control over the infected computer. Most interestingly, the attached archive had extensions like .r00, .r01, etc. It’s likely that its creators wanted to pass the attachment off as part of a large RAR archive in an attempt to bypass automatic protection systems configured for certain file extensions.

Fake government notifications

E-mails imitating official notifications from ministries and other government departments have become more frequent this year. This trend is especially noticeable in the Russian-language segment of the internet. E‑mails of this type are tailored to the profile of the specific organization. The sender address usually resembles the department’s real domain, and the malicious attachment most often bears a relevant title, such as “Comments on the results of the meeting”. One such attachment contained malicious code to exploit a vulnerability in Equation Editor, a component of Microsoft Office.

Piggybacking current events

In the Russian-language segment of the internet, we also saw a surge in malicious e-mail activity based on the current news agenda. For example, in October, cybercriminals distributed malware under the guise of call-up orders, exploiting Russia’s “partial mobilization”. The e-mails cited the Russian Criminal Code, used the heraldry and style of the Ministry of Defense, and prompted the recipient to download the order via the link provided. In fact, the link pointed to an archive with an executable script that created an executable file and ran it.

In addition, we registered an e-mail purporting to come from Russian law enforcement agencies. The message invited the victim to download a “new solution” to protect against online threats from “hostile” organizations. In reality, however, the program that got installed on the computer was a ransomware Trojan.

How to stay safe

Cybercriminal schemes are becoming ever more sophisticated each year, and the methods of mimicking business correspondence — ever more convincing. So to keep your corporate infrastructure protected against e-mail attacks, pay attention to organizational measures as well as technical ones. In other words, besides having security solutions both at the corporate mail server level and on all internet-connected devices, we recommend regular cybersecurity awareness training for employees.

Emotet and Qbot in spam mailouts | Kaspersky official blog
https://www.kaspersky.com/blog/qbot-emotet-spam-mailing/44144/
Tue, 19 Apr 2022 18:02:11 +0000

Our experts have detected significant growth in complex malicious spam e-mails targeting organizations in various countries. The number of these malicious e-mails grew from around 3000 in February 2022 to approximately 30,000 in March. So far, our technologies have detected malicious e-mails written in English, French, Hungarian, Italian, Norwegian, Polish, Russian, Slovenian and Spanish.

How cybercriminals infect victim’s devices

Cybercriminals apparently intercept active e-mail conversations on business matters and send the recipients an e-mail containing either a malicious file or a link in order to infect their devices with a banking Trojan. Such a scheme makes those messages harder to detect and increases the chances that the recipient will fall for the trick.

Some of the e-mails the cybercriminals send contain a malicious attachment. In other cases, the e-mail contains a link that leads to a file hosted on a legitimate, popular cloud-hosting service. Often, the malware is contained in an encrypted archive, with the password mentioned in the e-mail body. To convince users to open the attachment or download the file via the link, the attackers usually state that it contains some important information, such as a commercial offer.

Our experts have concluded that these e-mails are being distributed as part of a coordinated campaign that aims to spread banking Trojans.

What kind of malware attackers are using and how dangerous are they?

In most cases, when a victim opens a malicious document, it downloads and launches the Qbot malware, but our experts have also observed that some of these documents download Emotet instead. Both malware strains are capable of stealing users’ data, collecting data on an infected corporate network, spreading further in the network, and installing ransomware or other Trojans on other network devices. Qbot can also access and steal e-mails.

How to stay safe

In order to stay safe from attacks by Qbot and Emotet (or any other malware spreading via e-mail), we recommend the following:

  • Installing a reliable security solution at the mail gateway level — it will automatically filter out spam and malicious messages before end-users even have a chance to make a mistake.
  • Providing your staff with basic cybersecurity hygiene training — it can teach them to spot cybercriminal behavior (for example, to know that a password sent in the same e-mail as the encrypted archive can serve only one purpose — to deceive antimalware technologies).
  • Conducting simulated attacks to ensure that your employees know how to distinguish phishing and malicious e-mails from genuine ones.
  • Using a security solution on every endpoint that is connected to the Internet. That way, if your staff fall victim to an attack, it can prevent the file from opening or the malicious link from working.
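As an added illustration (not code from the Kaspersky posts or from any Kaspersky product), the following Python script encodes three of the red flags these posts describe as gateway-side triage heuristics: a sender domain within a couple of characters of the organization’s own domain (the spoofing trend from the 2022 overview), a password quoted in the message body alongside an archive attachment (the Qbot/Emotet mailings), and split-RAR volume extensions such as .r00/.r01 (the fake-invoice campaign). The organization domain, the regular expressions, and the three sample messages are constructed assumptions for the demonstration.

```python
"""Heuristic e-mail triage for the red flags described in the posts above.

Added example, not the blog's or any product's code. The organization
domain, thresholds, regexes and sample messages are all assumptions.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the defended organization's own mail domain (placeholder).
ORG_DOMAIN = "example-corp.com"
LOOKALIKE_MAX_DISTANCE = 2  # "differing only by a couple of characters"

PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(?:zip|rar|7z)$", re.IGNORECASE)
SPLIT_RAR_RE = re.compile(r"\.r\d\d$", re.IGNORECASE)  # .r00, .r01, ...


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def attachment_names(msg) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(msg) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message: str) -> set:
    """Return the set of red flags raised by one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = set()
    domain = sender_domain(msg)
    # A domain equal to our own is not judged here: authenticity of internal
    # mail is a job for SPF/DKIM/DMARC, not for string similarity.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        flags.add("lookalike-sender-domain")
    names = attachment_names(msg)
    if any(ARCHIVE_RE.search(n) for n in names) and PASSWORD_RE.search(body_text(msg)):
        flags.add("password-with-encrypted-archive")
    if any(SPLIT_RAR_RE.search(n) for n in names):
        flags.add("split-rar-volume")
    return flags


def build_sample(sender: str, body: str, attachments: list) -> str:
    """Construct a MIME message with dummy attachment bytes (test data only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounting@example-corp.com"
    msg["Subject"] = "Re: Commercial offer"
    msg.set_content(body)
    for name in attachments:
        msg.add_attachment(b"\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples: one lookalike domain + password/archive combo,
# one split-RAR "invoice", and one ordinary internal message.
SUSPICIOUS = build_sample("Ivan <ivan@examp1e-corp.com>",
                          "Please see the attached offer. The password is Offer2022.",
                          ["offer.zip"])
SPLIT_RAR = build_sample("billing@courier-partner.example",
                         "Invoice attached, parts 1-2.",
                         ["invoice.r00", "invoice.r01"])
LEGIT = build_sample("colleague@example-corp.com",
                     "Minutes from today's meeting attached.",
                     ["minutes.pdf"])

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("split-rar", SPLIT_RAR), ("legit", LEGIT)):
        print(f"{label}: {sorted(triage(sample)) or 'no flags'}")
```

The edit-distance check covers only the “couple of characters” case the 2022 post describes; exact-match spoofing of the organization’s own domain must be caught by SPF, DKIM and DMARC enforcement at the gateway, and a flagged message should be quarantined for the security team rather than bounced to the recipient, so that staff are never put in the position of forwarding it to accounting themselves.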