That’s a dangerous thing to do, which is why we advise you, “Never do it!”, but if you fall for it, you have effectively authorized malware to run, even if you are fully patched.
Word document exploits, on the other hand, generally rely on you being unpatched, but once you’ve opened a booby-trapped document, it’s already too late.
The booby-trapped document then takes advantage of this temporary control to download and install an item of malware chosen by the crooks.
Flying under the radar
If you are trying to infect as many people as possible to make $200 off each of them as soon and as visibly as you can, you don’t have to behave with any subtlety once you’re in.
Indeed, ransomware deliberately draws attention to itself once it’s activated, by way of encouraging you to pay up.
The Hawkeye attack
Even if you’ve heard of it before, it’s still worth reminding yourself how the scam works, which is something like this:
- Buy booby-trapped documents that use the Microsoft Word Intruder (MWI) exploit tool. If opened on an unpatched version of Windows, these documents automatically install chosen malware on the victim’s computer, with no user clicks required.
- Buy a commercially-available keylogger and configure the booby-trapped files to download and install it. (This case used the now-defunct Hawkeye keylogger.)
- Pick a broad industry sector, e.g. leather and leather products.
- Send a small number of scam emails (typically a few thousand in total) pretending to be quotation requests or payment information, each containing a booby-trapped MWI document.
- Infect victims with the keylogger and wait until they type in their email passwords.
- Use the stolen email passwords to watch their inboxes, until you see that a customer has been invoiced and is about to pay.
- Email the customer from the hijacked account, instructing the customer to use a new account number for future payments.
- Take the money yourself and quickly move it where it can’t easily be found or recovered.
What to do?
- Patch promptly. The booby-trapped documents in this attack relied on a security hole that had been patched years before.
- Keep your security software up-to-date. A good anti-virus can block attacks like this at several points, and you win if you can stop any one of them, starting with the original inbound email.
- Beware of unsolicited attachments. This can be hard if your job is business development and the email is a Request For Quotation, but avoid opening just any old document.
- Consider using a stripped-down document viewer. Microsoft’s own Word Viewer, for example, is usually much less vulnerable than Word itself because it’s much simpler. (It doesn’t support macros, either, which protects against Locky-type attacks, too.)
- If your email software supports it, use 2FA. That’s short for two-factor authentication, those one-time codes that come up on your phone or on a special security token. With 2FA, just stealing your email password isn’t enough on its own.
- Have a two-person process for important transactions. Paying large invoices and changing remittance advice shouldn’t be too easy. Require separate approval from a supervisor, so you always get a second opinion when large sums are at stake.