In recent days we have seen a very interesting and unusual phishing campaign that has a great chance of success.
December 18, 2019
Over the past few days, messages from a new targeted spam campaign have begun to appear in our email antispam filters. The crooks are increasing their chances of success in an interesting way, and the principle they use gives the campaign a fairly good chance of working. Company representatives should therefore be especially careful.
This is a spear-phishing campaign, a kind of targeted phishing. Instead of blanketing as many victims as possible, this type of attack is aimed very precisely. That is also why these campaigns tend to be smaller and less conspicuous, while the damage to an individual victim may be much worse.
The current campaign is characterized by the victim receiving an email from a real business partner, as a reply to a genuine message the victim sent earlier. So at first glance everything seems perfectly legitimate.
However, the attacker had previously stolen a real mail, with all the essentials, from the business partner's mailbox. The crook then generates a reply to it from their own mailbox, in which they issue an invoice or send an order. The message is of course fake, but an inattentive victim can easily take it for genuine and open the attachment.
The mail looks like a very simple call to action:
Dear Customer,
when will you continue working on this document and finish it? I have not seen any progress since Monday afternoon.
(URL)
We remain at your disposal for further information.
Kind regards
The campaign can be very successful because the victim receives a reply to an email they actually wrote and sent in the past, and it appears to come from the right, well-known source. The recipient therefore has no reason to doubt it and opens the attachment.
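Because the crook replies from their own mailbox, a mail gateway can catch this pattern: the reply references a Message-ID the company itself sent, yet it arrives from a domain that was never a recipient of that original message. The following is an added example and not code from the original post; it assumes the gateway keeps a log of outbound Message-IDs and their recipients, and all addresses, Message-IDs and messages below are constructed.

```python
# Added example: flag reply-chain hijacking at the mail gateway.
# Assumption: we have a log of what our users sent (Message-ID -> recipients).
# All addresses, Message-IDs and messages here are constructed sample data.
from email import message_from_string
from email.utils import getaddresses

# Constructed outbound log. A real gateway would fill this from its own
# sent-mail records; the victim's mail went only to the real partner.
OUTBOUND_LOG = {
    "<20191216.1@victim.example>": ["partner@realpartner.example"],
}

def domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()

def hijacked_reply(raw: str, outbound=OUTBOUND_LOG) -> bool:
    """True when an inbound mail claims to be a reply to one of our own
    outbound messages but is sent from a domain we never wrote to."""
    msg = message_from_string(raw)
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    senders = [a for _, a in getaddresses(msg.get_all("From", []))]
    if not senders:
        return False
    for mid in refs:
        original_rcpts = outbound.get(mid)
        if original_rcpts is None:
            continue  # references a thread we did not start; nothing to compare
        expected = {domain(r) for r in original_rcpts}
        if domain(senders[0]) not in expected:
            return True  # thread is ours, sender domain is not the partner's
    return False

# Constructed genuine reply from the real partner's domain.
GENUINE = """From: Partner <partner@realpartner.example>
To: user@victim.example
In-Reply-To: <20191216.1@victim.example>
Subject: Re: Order

Confirmed, thanks.
"""

# Constructed hijacked reply: same thread reference, attacker-controlled domain.
HIJACKED = """From: Partner <partner@realpartner-mail.example>
To: user@victim.example
In-Reply-To: <20191216.1@victim.example>
Subject: Re: Order

Dear Customer, when will you finish this document? (constructed lure body)
"""
```

The check only covers the case described here, where the reply leaves the attacker's own mailbox; a reply sent directly from a compromised partner account carries the expected domain and needs other signals.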
In addition, current anti-virus products have so far [failed to identify](https://www.virustotal.com/gui/file/e3bcf16048358061a282a4a6b4702415a4b98552db8a18c4fac559d23aa95a07/detection) the payload, so there is a high chance of infection.