Cybersecurity Threat Advisory 0031-19: New Spam Campaign Redirects Attachments to Malicious Websites
What is the threat?
A new spam campaign has been discovered: These spam emails will have subject lines of “Delivery [number]”, such as “Delivery 0802” (which may appear to be from a legitimate package tracking service, vendor, or online shop) and will state an invoice for a recent purchase is attached. The attachment appears to be safe, but redirects users to malicious websites once opened in an Internet browser like Internet Explorer, Firefox, or Safari.
Why is this noteworthy?
Since the attachment is an HTML page that does not itself contain any malicious code; most email hygiene and endpoint protection/anti-malware systems will not flag the email or the attachment as dangerous. The HTML document uses a method of directing the browser – called “DNS TXT record” – to redirect the user to one of several different (malicious) web pages. All the emails observed in this campaign have come from IP addresses previously used by the Necurs botnet, which is known to distribute malicious spam campaigns.
What is the exposure or risk?
The Necurs botnet has been shown to distribute everything from spambots to ransomware, meaning that these email campaigns may be used to deliver various forms of malware. Users who open the attachment can find their endpoints infected with malware, leading to a variety of unwanted and/or destructive behaviors. Receiving the email is not dangerous, however opening the attachment will lead to a malicious web page which may attempt to download or directly install malicious software.
What can you do?
SKOUT always recommends basic email safety, including not opening attachments without independently verifying the content was received from a legitimate sender, and exactly what is contained in the attachment.
Sender verification includes:
-Contacting the organization and/or sender in question through its address or telephone number before interacting with or responding to any email.
-If you are not expecting correspondence from that sender and cannot verify authenticity, delete the email without opening it. Do not click on any links or attachments in the email.
-Enable the use of advanced endpoint protection to block malicious threats.
SKOUT also recommends deploying our Email Protection as a service. SKOUT Email Protection combines multiple scanning techniques to immediately spot phishing, fraud, spam, brand impersonation, and malicious or unwanted emails. With Email Protection, you get visual classification of all your email:
· External – email is not malicious or spam. (Grey)
· Caution – email may be a phishing attempt, spam, or other malicious behavior. Reasons for warning are clearly displayed. (Yellow)
· Danger – email is malicious, spam or other dangerous email. Users should not interact with this email and it is automatically moved to the junk or spam folder. (Red)
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center
Find Trouble Before Trouble Finds You