Over a decade ago, e-mail worms began propagating themselves inside password-protected containers such as ZIP archives, with the password needed to unlock the file included in the e-mail itself, all as part of the scam.
“This trick has rarely been seen since then, until now,” says Lutz Blaeser, MD of Intact Security.
He cites the recent spam campaign that targeted users of an Italian bank, which used elements of phishing and attempted to steal credit card information.
“The e-mail featured an attachment, an HTML document which asked for a password when clicked on. Of course, the password was provided in the text of the e-mail itself, and was used to decode the payload containing the HTML code of the campaign.”
Once the password is entered correctly, the HTML code is decoded and the phishing Web site revealed. “The threat actor behind this campaign relied on people believing that if something is protected by a password, it follows that it is legitimate. However, this is clearly not the case.”
Another example of the password being used for nefarious purposes, he says, is a similar campaign that employed malware attachments. “In this case, the cyber crooks used social engineering to trick their targets into downloading and installing malware. This is where the password comes in,” he explains.
“The attachment itself was protected by a password that, again, was included in the body of the e-mail. Since password-protected archives cannot be scanned by anti-malware products, as this would mean automatic unpacking, breaking the password protection, they bypass e-mail security gateways, even though they can be riddled with malicious code.”
The takeaway here, he says, is that although disguising malware in password-protected files is not new, it remains an effective way to infect users and bypass security mechanisms.
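The pattern Blaeser describes, an encrypted archive attached to a mail whose body hands over the password, is itself a usable gateway signal even when the archive contents cannot be scanned. The Python check below is an added illustration, not code from the article or from Intact Security; it constructs its own sample message, and the attached ZIP is a hand-built header with the encryption flag set rather than a genuinely encrypted file.

```python
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# "the password is 1234" / "Password: 1234" style disclosures in the mail body
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*([^\s.,;]+)", re.IGNORECASE)

def encrypted_zip_entries(data: bytes) -> list:
    """Names of ZIP entries with general-purpose flag bit 0 (encryption) set."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]

def assess_message(msg: EmailMessage) -> dict:
    """Flag an encrypted archive whose password is disclosed in the same mail."""
    body_part = msg.get_body(preferencelist=("plain", "html"))
    match = PASSWORD_RE.search(body_part.get_content() if body_part else "")
    encrypted = {}
    for part in msg.iter_attachments():
        names = encrypted_zip_entries(part.get_payload(decode=True) or b"")
        if names:
            encrypted[part.get_filename()] = names
    return {"password_in_body": match.group(1) if match else None,
            "encrypted_attachments": encrypted,
            "suspicious": bool(encrypted) and match is not None}

def build_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a minimal ZIP whose single stored entry carries the
    encryption flag. The data is dummy bytes, not real ZipCrypto output; only
    the header flag matters to the check above."""
    name_b = name.encode()
    data = b"\x00" * 12 + payload  # 12-byte ZipCrypto header + "ciphertext"
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0, 0,
                        len(data), len(payload), len(name_b), 0) + name_b + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0,
                          0, len(data), len(payload), len(name_b), 0, 0, 0, 0, 0, 0) + name_b
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def sample_message() -> EmailMessage:
    """Constructed lure in the style the article describes (not a real sample)."""
    msg = EmailMessage()
    msg.set_content("Your statement is attached. The password is 1234.")
    msg.add_attachment(build_encrypted_zip("statement.exe", b"MZ" + b"\x00" * 40),
                       maintype="application", subtype="zip", filename="statement.zip")
    return msg
```

A gateway that finds the password this way can also use it to unpack and scan the archive before delivery, which is exactly the inspection step the lure is designed to avoid.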
“What is key here, is education,” says Blaeser. “Be extremely cautious when dealing with e-mails from unknown senders, or any companies with which you have no regular dealings. If an e-mail seems dodgy, ignore it or delete it. Never, ever open attachments or click on any links.”
Similarly, with spam, don’t respond to these e-mails, as all you are doing is verifying your address, he says. “Also, if you notice that a contact of yours is sending strange e-mails or odd IMs, contact them to see if these are genuine, or not.”
“Finally, always make sure you have an up-to-date, comprehensive anti-malware solution installed, as well as a spam filter, firewall and suchlike.”