Spammers send billions of messages every day. These are mostly annoying but harmless ads. However, every now and then a malicious file is attached to such messages.
To trick the recipient into opening a dangerous file, the scammer usually describes it as something interesting, useful or important: a work-related document, a great deal, or a gift card with a popular company logo.
The people who send malicious programs have their favorite file formats. Today we will check which ones they used most this year.
- ZIP and RAR archives
Cybercriminals love to hide malicious programs in archives. For example, zip files titled Love_You0891 (the number could be anything) were used to distribute GandCrab ransomware on Valentine’s Eve. A few weeks later, other scammers were sending archives containing the Qbot Trojan, which specializes in data theft.
This year we also learned about an interesting feature of WinRAR. It turned out that whoever creates an archive can set unpacking rules so that its contents land in a system folder of their choosing. Once the contents were placed in the Windows startup folder, the malicious program would launch at the next system start. We therefore recommended that WinRAR users install the patch for this vulnerability immediately.
- Microsoft Office documents
Microsoft Office files are also popular with cybercriminals, especially Word documents (DOC, DOCX), Excel spreadsheets (XLS, XLSX, XLSM), presentations and templates. These files can contain macros – small programs that run within a file. Cybercriminals use macros as scripts to download malicious programs.
Most often, such attachments are sent to office workers. These come in the form of contracts, receipts, tax notices and urgent messages from senior management. For example, a banking Trojan called Ursnif attacked users in Italy under the guise of a payment notification. If the victim opened the file and agreed to enable macros (which were disabled by default for security reasons), a Trojan was downloaded to the computer.
- PDF files
Cybercriminals also like to hide phishing links in PDF documents. For example, in one spam campaign they encouraged users to visit a "secure" page where they were asked to log into their American Express account. It is not hard to guess that the login details went straight into the hands of the fraudsters.
- ISO and IMG disk images
Compared with the previous attachment types, ISO and IMG files are not used very often, but cybercriminals have been paying them increasing attention for some time. Such files – disk images – are a virtual copy of a CD, DVD or other disk.
Attackers used a disk image to place the Agent Tesla Trojan, whose task was to steal login credentials, on the victim’s computer. Inside the image was a malicious executable that, once run, installed the spyware on the device. Interestingly, in some cases the cybercriminals used two attachments (ISO and DOC), apparently in case one of them failed.
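The following is an added example, not the article's or any vendor's code: a small Python triage routine that applies the checks implied by the sections above to constructed sample attachments. It lists the members of a ZIP or OOXML container without extracting anything (flagging paths that would escape the extraction folder, as in the WinRAR case; VBA storage such as word/vbaProject.bin; and executables), scans PDFs for link and action objects, and recognises ISO 9660 images by their volume-descriptor signature. The file names, sample contents and risk levels are assumptions made for the demonstration.

```python
"""Attachment triage for the formats discussed above: archives, Office
documents, PDFs and disk images.  Constructed sample files, not real mail."""
import io
import re
import zipfile

LEVELS = {"low": 0, "medium": 1, "high": 2}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
OFFICE_EXT = {".doc", ".dot", ".docx", ".docm", ".dotm", ".xls", ".xlt",
              ".xlsx", ".xlsm", ".xltm", ".ppt", ".pptx", ".pptm", ".potm"}
IMAGE_EXT = {".iso", ".img"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".wsf",
            ".bat", ".cmd", ".ps1", ".lnk", ".hta"}


def ext_of(name):
    """Lower-cased final extension of a file name, or '' if there is none."""
    m = re.search(r"\.[A-Za-z0-9]+$", name)
    return m.group(0).lower() if m else ""


def zip_findings(data):
    """Inspect a ZIP container (plain archive or OOXML document) by listing its
    members only; nothing is extracted.  Flags paths that would escape the
    extraction folder, VBA macro storage, and executable members."""
    out = []
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return [("high", "PK signature but not a readable zip")]
    for name in names:
        norm = name.replace("\\", "/")
        parts = norm.split("/")
        if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm) or ".." in parts:
            out.append(("high", f"member path escapes extraction folder: {name}"))
        if parts[-1].lower() == "vbaproject.bin":
            out.append(("high", f"VBA macro storage present: {name}"))
        if ext_of(norm) in EXEC_EXT:
            out.append(("high", f"executable or script member: {name}"))
    return out


def pdf_findings(data):
    """Find the link and action objects that turn a PDF into a lure."""
    out = [("medium", "embedded link: " + u.decode("latin-1"))
           for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    if re.search(rb"/(JavaScript|JS|Launch)\b", data):
        out.append(("high", "PDF carries a JavaScript or Launch action"))
    return out


def triage(filename, data):
    """Return (risk, messages); risk is the highest finding level.  A document
    with nothing suspicious inside stays 'low', so ordinary DOCX/PDF traffic
    is not swept into the spam folder wholesale."""
    ext, out = ext_of(filename), []
    if data.startswith(b"PK\x03\x04"):                      # ZIP or OOXML
        out += zip_findings(data)
        if ext not in ARCHIVE_EXT | OFFICE_EXT:
            out.append(("high", f"zip content hidden behind extension {ext or '(none)'}"))
    elif data.startswith(b"Rar!\x1a\x07"):                  # RAR
        out.append(("medium", "RAR archive: contents not inspected here"))
    elif data.startswith(b"\xd0\xcf\x11\xe0"):              # legacy OLE Office
        out.append(("medium", "legacy binary Office file: may contain macros"))
    elif data.startswith(b"%PDF-"):
        out += pdf_findings(data)
    elif len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":  # ISO 9660
        out.append(("high", "disk image: mounts as a drive and can hide an executable"))
    elif ext in IMAGE_EXT | ARCHIVE_EXT | OFFICE_EXT:
        out.append(("medium", f"{ext} extension but unrecognised content"))
    if ext in EXEC_EXT:
        out.append(("high", f"directly executable attachment ({ext})"))
    risk = max((lvl for lvl, _ in out), key=LEVELS.__getitem__, default="low")
    return risk, [msg for _, msg in out]


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples mirroring the lures in the text; none is real malware.
SAMPLES = {
    "Love_You0891.zip": make_zip({"Love_You0891.js": b"// script stub"}),
    "contract.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>",
                               "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "report.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/document.xml": b"<w:document/>"}),
    "update.zip": make_zip({"../../Startup/updater.exe": b"MZ"}),
    "statement.pdf": b"%PDF-1.4\n1 0 obj << /S /URI /URI (https://login.example.invalid/amex) >> endobj\n%%EOF\n",
    "photo.iso": b"\x00" * 0x8001 + b"CD001" + b"\x00" * 16,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        risk, msgs = triage(fname, blob)
        print(f"{fname:18} {risk:6} {'; '.join(msgs)}")
```

Running the script prints one line per sample. The design point is that the verdict rests on what is inside the container, not on the extension alone: a plain DOCX with no VBA storage comes out "low", while a zip whose member path contains ".." or whose extension does not match its PK signature comes out "high" even before anything is unpacked.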
How to deal with potentially unsafe attachments
It may not be a very good idea to send every message containing an archive or a DOCX/PDF file to the spam folder. Instead of trying to outsmart the spammers, remember a few basic rules:
- Do not open suspicious emails from unknown addresses. If you don’t know why a message with this subject ended up in your inbox, it most likely isn’t useful to you.
- If your work involves correspondence with strangers, double-check the sender’s address and the name of the attachment. If something seems suspicious to you, do not open it.
- Do not allow macros to run on documents that come in your e-mail unless you are absolutely sure they are safe.
- Treat any links in files with care. If you have no reason to click a link, don’t. If you must, type the website address into your browser manually instead of clicking.
- Use a reliable security solution that will warn you about dangerous files and block them, as well as prevent the opening of suspicious sites.