One of the basic rules of prevention of cyber-attacks for all companies is to raise awareness and train users to “not accept gifts” received through emails. But what happens when the sender is known or when you receive a message with attached documents following a thread in which you have participated?
There has been several cases where the attacker takes advantage of a trusted email account. Through trusted email account, attacker attaches malicious Microsoft Office documents.
Using and abusing trustworthy sender accounts is a common practice that generates trust in the recipient who frequently opens the email and agrees to download the attached file or forward it with replies and comments, spreading the attack.
Microsoft office files are vulnerable. Almost always request the execution of macros (usual message to enable content that appears in the document access screen), to download the built-in malware.
The macros contain hidden files that execute several layers added to finally download an executable binary file from a remote website, which contains a malware, which will be responsible for causing the damage for which it was designed. In most cases, the objective is to steal confidential information from the recipient.
But there is still more, once the malware has been introduced into the recipient’s computer, it can be used to spread the evil to third parties and commit the same damage.
But there is still more, once the malware has been introduced into the recipient’s computer, it can be used to spread the evil to third parties and commit the same damage.
And finally, camouflaging the script of the download embedded in the Microsoft document, they can evade physical security elements which will let the mail pass because it is a trusted sender.
Let’s give an example, last month I received an email from xxxxxxx@applestrore.apple.store . The message had as an attachment a Word document and in the body it said verbatim:
We inform you that your order number 88908989 made through AppleStore is on the way.
To verify the delivery please click here.
To confirm the details of the payment, download the attached document.
Thanks for the confidence.
The Apple team.
If I would have click it, the next thing would surely have made me burst into tears… Immediately in milliseconds I made a decision: I told myself that I would resist opening the message, although I was still tempted. It was impossible to receive a message from Apple because I have never been a client of yours. I have not bought anything in the last days, months or years and therefore the message was not known to me no matter how hard Apple tries to write me.
The second reflection was that my email address was not public and therefore, I never use it to make purchases through the internet.
The curiosity to know where it would take me if I clicked here or if I opened the attached Word, surpassed me. But still, delete the message, I sent it to the trash and emptied the trash.
I spent a long time thinking about what the objective would be and I thought that it was best to explain it.
Two days later I received the same message saying that since I had not opened the previous one, in the case of not validating the delivery and the payment data of the purchase made, I would lose the material, the purchase and all the stars of the universe would fall on me .
Using social engineering, the attacker gets even closer to the user who, in many cases due to lack of reflection, curiosity, overconfidence, opens the message.
Taking into account the scenario described, regulate and protect access to non-corporate tools in the company, should be one of the security measures of all organizations, without a doubt, while the attackers use these tools to try to obtain confidential information and while there are users who continue to open this type of mail.
