Fake email attachment contains malware
Another fake email, this one carrying malware hidden inside a zip attachment, started hitting our email filters this week. The email targets Westpac customers. The attachment looks innocent enough but contains ransomware in the form of a new version of CryptoLocker. This phishing campaign appears to be running at a lower intensity than other phishing campaigns, but that doesn’t make it any less dangerous.
Figure A shows the email. It is not particularly sophisticated. There are no Westpac logos present in the email. There is no greeting. The subject line of the email reads “Dear Westpac Customer”. The sender of the email simply reads “Support”. A copyright notice is fixed to the bottom of the email. The attachment to the email is called “Westpac-Limited-Account-Form” and appears as a zip file. The email encourages the user to open the attachment.
Ostensibly, the reason for the email is attempted fraud. The email goes on to list three invalid login attempts, supposedly from various IP addresses, and gives them as the justification for locking the user account. This type of email, which encourages the user to download and open an attachment, is a favourite among the ransomware brigade. The use of .zip attachments allows criminals to conceal malicious software such as CryptoLocker.
CryptoLocker has undergone various iterations, but still performs many of the same actions. When installed, it encrypts picture files and Office documents, searching through local and network drives for them. Its activity has surged several times over the last 12 months, at one point causing ABC News 24 to go offline for 30 minutes.
This email does give itself away through its lack of a personalised greeting. Emails from banks will always address you by name. If you do receive an email with an attachment, do not download it and do not open it. Check first whether it is legitimate. If you receive the email we have detailed here, delete it.
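As an added example (not code from the original post), the traits described above can be turned into a mail-filter check: a bare role name as sender, a generic "Dear ... Customer" greeting, an account-locked lure in the body, and a zip attachment that hides an executable. The sample message, its placeholder addresses and the list of hostile file extensions are all constructed assumptions, and the zip member is an empty stand-in, not malware.

```python
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")  # assumed list
LURE_PATTERN = re.compile(r"(invalid|failed) login attempt|account .*locked", re.I)

def build_sample_message() -> bytes:
    """Constructed sample modelled on the campaign described above; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Support <support@example.invalid>"  # placeholder address
    msg["Subject"] = "Dear Westpac Customer"
    msg.set_content("3 invalid login attempts were recorded and your account has been locked. Open the attached form.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Westpac-Limited-Account-Form.exe", b"placeholder bytes, not malware")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Westpac-Limited-Account-Form.zip")
    return msg.as_bytes()

def zip_contains_executable(data: bytes) -> bool:
    """True if any zip member has an executable extension; unreadable data counts as clean."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def phishing_indicators(raw: bytes) -> list[str]:
    """Check one raw message for the traits the post describes; returns the indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    display_name, _ = email.utils.parseaddr(str(msg.get("From", "")))
    if display_name.strip().lower() in {"support", "security"}:  # bare role name, no person
        hits.append("generic sender name")
    if re.match(r"dear .*customer", str(msg.get("Subject", "")), re.I):
        hits.append("generic greeting in subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_PATTERN.search(body.get_content()):
        hits.append("account-locked lure")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            hits.append("zip attachment")
            if zip_contains_executable(part.get_payload(decode=True) or b""):
                hits.append("executable inside zip")
    return hits
```

Any message that scores on several of these indicators at once is a candidate for quarantine rather than delivery; a single hit (for example a zip from a known sender) is not enough on its own.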