Victims’ real details helping hackers trick victims into installing banking malware

Malicious spam campaign embeds German users’ real-life addresses and personal details into poisoned emails.

David Bisson


A spam campaign targeting German users has increased its chances of successfully tricking users into installing malware, by embedding several pieces of the victim’s personal information into its poisoned email messages.

The campaign, which has been active since at least January 2017, begins when a user receives an email written entirely in German. Its message informs the recipient that they’ve attempted to pay for something online but that the transaction did not complete successfully.

The user must re-submit payment, the email demands, otherwise they could be penalized by a collection agency or even law enforcement.

Sample of spam message seen targeting German users. (Source: Symantec)

Yeah, yeah, we’ve seen these types of campaigns before. Most of us know better than to fall for this type of scam, and the attackers know it. Which is why they’ve outfitted their attack emails with a technique that’s designed to convince the recipient the notice is legitimate.

Andrew Brandt, director of threat research at Symantec, elaborates on this point in a blog post:

“The key detail of each message was the fact that the recipient’s full name, mailing address, and telephone number were embedded in the middle of the message.”

Brandt doesn’t elaborate on how the attackers obtain users’ personal information. Technically, bad actors can use Google and other tools to easily find these details. But that’s beside the point. Seeing your personal information is enough to sway most users, so much so that a recipient would probably open the double-zipped attachment and thereby expose themselves to Nymaim.B.
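The double-zipped attachment is the one part of this lure a mail gateway can catch mechanically, regardless of how convincing the body is. The following is an added example, not code from the article or from Symantec: it builds a constructed message in the same shape (a German-language payment notice carrying a zip-inside-a-zip with an executable at the bottom) and flags any attachment whose archive nests another archive; all names, addresses and file contents are made-up placeholders.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SUSPECT_EXT = (".exe", ".js", ".scr", ".vbs", ".jar")
MAX_MEMBER_BYTES = 5_000_000  # skip oversized members so a zip bomb can't exhaust memory


def nested_archive_findings(zip_bytes, depth=1, max_depth=3):
    """Return (depth, member_name) for archives and executables found inside zip_bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_BYTES:
                    continue
                data = zf.read(info.filename)
                if zipfile.is_zipfile(io.BytesIO(data)) and depth < max_depth:
                    # an archive inside an archive: record it and descend one level
                    findings.append((depth + 1, info.filename))
                    findings.extend(nested_archive_findings(data, depth + 1, max_depth))
                elif info.filename.lower().endswith(SUSPECT_EXT):
                    findings.append((depth, info.filename))
    except zipfile.BadZipFile:
        pass  # corrupt or non-zip data: nothing to report at this level
    return findings


def scan_message(raw_eml):
    """Flag zip attachments that contain a nested archive (depth >= 2)."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload and zipfile.is_zipfile(io.BytesIO(payload)):
            nested = nested_archive_findings(payload)
            if any(d >= 2 for d, _ in nested):
                report.append((part.get_filename(), nested))
    return report


def build_sample():
    """Constructed test message: outer zip -> inner zip -> fake executable."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Rechnung.exe", b"MZ placeholder, not a real binary")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Rechnung.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"], msg["To"] = "inkasso@example.invalid", "max.mustermann@example.invalid"
    msg["Subject"] = "Zahlung fehlgeschlagen"
    msg.set_content("Sehr geehrter Herr Max Mustermann, Musterstr. 1, 12345 Berlin ...")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="Zahlung.zip")
    return msg.as_bytes()
```

Run `scan_message(build_sample())` to see the attachment flagged with the path down to the executable; a plain single-level zip with a PDF produces an empty report.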

For its command and control (C&C) server, this banking trojan uses afegesinge[dot]com. The domain has a checkered past. At one point in time, 13 other malware executables communicated with it.

C&C communication with afegesinge[dot]com. (Source: Symantec)

This type of campaign isn’t the first of its kind.

Back in April 2016, for instance, BBC News reporter Shari Vahl and ZDNet journalist Zack Whittaker separately spotted malicious emails in their inboxes that said they owed money to a collection agency, and included their real-life address information to make the messages appear more convincing.

Unlike the German campaign, however, the UK attack sought to trick users into clicking on links that led them to Maktub ransomware.

An example of the UK personalized spam campaign. (Source: ZDNet/CBS Interactive)

Such personalized malicious spam campaigns have Symantec’s Brandt worried:

“While this wolf in very convincing sheep’s clothing may have been a rare event, the seemingly constant stream of breaches and disclosure of personal data from public websites indicate that these kinds of attacks may become more common in the future. No matter how convincing an email seems to be, it always pays to double check these kinds of claims by calling the company purportedly making the claim to confirm the message’s authenticity (or to prove that it is false).”

Aside from confirming with the alleged sender, users should maintain an up-to-date security solution on their computers, implement software updates as soon as they become available, and delete any suspicious emails.

Remember to always be wary of opening unsolicited email attachments and clicking on unknown links. Clicking before you think could lead to your downfall.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
