LinkedIn users in Europe should be extra careful, as a highly personalized malicious campaign has been started. The campaign’s payload is banking malware. Specific people have received tailored malicious emails in different languages. The users’ credentials that were offered for sale on the black market have apparently been put to use by cyber criminals.
Read More: LinkedIn’s Data Breach Is a Breach in Trust
Post-Breach Phishing Emails Spreading the Zeus Panda Banking Trojan
The German federal CERT released an alert a couple of days ago about tailored phishing emails aimed at European users of LinkedIn. It’s obvious that cyber crooks have used data from the recently leaked LinkedIn data set. The phishing emails are quite specific, addressing the targeted person by full name, company name and job title. The attachments in the emails pretend to be invoices but instead are spreading malware.
Security vendor Fox-IT has also confirmed the post-breach phishing campaign. The company has provided an example in Dutch:
Dear Firstname Lastname,
We are writing to you regarding invoice number 014321463.
The invoice has been outstanding since 9-jun-16. The outstanding amount is 2,487.50 Euro.
We kindly request that you pay the outstanding amount.
Payment as soon as possible, please.
Kind regards,
A.E. De Kuiper,
BEEREJAN HOLDING BV.
Faisantenstraat 53 Hilversum 1211 PT
The phishing emails are spreading Word documents with macros. The content of the email is an attempt to make the recipient enable the macros. If they are enabled, the macro retrieves a malicious binary from a website, and the Zeus Panda banking Trojan is downloaded onto the victim’s computer.
Read More: Panda Banker Spread via Macros in Word
Considering the scope of recent mega data breaches, post-breach phishing campaigns are highly likely to continue. Users shouldn’t open random and unexpected emails, especially ones containing attachments.
Besides spreading malware, cyber crooks are also trying other approaches – like threatening to release compromising personal information about users whose credentials have been leaked, something we have called post-breach extortion.
How to Stay Away from Macro Malware
For obvious security reasons, macros are disabled by Microsoft by default. However, cyber criminals know that and keep finding ways to make potential victims enable macros and subsequently get infected.
In short, to stay safe against macro malware and its various payloads, follow these steps:
- Disable macros in Microsoft Office applications. The very first thing to do is check that macros are disabled in Microsoft Office. For more information, visit Microsoft Office’s official page. Keep in mind that if you are an enterprise user, the system administrator is the one in charge of the default macro settings.
- Don’t open suspicious emails. Simple as that. If you receive an unexpected email from an unknown sender – like an invoice – don’t open it before making sure it is legitimate. Spam is the primary way of distributing macro malware.
- Employ anti-spam measures. Use anti-spam software (spam filters) that examines incoming email and separates spam from legitimate messages before it reaches your inbox. Make sure a spam filter is active on your email account. Gmail users can refer to Google’s support page.
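The infection chain above relies on the victim opening a macro-carrying Word attachment, and the advice in this list (disable macros, filter incoming mail) is about stopping that attachment before it is opened. The following script is an added example, not code from the original article or from any of the vendors it cites: it inspects an attachment’s bytes rather than trusting its file extension, reports whether an Office Open XML document carries a VBA project (the `word/vbaProject.bin` part and its `application/vnd.ms-office.vbaProject` content type are the standard markers), flags legacy binary `.doc` files for manual review, and returns a simple gateway verdict. The `build_ooxml` helper constructs minimal sample documents in memory so the check can be exercised offline; the function names and the block/review/allow policy are assumptions of this example.

```python
import io
import zipfile
from typing import Dict, List

# Markers of a macro-enabled Office Open XML document.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Magic bytes of the legacy OLE2 container (.doc/.xls); those formats can
# always embed macros, so this check does not try to prove them clean.
LEGACY_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def office_macro_report(data: bytes) -> Dict[str, object]:
    """Classify an attachment by content: OOXML with/without macros, legacy OLE2, or other."""
    if data.startswith(LEGACY_OLE_MAGIC):
        return {"format": "ole2", "has_macros": None,
                "reason": "legacy binary Office format; inspect manually"}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "other", "has_macros": False, "reason": "not an Office container"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names: List[str] = zf.namelist()
            vba_parts = [n for n in names if n.endswith(VBA_PART_SUFFIX)]
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"format": "other", "has_macros": False, "reason": "corrupt zip container"}
    has_macros = bool(vba_parts) or VBA_CONTENT_TYPE in content_types
    return {"format": "ooxml", "has_macros": has_macros,
            "reason": ", ".join(vba_parts) or "no vbaProject part"}


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict (assumed policy): block macro documents, review legacy binaries, allow the rest.
    The filename is logged only; the decision is made on the bytes, so a renamed .docm is still caught."""
    report = office_macro_report(data)
    if report["has_macros"] is True:
        verdict = "block"
    elif report["format"] == "ole2":
        verdict = "review"
    else:
        verdict = "allow"
    print(f"{filename}: {verdict} ({report['format']}: {report['reason']})")
    return verdict


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal sample Word container in memory (test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
              'officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            ct += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")  # stands in for a VBA project
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a macro "invoice" disguised with a .docx extension, a clean document,
    # a legacy binary document and a plain text file.
    triage_attachment("factuur_014321463.docx", build_ooxml(True))
    triage_attachment("report.docx", build_ooxml(False))
    triage_attachment("invoice.doc", LEGACY_OLE_MAGIC + b"\x00" * 16)
    triage_attachment("notes.txt", b"hello")
```

Because the verdict is based on the container’s contents, renaming a `.docm` to `.docx` or `.doc` does not get it past the check; legacy OLE2 files are routed to review rather than silently allowed, since this script does not parse the OLE2 stream structure.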
And don’t forget to keep your anti-malware program updated and running at all times!