The holiday season is full of great deals, goodwill, and shopping sprees, but it's also crowded with people looking to exploit all three. Microsoft's Malware Protection Center is warning against a new attack that disguises itself as an Amazon dispatch email. Because of the volume of Black Friday purchases, the emails are being met with more success than usual.
According to a spokesperson, users are being spammed with emails that carry a ransomware-delivering attachment. Downloading and running the attached zip file will result in important files being encrypted and inaccessible until you pay the attacker.
Method of Attack
The attachment is a JavaScript file belonging to the Nemucod downloader family, which fetches the Locky ransomware onto the victim's computer. Microsoft has been tracking this combination for a while, and Windows Defender should detect it.
The emails are clearly fake to a practiced eye but are good enough to trick some users into clicking. A fake order number is included in the body, as is a reference to couriers, which vary depending on the individual.
They also contain legitimate links to Amazon support, including the returns policy and support centers. The wording of the emails sounds fairly legitimate, though you can spot it easily by the ‘=’ signs throughout.
According to Microsoft, this is an attempt to get through spam filters and may be successful in some cases. You can tell if you've been infected by this particular version via the ransom note:
“All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting all of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key, follow one of the links:”
If you're caught out by this, there's not much you can do, so it's important to follow Microsoft's safety steps:
“For end users
- Use an up-to-date, real-time antimalware product, such as Windows Defender for Windows 10.
- Think before you click. Do not open emails from senders you don't recognize. Upload any suspicious files here: https://www.microsoft.com/en-us/security/portal/submission/submit.aspx. This campaign spoofs Amazon and the delivery companies Royal Mail, DHL, and FedEx. The attachment is a ZIP file, which may be a common attachment type, but it contains a .JS file. Be mindful of what the attachment is supposed to be (in this case, most likely a document) and the actual file type (a script).
For IT administrators
- Use Office 365 Advanced Threat Protection. It has a machine learning capability to help your network administrators block dangerous email threats. See the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.
- Use Windows Defender Advanced Threat Protection to help detect, investigate, and respond to advanced and targeted attacks on your enterprise networks.
- Use the AppLocker group policy to prevent dubious software from running.”
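The "think before you click" advice above comes down to one check: does the attachment's real type match what the email says it is? The script below is an added example, written for this article rather than taken from Microsoft or the article's author, that applies that check to a message in the shape the campaign uses: a ZIP attachment whose only member is a script, here named with a `.doc.js` double extension. The extension lists, the sender address, the order number and the attachment names are all constructed assumptions; the email it builds is a harmless mock-up, not a captured sample.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute as a script when double-clicked (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
# Extensions a recipient would expect for an order confirmation or dispatch note (assumed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt"}


def suspicious_members(zip_bytes):
    """Return (member_name, reason) for every script file found inside a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Look only at the file name, lower-cased, split on dots: "a.doc.js" -> ["a", "doc", "js"]
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) < 2:
                continue
            ext = "." + parts[-1]
            if ext in SCRIPT_EXTENSIONS:
                reason = "script file inside archive"
                if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                    reason = "double extension disguising script as document"
                findings.append((info.filename, reason))
    return findings


def scan_message(raw_bytes):
    """Walk a raw RFC 822 message and report attachments that are scripts or hide scripts in a ZIP."""
    msg = email.message_from_bytes(raw_bytes)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text and multipart containers carry no attachment name
        payload = part.get_payload(decode=True)
        lowered = filename.lower()
        if lowered.endswith(".zip"):
            try:
                for member, reason in suspicious_members(payload):
                    findings.append((filename, member, reason))
            except zipfile.BadZipFile:
                findings.append((filename, None, "attachment claims to be a ZIP but is not one"))
        elif "." + lowered.rsplit(".", 1)[-1] in SCRIPT_EXTENSIONS:
            findings.append((filename, None, "script file attached directly"))
    return findings


def build_sample_email(member_name="Order_Details.doc.js"):
    """Construct a mock dispatch email carrying a ZIP with one member (constructed sample, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// placeholder content, not malware\n")
    msg = EmailMessage()
    msg["From"] = "Amazon <auto-shipping@example.com>"          # assumed spoofed sender
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your order has dispatched (#000-0000000-0000000)"  # placeholder order number
    msg.set_content("Your parcel has been handed to Royal Mail. Details are attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Order_Details.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_email()):
        print("SUSPICIOUS:", hit)
    print("clean sample:", scan_message(build_sample_email("invoice.pdf")))
```

The check is deliberately about declared versus actual type, which is the mismatch the advice points at: a dispatch note should be a document, so a script extension inside the archive, and especially a script hiding behind a document extension, is enough to quarantine the message for review. Real mail gateways do the same test on the decoded attachment rather than trusting the file name alone.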
You can find more detailed information on the TechNet blog.