E-mails with malware in the name of debt collection agencies and health insurance companies

02.12.2024 - The NCSC is currently receiving numerous reports of e-mails that claim to come from a debt collection agency or a health insurance company. They concern an alleged claim or reminder. Do not click on the link, as this is an attempt to distribute malware to Windows users.


At present, alleged invoices or reminders are being sent out in the name of the debt collection company Intrum, but also in the name of various health insurance companies. The e-mail asks the recipient to click on a link to view or save the open invoices as a PDF file. Example subject lines (in German) include:

  • "Sie haben neue Dokumente von der KPT. (2. Mahnung)"
  • "Offene Forderung: Intrum AG 28936038"
Fraudulent e-mails on behalf of health insurance companies and the debt collection agency Intrum, which tempt the recipient to click on the link and save an outstanding invoice as a PDF file.

The attackers' aim is to trick the victim into downloading malware. The malware in question is the well-known “Lumma Stealer” malware. Only Windows users are affected. Smartphones with Android or iOS and computers with other operating systems are not affected in this case.

Screenshot of the alleged refund request
Example of websites that prompt you to view the document. In reality, however, malware is downloaded

The link is a so-called WebDAV link. The following activities are triggered (simplified):

  • An initial stage of malware is loaded in the background;
  • This loads further components and executes them on the device;
  • A PDF document with a supposed invoice is displayed in the foreground.
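To show how such a lure could be flagged at the mail gateway, here is an added example (not code from the NCSC page): a small Python triage script that looks for WebDAV-style links in the message body and combines that with the German lure vocabulary from the quoted subject lines. The UNC and file: link forms are assumptions, as the advisory does not give the link format; the sample e-mails and the 203.0.113.10 address are constructed.

```python
import re
from dataclasses import dataclass, field

# Link shapes that resolve through the Windows WebDAV client (assumed forms,
# not taken from the advisory):
#   \\host@SSL@443\DavWWWRoot\folder\file.pdf   UNC path over HTTPS
#   \\host\DavWWWRoot\folder\file.pdf            UNC path over HTTP
#   file://host@SSL/DavWWWRoot/file.pdf          file: URI form of the same share
WEBDAV_PATTERNS = [
    re.compile(r'\\\\[\w.-]+@SSL(?:@\d+)?\\[^\s"\'<>]+', re.IGNORECASE),
    re.compile(r'\\\\[\w.-]+\\DavWWWRoot\\[^\s"\'<>]+', re.IGNORECASE),
    re.compile(r'file:/{2,4}[\w.-]+(?:@SSL)?(?:@\d+)?/[^\s"\'<>]+', re.IGNORECASE),
]

# Lure vocabulary taken from the subject lines quoted in the advisory (German).
LURE_WORDS = ("mahnung", "forderung", "dokumente", "intrum", "rechnung")

@dataclass
class Verdict:
    webdav_links: list = field(default_factory=list)
    lure_hits: list = field(default_factory=list)

    @property
    def suspicious(self):
        # A reminder/claim theme plus a WebDAV link is the combination the advisory describes.
        return bool(self.webdav_links) and bool(self.lure_hits)

def find_webdav_links(text):
    """Return every distinct WebDAV-style link found in the text, in order of discovery."""
    found = []
    for pat in WEBDAV_PATTERNS:
        for m in pat.finditer(text):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found

def lure_words(subject):
    s = subject.lower()
    return [w for w in LURE_WORDS if w in s]

def assess_email(subject, body):
    return Verdict(find_webdav_links(body), lure_words(subject))

# Constructed sample e-mails (subjects follow the examples quoted in the advisory).
SAMPLES = [
    ("Offene Forderung: Intrum AG 28936038",
     r"Ihre offene Rechnung finden Sie hier: \\203.0.113.10@SSL@443\DavWWWRoot\Intrum\Mahnung.pdf"),
    ("Sie haben neue Dokumente von der KPT. (2. Mahnung)",
     "Dokumente ansehen: file://203.0.113.10@SSL/DavWWWRoot/KPT/Forderung.pdf"),
    ("Newsletter Dezember", "Alle Infos: https://example.org/news"),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        v = assess_email(subject, body)
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok        '}  {subject}  {v.webdav_links}")
```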

"Lumma" is a so-called "malware-as-a-service (MaaS)" business model, in which cybercriminals provide malware and the associated infrastructure in return for payment, enabling even less experienced attackers to carry out complex cyberattacks.

The "Lumma" malware is designed to steal sensitive data such as passwords, browser information and details of cryptocurrency wallets. "Lumma Stealer" was already noticed by the NCSC a month ago. At that time, the attackers used the CAPTCHA verification process to trick victims into installing malware. The NCSC has written a weekly review about this:
Weekly 45

Technical indicators for this incident are available via the following link:
https://github.com/govcert-ch/CTI/tree/main/20241202_LummaStealer

Recommendations:

  • Do not click on the link.
  • If you are expecting a reminder, contact the debt collection agency or health insurance company to check whether the claim is legitimate. Use the contact details on the official websites of the companies.
  • If you suspect that malware has been installed, contact a computer specialist. It is safest to completely reinstall the computer. Don't forget to back up all your personal data beforehand. After the reinstallation, change your passwords for all online accounts (email, social networks, etc.).

Last modification 02.12.2024


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2024/2024-inkasso-kk.html