Weekly review 42

26.10.2021 -The number of reports received by the NCSC remains high. The reason is the persistence of text messages with an alleged voicemail linked to Android malware. Reports were also received about malicious Excel documents that were apparently sent by someone known to the victim and referred to a previous message. Other reports concerned a targeted request to a law firm which culminated in attempted fraud, and an instance of advance fee fraud combined with phishing.

Attackers also try to use previous messages to persuade their victim to open a document

A variant that increases the probability of the victim opening an email attachment is the connection with a previous email. The attackers gain prior access to an email account, select a suitable message and resend it to the recipient – supplemented with a link to malware. We reported on this in weekly review 20.
This week, the NCSC observed a resurgence in this kind of attack, which mainly targets SMEs, but also communal authorities. The email requests the recipient to check some documents that are behind two links. Thereafter, the attack follows the familiar path of communication theft. Behind the links are a zip file with an Excel document. The Office macro function (in this case: Excel) is used to install the malware.

  • Malicious emails can also come from apparently known senders. Be careful if previous messages are suddenly used out of context, for example.
  • Malware is often distributed through Office documents. In most cases, the macro function is exploited. Never give permission to activate the macro function.
Email referring to a previous message and containing two links to malware
Email referring to a previous message and containing two links to malware

Request from Japan – malware or fraud?

Last week, the NCSC received a report from a Swiss law firm about a suspicious contact, apparently from a Japanese company. The law firm was requested to assume the lead in legal proceedings against a Swiss company. It was also claimed that an attached PDF contained an eight-page contract with legal provisions setting out the details. Suspicions were raised because the company used a Gmail address to make contact. Sure enough, enquiries to the Japanese company – and to the correct email address listed on the company website – revealed that it had nothing to do with the apparent request.

But what exactly was going on?
An analysis of the PDF file did not uncover any irregularities. So a malware attack could be ruled out. The NCSC found the contract template on the internet. This template is freely available and contains a ready-made document; all the attackers had to do was enter the name of the contracting party. The document served to give the impression of specialist knowledge and to persuade the law firm to take on the case.

But what was the motivation behind this request?
The attackers' aim is to get the law firm to take on the case and issue a corresponding invoice. The attackers then say that they will pay by bank transfer or cheque. They send apparent copies of cheques or letter from fictitious banks, in order to convince the victim that the amount has actually been paid. The trick in these cases is that the amount transferred is higher than the amount originally agreed. Before the victim has a chance to check whether the money has actually reached their account, they are pressured to pay back the difference, either to another account or, for some spurious reason, to a fictitious service provider. Of course, it always turns out that the cheque is not honoured, or the claimed transfer does not exist. These are cases of classical overpayment fraud. The law firm recognised the fraud early and informed the NCSC.

  • Be sceptical if a company communicates via large email providers such as Gmail, Hotmail or Bluewin
  • Make enquiries about the reliability of the company that has contacted you
  • Use a contact address listed on the official company website to check whether an order is genuine

Advance fee fraud with an unexpected outcome

Emails claiming that the recipient is owed a large sum of money are sent out in their thousands. Usually, they involve an apparent inheritance from a prince, lost fortunes that are waiting to be claimed, or a lottery win. The offers and promises made in these messages are entirely made up and are intended merely to create a credible backdrop against which the scam can be perpetrated. If the recipient responds to the message for example, some excuse is made to request an advance payment. For this reason, this is known as advance fee fraud. However, what is promised does not exist.

This latest case also began with winnings of USD 10 million. Apparently, the email address had been picked out in a US lottery, and had even won first prize. In order to convince the recipient that the money existed and was genuine, the message contained a link to a page which the apparent winner could use to verify this. However, they first had to perform an authentication – using the password of the winning email account. A test run by the NCSC showed that it was possible to enter any email address and any password on the page, but that a win was never displayed; instead, users were diverted to a page of the corresponding email provider. However, by entering the password, the attackers were able to gain access to the victim's email account – a classic phishing attempt. Combinations of two well-known phenomena, such as advance fee fraud and phishing in this current case, have been observed more often recently.

  • Be sceptical if you receive emails that require action on your part and that carry a threat of consequences (loss of money, criminal charges or criminal proceedings, blocking of account or card, missed chance, misfortune) if the action is not performed.
  • Do not open any attachments or click on any links in suspicious emails.
Fake website that is supposed to show the victim's winnings once they have logged in.
Fake website that is supposed to show the victim's winnings once they have logged in.

Last modification 26.10.2021

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/wochenrueckblick_42.html