Romanian bank customers continue to be targeted by cyber attacks using several methods, one of which is e-mail.
A user receives an e-mail informing them that a payment has been made from their account or that they have to pay a certain amount of money for a certain invoice. A PDF document with a payment order is attached to the e-mail, along with additional information about the transaction, specifying the payment approval with personal data and the account number into which the payment will be made.
Of course, this message is sent by the attackers and is designed to appear to have been legitimately sent by the bank, copying its visual identity (font, logo, address) so as not to arouse the recipient's suspicion.
Faced with this information, the user can be scared and can act hastily, believing that money has been stolen from their account, and open the malicious attachment in the mail, which will automatically lead to the installation of a variant of malware. The attachment, called a “payment order” or “due invoice”, is not a document, as stated in the email, but an executable file (.exe), which will install on the user's device the malware called ‘Agent Tesla’.
This type of malware has the ability to record what the user types on the device, as well as the text the user copies to the clipboard, and this information is passed on to a command and control server (C2) operated by the attackers. Basically, when the user logs in to personal accounts or to the accounts of the company they work for, those credentials can come into the possession of the attackers without the user knowing what happened.
Recommendations
- In order to avoid such situations, vigilance is recommended when using the online environment. It is important to pay extra attention because you may receive deceptive messages through various channels (email, SMS, social networking, phone calls) from people who claim to be employees of the bank, intermediaries from the bank, or representatives of other well-known institutions. Analyze incoming messages before clicking on a link or opening an attached document;
- If you receive an email or message from the bank, first check the source of the message in the mail header (as far as possible), as banks do not use emails with addresses that do not contain the bank’s name. Sometimes the real sender is hidden, the address being spoofed, but other times the attackers use an alias, and the real address is easily visible when accessing the source of that email. So use the view source button in your email client or internet browser to detect the sender’s real address. You need to compare the address the email came from with the official address found on the official website of the bank where you are a customer. As can be seen from the attached image, the example email came from an address with no official connection to the bank it impersonates (tapizadosblanco [@] againtrnet [.] Com).
- If you have any suspicions about the received message, check the information, including confirming with the sender that they actually sent it to you, or consult the official website of the bank where you are a customer.
- Use a device security solution (antivirus or antimalware) to scan for malicious links or attachments. Alternatively, you can use such a solution available for free online, such as VirusTotal.
- Keep the operating system and software on your devices up to date. Updates help prevent such attacks and are necessary for the security of the devices you use.
- Back up your important files regularly and store this copy on an external medium, disconnected from your device. (Ideally, you should store backups on multiple external media).
- If you have been the victim of such an attack and you notice that money has been withdrawn from your account, it is important to contact the bank, the Police (petitii @ politiaromana [.] Ro) and / or the dedicated 1911 emergency number (for cyber security incidents) as soon as possible.
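The sender check and the disguised-attachment check described above can be automated over a saved message; the following is an added example, not part of the original advisory. The official domain `examplebank.example`, the sender address and the sample attachment are constructed placeholders.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# File extensions Windows runs rather than opens as a document (partial list).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def check_message(raw_bytes, official_domain):
    """Return warnings for one raw e-mail (the bytes behind 'view source')."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    warnings = []
    # parseaddr drops the display name (alias) and keeps the real address.
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain != official_domain and not domain.endswith("." + official_domain):
        warnings.append(f"sender domain {domain!r} is not {official_domain!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXECUTABLE_EXTS):
            warnings.append(f"{name!r} has an executable extension")
        # Windows executables begin with the bytes "MZ", whatever the file name.
        if data[:2] == b"MZ":
            warnings.append(f"{name!r} starts with the Windows executable signature")
    return warnings

def build_sample(from_header, filename, data):
    """Build a constructed test message; all values are placeholders."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "customer@example.org"
    m["Subject"] = "Payment order"
    m.set_content("Please see the attached payment order.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    # Constructed sample: bank display name, unrelated domain, disguised .exe.
    raw = build_sample('"Example Bank" <office@mailer.example>',
                       "payment_order.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    for w in check_message(raw, "examplebank.example"):
        print("WARNING:", w)
```

A fully spoofed From address passes the domain check, so the two attachment checks still matter for such messages.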
Why is it not advisable to pay the sums demanded by cybercriminals?
- There is no guarantee that the attacker will honor the promise and restore access to the data.
- If they pay, the victims can be targeted again by the attackers, as they build a history of paying in the eyes of the criminals.
- Each amount of money transferred helps ransomware developers build even more complex versions and increases the scale of this phenomenon. Attackers use virtual currency (Bitcoin, Litecoin, Ethereum, etc.) and it is virtually impossible for the money to be tracked.