
Watch Out For Invoice Emails That Include Encrypted Docs

By Jason Manteiga | May 9, 2017 (updated March 1st, 2023) | Cybersecurity

Hackers have once again pushed the envelope. They’ve come up with yet another way to infect target computers and get around whatever detection software is in place. The latest twist is sending encrypted Word files to your employees.

These files are accompanied by an email, describing the attachment as an invoice for some service your company has supposedly paid for. The instructions in the email helpfully include a password that can be used to open the file.

If a user double-clicks the attachment, sure enough, they’re presented with a password prompt. Typing in the password brings up a Word document that contains several other embedded docs.

If the user clicks on any of the embedded documents, they’ll be prompted to run a VBScript. If they click “yes”, then instead of the expected Word file opening, the Ursnif keylogger is installed.

This keylogger not only logs all of the user’s keystrokes from that point on and stores them in an archive file, but also includes notes on any applications that are opened and copies of any files that are created. In addition, it makes copies of anything placed on the user’s clipboard.

The archive files created by the malware are then periodically shipped, via Tor, to the hackers for review.

It’s an amazingly effective solution, and it works because when a Word file is password protected, it becomes encrypted, which makes it harder for most antivirus software to detect any malware it might contain. It also relies heavily on social engineering, because after all, you’ve got diligent employees who want to do a good job, and will want to promptly pay their invoices. This is the key that gets a surprising percentage of them to open the poisoned files in the first place.
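The evasion described above (a password-protected Office file is an encrypted container, so scanners cannot see its contents) is exactly what a mail gateway can key on: an Office attachment that is encrypted, arriving together with a message body that hands over the password. The scanner below is an added example, not code from the original post or from Olmec Systems; the function names, the regex and the sample “invoice” mail are all constructed here. It relies on the fact that an encrypted .docx/.xlsx/.pptx is an OLE2 compound file whose directory contains the streams EncryptionInfo and EncryptedPackage (stored as UTF-16LE), so no full OLE parser is needed to fingerprint it.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# A password-protected OOXML file wraps the real ZIP package in an OLE2
# container that always holds these two streams; directory entry names
# are UTF-16LE, so a raw byte search is enough to fingerprint them.
# (Legacy binary .doc encryption sets a header flag instead; not covered.)
ENCRYPTED_STREAMS = [s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage")]
OFFICE_EXT = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx")
# Constructed heuristic: "the password is X" / "password: X" in the body.
PASSWORD_RE = re.compile(r"\bpass(?:word|code)\b\s*(?:is|:)\s*\S+", re.I)


def is_encrypted_ooxml(data: bytes) -> bool:
    """True if the bytes look like an encrypted OOXML (OLE2) container."""
    return data.startswith(OLE_MAGIC) and all(s in data for s in ENCRYPTED_STREAMS)


def scan_message(raw: bytes) -> dict:
    """Flag mails that pair an encrypted Office attachment with a password in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = {"password_in_body": bool(PASSWORD_RE.search(text)),
                "encrypted_attachments": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXT) and is_encrypted_ooxml(part.get_payload(decode=True)):
            findings["encrypted_attachments"].append(name)
    findings["suspicious"] = findings["password_in_body"] and bool(findings["encrypted_attachments"])
    return findings


def build_sample() -> bytes:
    """Constructed sample: an 'invoice' mail carrying a fake encrypted .docx."""
    fake_doc = OLE_MAGIC + b"\x00" * 64 + b"".join(ENCRYPTED_STREAMS)  # not a real document
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice 4471 (encrypted)"
    msg.set_content("Please find attached the invoice. The password is 1234.")
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="Invoice_4471.docx")
    return bytes(msg)


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A hit here is a quarantine-and-verify signal rather than proof of malware, since legitimate encrypted invoices exist; the point is that the password in the body removes any confidentiality justification for the encryption.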

As ever, education is the order of the day here, and by far the best method of minimizing the impact of such an attack on your organization. Now would be a good time to remind all employees never to open attachments sent to them by unknown parties, and even if the sender is known, a great second step is to pick up the phone and call for verification. Such steps can save you a lot of grief, and a lot of money.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for the past 20 years. He believes that having a great work environment and a supportive team is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor’s Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMware VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.