Akankasha Dewan 29 April 2020 18:21:25 AEST 4 MIN READ

Email containing an “updated statement of account” delivers malicious payload

A new email scam has been intercepted by MailGuard, this time masquerading as an email containing an “updated statement of account”.

Titled “Payment Confirmation”, the email uses the display name “Ken Moore”. It actually originates from a single compromised email address created ad hoc for this scam. The recipient’s email address is included in the “To:” field.

The body of the email is addressed to “Dear Supplier” and asks the recipient to forward an included “statement of account to ensure your payment are processed in timely manner henceforth”. A link to a .xls file is included, titled “Payment Confirmation 28th April 2020”. In case of any issues, recipients are advised to contact AP Helpdesk at an email address using a domain belonging to hydrobotic.com. The email ends with a signature from Ken Moore, including his designation and a link to his company website, which also appears to be hosted on hydrobotic.com.

Here is a screenshot of the email:


Unsuspecting recipients who click the link to view the statement are taken to a download page hosted on Google Drive. The page itself is blank apart from a dialog informing users that no preview of the file is available; a button is offered to download the file instead, as per the screenshots below.



Clicking the button opens another window asking users to save a .VBS file, as shown below. This is a malicious payload that, once downloaded, is designed to infect the recipient’s system.


We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

As you can see from the screenshots above, cybercriminals have employed multiple elements to trick recipients. Here are some of them:

  • The use of an email subject like “Payment Confirmation”, along with the date the email was sent. This creates intrigue among recipients, who may be curious enough to click on the link in the email without pausing to check for its validity.
  • Interestingly, Ken Moore’s signature indicates he is from Hydrobotics.com, yet the domain used in his email address is "hdrobotlc.com" – a sneakily similar domain designed by cybercriminals to trick distracted recipients into thinking that the email is actually from someone in the organisation.
  • The detailed signature of the supposed sender, Ken Moore, indicates he is from the accounting department. This also helps to boost the credibility of the email as it is likely for payment statements to be sent from someone from the accounting department, thereby not raising any alarm bells.

Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the email doesn’t address the recipient directly, and that the .XLS file mentioned in the email opens a .VBS file.
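As an added illustration (not part of MailGuard’s post or product), here is a small Python filter that runs the red-flag checks described above over a constructed message modelled on this email: a generic salutation, a sender domain that is a near-miss of the domain in the signature, and a link that promises a .xls but delivers a .vbs. The message fields, sample addresses and the edit-distance threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the email described above (not the real message).
SAMPLE = {
    "from": "Ken Moore <ap.helpdesk@hdrobotlc.com>",          # sender's real domain
    "body": "Dear Supplier,\nPlease see the statement of account: "
            "Payment Confirmation 28th April 2020.xls\n"
            "Ken Moore, Accounts Payable\nhttps://www.hydrobotic.com/about",
    "claimed_ext": ".xls",                                    # what the link text promises
    "downloaded": "Payment Confirmation 28th April 2020.vbs",  # what actually arrives
}
SCRIPT_EXTS = {".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; small but non-zero between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude 'www.' stripping; a production filter would use the public suffix list."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def sender_domain(from_header: str) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return registrable(m.group(1)) if m else ""

def referenced_domains(body: str) -> set:
    """Domains of every http(s) URL in the body (here: the signature's website link)."""
    return {registrable(urlparse(u).hostname or "") for u in re.findall(r"https?://[^\s<>]+", body)}

def check_email(msg: dict) -> list:
    """Return the red flags found; an empty list means none of these checks fired."""
    flags = []
    if re.match(r"\s*dear\s+(supplier|customer|sir|madam|user)\b", msg["body"], re.I):
        flags.append("generic salutation")
    sender = sender_domain(msg["from"])
    for dom in sorted(referenced_domains(msg["body"])):
        d = levenshtein(sender, dom)
        if 0 < d <= 3:   # assumed threshold: 1-3 edits away is a likely lookalike
            flags.append(f"lookalike sender domain: {sender} vs {dom} (distance {d})")
    actual_ext = "." + msg["downloaded"].rsplit(".", 1)[-1].lower()
    if actual_ext != msg["claimed_ext"].lower():
        flags.append(f"link promised {msg['claimed_ext']} but delivered {actual_ext}")
    if actual_ext in SCRIPT_EXTS:
        flags.append(f"downloaded file is an executable script ({actual_ext})")
    return flags

if __name__ == "__main__":
    for flag in check_email(SAMPLE):
        print("RED FLAG:", flag)
```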

While MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open or click them.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.

Don't get scammed

If your company’s email accounts aren’t protected, emails like the one above are almost certainly being received by your staff. Cybercriminals know people can be tricked; that’s why they send out millions of scam messages and put so much effort into making them look convincing.

People are not machines; we're all capable of making bad judgement calls. Without email filtering protecting your business, it’s just a matter of time before someone in your organisation has a momentary lapse of judgement and clicks on the wrong thing.

One email is all that it takes

All that it takes to break into your business is a cleverly worded email message. If scammers can trick one person in your company into clicking on a malicious link, they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.
