Cybersecurity experts say cybercriminals are spreading malware through email spam that alleges interference in the recent U.S. election.
Cybersecurity vendor Malwarebytes Labs reports the spammers are sending out emails with attachments containing QBot, a decade-old banking Trojan that collects browsing data and steals banking and financial information from victims.
“At the core of the malware attacks we witness each day are typical social engineering schemes,” Malwarebytes wrote. “World events such as the COVID pandemic or the U.S. elections provide ideal material to craft effective schemes resulting in high infection ratios.”
The malicious emails typically are disguised as replies to existing threads and contain a zipped file that appears to be a DocuSign file but is an Excel spreadsheet containing malware, the company said.
In addition to infecting the victim who downloaded the attachment in the spam email, QBot can also hijack the victim’s email threads and infect others, said Ragnar Sigurdsson, CEO and co-founder of AwareGO, a security training firm. As the malware spreads through email threads, recipients are “tricked into thinking that a legitimate conversation is being continued.”
Criminals use controversial events such as the U.S. election to prey on victims eager to reinforce their beliefs, other cybersecurity experts said.
“We are more inclined to open emails and click on links in them if they promise us information that could be valuable or important to us,” Sigurdsson told the Washington Examiner. “The stakes are high with the U.S. elections and their results; people are desperate for news no matter how they voted.”
The potential good news is that this scheme is limited in scope, said Kacey Clark, a threat researcher at digital risk firm Digital Shadows.
“This campaign maintains geopolitical parameters, limiting potential targets,” Clark told the Washington Examiner. “In contrast, COVID-19 affected worldwide populations, and phishing campaigns that leveraged COVID-19-themed lures carried a much wider target audience.”
As the election gets resolved, criminals will move on to other schemes, Clark added. “The United States presidential election is a heavy-hitting topic right now; however, cybercriminals will likely exploit the next large-scale event, such as Brexit, for example, while conducting future campaigns,” she said.
Nevertheless, computer users should be careful with emails related to world events, cybersecurity experts said. “The best way to stay safe is to trust no email, ever,” Sigurdsson said. “Always be suspicious. Even if it comes from a known sender and is a part of an ongoing email conversation.”
Avoid clicking on links or attachments in these emails, he added.
Especially with emails about current events, recipients should double-check the sender’s identity, added Chloe Messdaghi, vice president of strategy at Point3 Security.
“It’s so important for everyone to double-check every little detail, beginning with the sender’s details. It’s so easily done,” she said.
Some popular email environments show the sender’s actual address automatically. Others allow recipients to check by clicking on the sender’s name. “This simple step sounds obvious to those in the know, but it’s amazing how many either don’t know or don’t take this important first step,” she said. “Unfortunately, this clever approach first appears disguised as a response to an ongoing chain, which helps establish trust by fooling recipients into believing they’ve talked with the sender before.”
Recipients should click on the “from” field before opening these kinds of emails, she suggested.
If an email says “hi” or dives into the topic without using the recipient’s name, that should raise suspicions, she added. Emails with purported DocuSign attachments are sketchy right now, and “any link that takes you to an Excel sheet is not legit.”
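The lure described above (a reply-style email carrying a zip whose contents are an Excel file under a DocuSign name) can be checked mechanically before anyone opens the attachment. The Python script below is an added example, not code from Malwarebytes or any source quoted in the article; the sample message, its addresses and file names, and the extension list are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

SPREADSHEET_EXT = (".xls", ".xlsx", ".xlsm", ".xlsb")  # assumed list of Excel extensions

def triage(raw: bytes) -> dict:
    """Report the traits the article describes for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    report = {
        "sender_display": display,
        "sender_address": address,  # the address to verify, not the display name
        "looks_like_reply": bool(msg.get("In-Reply-To"))
        or str(msg.get("Subject", "")).lower().startswith("re:"),
        "zipped_spreadsheets": [],
        "docusign_lure": False,
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # lists names only, extracts nothing
            members = zf.namelist()
        sheets = [m for m in members if m.lower().endswith(SPREADSHEET_EXT)]
        report["zipped_spreadsheets"] += sheets
        if sheets and "docusign" in (name + " ".join(members)).lower():
            report["docusign_lure"] = True
    report["suspicious"] = bool(report["zipped_spreadsheets"]) and (
        report["looks_like_reply"] or report["docusign_lure"])
    return report

def build_sample() -> bytes:
    """Constructed sample: a reply-style mail with a zip holding a harmless .xls stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DocuSign_0001.xls", b"constructed placeholder, not a real workbook")
    msg = EmailMessage()
    msg["From"] = "Known Colleague <someone@unrelated.example>"
    msg["Subject"] = "RE: Q3 invoice"
    msg["In-Reply-To"] = "<constructed-id@corp.example>"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DocuSign_0001.zip")
    return msg.as_bytes()
if __name__ == "__main__":
    print(triage(build_sample()))
```

The report keeps the display name and the real address side by side so a reviewer can compare them, which is the check the article recommends doing by hand.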