Fake Western Union Email Attachment Installs Cryptowall

We're blocking a fake Western Union email spam campaign with a vbs (VB Script) attachment that installs the dangerous Cryptowall trojan malware. This email does NOT come from Western Union. In case one of these gets past your antispam or antivirus system, do not preview or open the email and do not download or run the attached vbs file.

Get instantaneous updates on the latest email spam. Follow us on Twitter @SpamStopsHere

Western Union Spam

We already block vbs attachments for our customers, as should everyone, but we sometimes like to dig a little deeper to see if we can uncover additional useful information.

One of our threat analysts was curious about an email with a particular vbs (VB Script) attachment. The email instructs the recipient to update their Western Union credentials by executing the attached vbs file. Not surprisingly, that's a bad idea. Doing so will install the Cryptowall trojan.

The subject line of the email is:

     CONFIDENTIAL - Your New Western Union Credentials 8 April 2015

The message body (partially redacted) is:

Please see your Western Union Translink Credentials attached. You need to download and access the file attached to this e-mail called Credentials.vbs Your Credentials will be automatically updated upon accessing the file. Your machine might ask you to allow the file to run so please do allow it. For CONFIDENTIAL reasons PLEASE ONLY do this from your Western Union Computer. If you have received this e-mail by error and you are not the person in charge with the Western Union system. Please forward this e-mail to the person in charge with the Western Union Translink System. You will need Microsoft Office to open the file. This update is mandatory. Shall you have any questions please speak to me directly at 800-xxx-xxxx ext #xxx <name redacted> - Head of Operations & Technology - Western Union Western Union Senior Executive <redacted>@westernunion.com 800-xx-xxxx ext #xxx id=<redacted>

How It Slips Past Antivirus

The vbs file attached to the email is small but dangerous. If executed, it downloads and opens a Word doc file with a similar name that contains VBA macros. The VBA code then downloads an exe file (again, with a similar name), which appears to be a variant of Cryptowall.

Western Union Spam

Fake Western Union email vbs attachment installs Cryptowall trojan

VB Script is built into Windows and its use is widespread. Although recent versions of Outlook block vbs attachments from running by default, this one is easy to execute accidentally.

To get instantaneous updates on the latest email spam, follow us on Twitter @SpamStopsHere

Your antivirus system might not recognize the threat because the vbs file (the file you would most likely scan) does not directly point to or download Cryptowall. As of yesterday, only 6/56 antivirus vendors detected the vbs file as malicious and only 8/56 detected the doc file it downloads.

This is an ongoing problem for traditional antivirus vendors They are less and less able to detect zero-day threats because they only scan the downloaded file. Cloud antispam analyzes the entire delivery mechanism and global traffic patterns for spammy behavior, which we have learned how to detect almost instantly.

We've discussed this issue before, that antivirus programs can't keep up with today's quickly changing email threats.


SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.

If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam with a false positive rate of less than 0.001%. That means we block fewer that 1 out of 100,000 good emails, which is why businesses and professionals love our service.

Click here for more about SpamStopsHere and our 24/7/365 live support

Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.