Western Union Spam
We already block vbs attachments for our customers, as should everyone, but we sometimes like to dig a little deeper to see if we can uncover additional useful information.
One of our threat analysts was curious about an email with a particular vbs (VB Script) attachment. The email instructs the recipient to update their Western Union credentials by executing the attached vbs file. Not surprisingly, that's a bad idea. Doing so will install the Cryptowall trojan.
The subject line of the email is:
CONFIDENTIAL - Your New Western Union Credentials 8 April 2015
The message body (partially redacted) is:
How It Slips Past Antivirus
The vbs file attached to the email is small but dangerous. If executed, it downloads and opens a Word doc file with a similar name that contains VBA macros. The VBA code then downloads an exe file (again, with a similar name), which appears to be a variant of Cryptowall.
VB Script is built into Windows and its use is widespread. Although recent versions of Outlook block vbs attachments from running by default, this one is easy to execute accidentally.
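The attachment-type block described above can be written as a gateway-side check that looks only at each attachment's final extension, so it works even when no antivirus signature recognizes the script. This is an added example, not SpamStopsHere's own code; the extension list beyond .vbs, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# .vbs is the type this article covers; the other script extensions are an
# assumed, illustrative policy.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def final_extension(filename: str) -> str:
    """Lower-cased last extension, ignoring trailing dots/spaces that Windows drops."""
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of all parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() also descends into forwarded (message/rfc822) messages
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / encoded filenames
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message; the attachment body is an inert placeholder."""
    m = EmailMessage()
    m["Subject"] = "CONFIDENTIAL - Your New Western Union Credentials 8 April 2015"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("Constructed body text.")
    m.add_attachment(b"placeholder bytes, not a real script",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("credentials.vbs", "Credentials.PDF.VBS", "statement.pdf"):
        verdict = "BLOCK" if blocked_attachments(build_sample(fn)) else "allow"
        print(f"{fn}: {verdict}")
```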
Your antivirus system might not recognize the threat because the vbs file (the file you would most likely scan) does not directly point to or download Cryptowall. As of yesterday, only 6/56 antivirus vendors detected the vbs file as malicious and only 8/56 detected the doc file it downloads.
This is an ongoing problem for traditional antivirus vendors. They are less and less able to detect zero-day threats because they only scan the downloaded file. Cloud antispam analyzes the entire delivery mechanism and global traffic patterns for spammy behavior, which we have learned how to detect almost instantly.
We've discussed this issue before, that antivirus programs can't keep up with today's quickly changing email threats.
SpamStopsHere is updated every two minutes, 24/7/365. Because it works in the Cloud, spam filtering updates take effect immediately without the user downloading or installing anything.
If you're having trouble keeping up with these threats, consider trying SpamStopsHere FREE for 30 days. It blocks 99.5% of spam with a false positive rate of less than 0.001%. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.
Marks used in this article are the properties of their respective owners. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.