Canada Revenue warning scam uses .MSG attachment
Howard Solomon @HowardITWC
Published: October 12th, 2016

Everyone loves to hate the Canada Revenue Agency. Unfortunately, criminals apparently love the tax man too: they keep finding ways of leveraging Canadians' fear of the agency to lure them into malware.

Often it's fraudulent phone calls in the spring claiming to be from the agency. But recently an email campaign was detected by Trustwave, which in a blog post Wednesday described how someone is using a .MSG email attachment, the format of Microsoft Outlook and Exchange message files, as the vehicle for malware. Some of this mail will likely land in the mailboxes of enterprises.

The subject line is "Canada Revenue Agency — Notification." The sender is made to look legitimate as "Canada Revenue Agency Online Mail."

The first clue that this is phoney is that it's email. Governments do NOTHING unsolicited by email; they love paper because it can be traced.

The second clue is the body of the text: it's addressed to "Dear Taxpayer."

Lesson: do not open the attachment, which purports to be a case file.

What's more interesting to our readers is Trustwave's analysis of the malware. Opening the attachment, researchers found a number of files and four folders. Two of the folders contain images of spoofed PDF files with spoofed file names, while the third holds a compressed file containing another OLE file. Inside that file is another compressed file with JavaScript.
When it runs, the JavaScript downloads a malicious executable from a command-and-control server: a Trojan which injects its code into a running Windows Explorer (explorer.exe) process and then downloads the Zbot banking Trojan, which can intercept network traffic and steal system information, online banking credentials and passwords.

"We don't often see malicious files embedded in .MSG file attachments," notes Trustwave. "It represents yet another technique used by cybercriminals to bypass email gateways. While extracting the malicious JavaScript object, we encountered layers of compression that would perhaps be difficult for some antivirus products to detect."

The lesson for infosec teams at organizations that use Outlook is to pass the word that employees should be wary of opening .MSG files. By default, Outlook will prompt users with a warning that some objects in the message may contain a virus.

Trustwave calls this hunt for the malware package going down the rabbit hole. For young threat researchers it's a lesson on how to do it.
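The two points above, that the lure hides an OLE container inside a .MSG attachment and that it dresses images up as PDFs, both come down to one gateway habit: identify an attachment by its leading bytes, not by the name the sender gave it. The script below is an added example written for this article, not code from Trustwave's write-up or from the campaign. It uses only the Python standard library, builds a constructed lookalike of the lure (placeholder addresses on example.invalid, an OLE header with padding standing in for a real .msg, and a PNG header named as a PDF), and flags OLE compound files, .MSG attachments and name/content mismatches. The finding labels and the list of magic values are this example's own choices.

```python
"""Mail-gateway style check for Outlook .MSG attachments.

Added example, not from the Trustwave write-up or the article: identifies
attachments by their leading magic bytes rather than by the file name the
sender chose, flags OLE compound files (the container format of Outlook
.MSG files) and name/content mismatches such as an image named *.pdf.
Only the Python standard library is used; the sample message built in
build_sample() is constructed here and is not a real phishing email.
"""
import email
from email import policy
from email.message import EmailMessage

# Header of every OLE compound file (.msg, legacy .doc/.xls, ...).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Leading bytes -> content label. First match wins.
MAGIC = [
    (OLE_MAGIC, "ole"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]

# Sniffed content that is legitimate for a declared extension.
EXPECTED = {
    "pdf": {"pdf"}, "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"},
    "zip": {"zip"}, "msg": {"ole"}, "doc": {"ole"}, "xls": {"ole"},
}


def sniff(data: bytes) -> str:
    """Return a content label from the first bytes, or 'unknown'."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list:
    """Return finding strings for one attachment; an empty list means clean."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind == "ole":
        # OLE containers can carry embedded objects; always worth a look.
        findings.append("ole-container")
    if ext == "msg":
        findings.append("msg-attachment")
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        # e.g. an image or OLE file handed to the user as "case_file.pdf"
        findings.append(f"extension-mismatch:{ext}!={kind}")
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message; return (filename, kind, findings) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()  # bytes for non-text parts
        if isinstance(data, str):
            data = data.encode()
        results.append((name, sniff(data), check_attachment(name, data)))
    return results


def verdict(raw: bytes) -> bool:
    """True when at least one attachment should be held for review."""
    return any(findings for _, _, findings in scan_message(raw))


def build_sample() -> bytes:
    """Constructed lookalike of the lure: a .msg attachment plus a fake 'PDF'."""
    m = EmailMessage()
    m["Subject"] = "Canada Revenue Agency - Notification"
    # Placeholder addresses; only the display name mirrors the lure.
    m["From"] = "Canada Revenue Agency Online Mail <noreply@example.invalid>"
    m["To"] = "taxpayer@example.invalid"
    m.set_content("Dear Taxpayer,\n\nPlease review the attached case file.\n")
    fake_msg = OLE_MAGIC + b"\x00" * 504  # OLE magic plus padding, not a real .msg
    m.add_attachment(fake_msg, maintype="application",
                     subtype="vnd.ms-outlook", filename="case_file.msg")
    fake_pdf = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # PNG bytes named as a PDF
    m.add_attachment(fake_pdf, maintype="application",
                     subtype="pdf", filename="CRA_Notice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, kind, findings in scan_message(build_sample()):
        print(f"{name:16} {kind:8} {findings or 'clean'}")
```

Sniffing by magic is deliberately independent of the declared MIME type and extension: the .MSG here would be caught even if renamed, and the PNG is reported as a mismatch because a file called CRA_Notice.pdf does not begin with %PDF-. A real gateway would go on to open the OLE container and walk its streams, which is the rabbit hole Trustwave describes; this example stops at the decision to hold the message.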