Chances are you’re expecting at least one package to be delivered to your home before Christmas. And even if you didn’t order something, receiving a notice that someone tried to deliver a package — a gift perhaps? — to your door probably wouldn’t surprise you.
But if you receive that notice via email, do not click on it.
Our friends at Proofpoint have discovered instances of Zeus Panda banking trojan campaigns that use packages as lures targeting Canadian companies:
For example, on November 13, we observed malicious emails with the subject “Your package is ready to be picked up” containing URLs linking to Microsoft Word documents such as “receipt-package-5a0a062cae04a.doc”. The documents used macros to download Zeus Panda.
F-Secure Labs has spotted a similar campaign spreading the TrickBot banking trojan with subject lines such as “Your Payment – 1234”. But given the holiday season, let’s focus on the gift package lure for now.
If you click on the links in one of these emails, you’ll be sent to a landing page that triggers the download of a Microsoft Word document.
Hit the “Enable Content” button and you’re infected.
F-Secure Labs reported earlier this year that the trust that customers have for their favorite retailers is often exploited by spammers. Criminals can rightly assume that you likely have a package coming from USPS, Amazon or FedEx because we almost always do. Especially now.
What’s interesting to Sean Sullivan, Security Advisor at F-Secure, is the use of the Zeus Panda banking trojan, which was first spotted by our Labs in March of 2016.
Unlike their fellow trojans ransomware, banking trojans will not make themselves immediately known after infection to demand a payment. Instead, they stealthily scan your PC for credit card numbers or documents that could used for espionage or extortion.
“This is probably about scraping credit card numbers to use to purchase items sell items through ecommerce using fraud,” Sean told me.
Banking trojans can be a bonanza for criminals when they infect a machine ripe with private financial data like, say, the a point-of-sale computer at a local flower shop, Sean explained. But using stolen credit card numbers is increasingly difficult as credit card companies have improved their anti-fraud algorithms. Monetizing this information may require multi-step operations that involve selling an item on a third party site and then using the card to purchase it and have it sent to the buyer’s address, leaving law enforcement unable to easily track the culprit down.
Demanding a ransom via malware is much more direct and effective, which is why ransomware has become so pervasive — even if Bitcoin can be hard to spend. But the emergence of banking trojans in the spam campaign suggests criminals may be taking up new strategies.
“It could be that criminals are going back to old business models,” Sean said. “Or they could be adding a layer to do a little assessment to discover if they found a machine particularly worth ransoming.”
Once infected by Zeus Panda, your machine could served up crypto-ransomware any time. Or in the current landscape, F-Secure Labs thinks it’s likely we’ll see the emergence spam spreading crypto-miners for various alt-coins like Monero that have been designed to run stealthily on your PC.
“You’ll think ‘Hey, my computer slow!’ but you won’t know why,” Sean said.
Or, perhaps, criminals are veering away from ransomware for a pretty obvious reason — Bitcoin, the payment method most common to ransomware scams, is in the middle of a wild boom that has seen gains and losses of thousands of dollars in just a day or hours.
“If you’re trying to extort people when you’re dealing with skyrocketing ‘currency,’ you need to do it one-by-one or you need some wild automation in a portal that gets you near the conversion rate.” Sean said. “How do you build a business on top of that?”
And it’s not just Bitcoin. Ethereum and other “crypto-currencies” — which Sean points out are neither “crypto” or “currencies” (they’re not really about encryption and they’re more like a commodity) — are shooting up as well.
F-Secure Labs research has found that customer service is a key part of the ransomware business model. How do you tell a customer what they owe when the price varies by the hour?
Or maybe the ransomware business is drying up a bit and criminals have to do more work to get big returns.
“Businesses are fat targets but businesses are also more likely to have backups,” Sean said. “You may need a longer play to aim at targeting a business specifically by stealing documents that could be used to extort them.”
Regardless of what the criminals are up to, you need to be on guard against shipping notices you don’t expect — especially from Tuesday afternoon to Wednesday morning, the times our Labs have found spammers to be the busiest.
Go directly to your retailer or shipper if you’re worried about a package. And if you get an expected notice, never click on any links or attachments in the email. Make sure you’re running an updated internet security solution like F-Secure TOTAL that blocks Zeus Panda. And never take the step of inviting a trojan into your life by clicking on the “Enable Content” button, any time of year.