Thanksgiving has become the busiest shopping period of the year, sitting right before the Christmas holidays begin.
Black Friday and Cyber Monday deals draw more people online than ever, and that crowd gave an old problem, the Emotet malware, a reason to resurface this year.
Roughly two weeks before Thanksgiving, the malware went out by email disguised as a season's greetings message.
The emails went as far as imitating major U.S. financial institutions to win the trust of unsuspecting recipients.
With digital sales growing at unprecedented rates, criminals increasingly use the online shopping season to steal identities, sensitive information and money.
Emotet, a banking trojan that has since turned into a general-purpose malware loader, was active through mid-2018, went quiet in October of this year, and returned about a month later.
A Phishing Attack Back in New Form
In that short gap the operators revised the malware: it now ships with a new email-harvesting module that copies up to 16KB of the body of each message in a victim's mailbox, which lets the botnet build phishing lures far more convincing than the ones it used before.
The campaign was first spotted by Cofense, a firm that specializes in providing companies and individuals with the tools to defend against such phishing attacks.
While the team was watching for holiday-season attacks, they spotted Emotet being distributed under the name of a trusted brand, so that people would be convinced to click and open the attached files.
The messages looked even more legitimate because the links in them were wrapped by Proofpoint URL Defense, a service that rewrites the links in incoming email so it can scan them when they are clicked.
It is designed to help users safeguard themselves from clicking malicious links.
For the attackers it became an asset: a recipient who hovers over a link sees a urldefense.proofpoint.com address that looks as if it has already been checked, while the real destination stays hidden inside the wrapper.
Cofense's assessment is that the attackers did not have access to Proofpoint at all; the wrapped links were simply copied from mail that the email-scraping module had harvested from an already compromised account.
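The hover check described above is only useful if you can see past the wrapper. The helper below, added here as an example and not code from the original article or from Cofense or Proofpoint, unwraps a URL Defense v2 link to its underlying destination. It assumes the widely documented v2 encoding (target in the `u` parameter, `/` written as `_`, other reserved bytes as `-XX` hex); the sample link and its `d`/`c`/`r`/`m`/`s`/`e` parameter values are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of address a recipient sees on hover when a
# message has passed through URL Defense. The trailing parameters are dummies.
SAMPLE_LINK = (
    "https://urldefense.proofpoint.com/v2/url?"
    "u=https-3A__www.example.com_invoice_view-3Fid-3D42&"
    "d=DwMFAg&c=AAAA&r=BBBB&m=CCCC&s=DDDD&e="
)


def is_url_defense(link: str) -> bool:
    """True if the link is a URL Defense wrapper rather than a direct URL."""
    host = urlparse(link).netloc.lower()
    return host == "urldefense.proofpoint.com" or host.endswith(".urldefense.proofpoint.com")


def decode_v2(link: str) -> str:
    """Recover the destination from a v2 wrapper (assumed encoding, see lead-in).

    The 'u' parameter holds the target with '/' replaced by '_' and every
    other reserved byte written as '-XX'. Reverse both, then percent-decode.
    """
    params = parse_qs(urlparse(link).query)
    if "u" not in params:
        raise ValueError("no 'u' parameter: not a v2 wrapper")
    encoded = params["u"][0]
    with_slashes = encoded.replace("_", "/")
    percent_form = re.sub(r"-([0-9A-Fa-f]{2})", lambda m: "%" + m.group(1), with_slashes)
    return unquote(percent_form)


def real_destination(link: str) -> str:
    """Where the user actually lands: unwrap if wrapped, else return as-is."""
    return decode_v2(link) if is_url_defense(link) else link


def hover_is_misleading(link: str) -> bool:
    """True when the hover text shows a scanner's domain, not the target's."""
    return is_url_defense(link) and urlparse(real_destination(link)).netloc != urlparse(link).netloc


if __name__ == "__main__":
    print("hover shows :", urlparse(SAMPLE_LINK).netloc)
    print("really goes :", real_destination(SAMPLE_LINK))
```

Run it on a wrapped link from a suspicious message and compare the printed destination host with the brand the email claims to come from; the wrapper's own domain tells you nothing about that.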
The Contents of the Emotet Email
The security professionals at Cofense explained how the pieces fit together.
Each email carried a Word document containing macro code that runs as soon as the recipient opens the file and enables macros.
Once that happens the macro downloads and launches Emotet, and nothing from that point on is visible to the user.
The secondary payload Emotet then fetched was IcedID, a banking trojan well known to security researchers.
Paired with the email-scraping module, every new infection fed the botnet more harvested mail, and therefore more convincing lures for the next round of recipients.
According to Cofense, over 20,000 stolen credentials were used by botnet clients to send the phishing mail, which reached millions of people within a short period of time. All of the messages posed as a financial institution and urged the recipient to make a payment and open the attached file.
Personalized Thanksgiving Message to Lure Victims
The Emotet campaign that began before Thanksgiving with fake messages from financial institutions did not stop there.
The attackers followed up by sending at least 27,000 email messages within 10 hours to unsuspecting victims.
The underlying address list was clearly rich: many of the emails addressed the recipient by name alongside a Thanksgiving greeting.
Such personalized phishing tends to get better results, and anyone who opened the attached .doc received not a binary Word file but a Word XML document carrying the macro that installs Emotet.
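A .doc attachment that is really an XML file is exactly the kind of mismatch mail gateways and responders can check for before anyone enables macros. The script below is an added example, not code from the article or from Cofense: it identifies the real container of an attachment from its bytes rather than its name and looks for macro indicators in each format. The sample attachments are constructed in memory; the OLE check is a heuristic on stream names, not a full parser, and the Word XML markers (`w:macrosPresent`, `w:binData`) are the ones the Word 2003 XML format uses for embedded VBA.

```python
import base64
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / .docm


def container_type(data: bytes) -> str:
    """Classify the attachment by content, ignoring its extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or b"<w:worddocument" in head:
        return "wordxml"
    return "unknown"


def has_macros(data: bytes) -> bool:
    """Best-effort macro detection per container type."""
    kind = container_type(data)
    if kind == "wordxml":
        # Word 2003 XML flags macros explicitly and stores the VBA project as a
        # base64 blob (an OLE container) inside <w:binData>.
        if re.search(rb'w:macrosPresent="yes"', data, re.I):
            return True
        for m in re.finditer(rb"<w:binData[^>]*>(.*?)</w:binData>", data, re.S):
            try:
                blob = base64.b64decode(m.group(1).strip(), validate=False)
            except ValueError:
                continue
            if blob.startswith(OLE_MAGIC):
                return True
        return False
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    if kind == "ole":
        # Heuristic: OLE directory entries are UTF-16LE stream names.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Summarise what a responder wants to know before opening the file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    expected = {"doc": {"ole", "wordxml"}, "docx": {"ooxml"}, "docm": {"ooxml"}}
    return {
        "filename": filename,
        "container": kind,
        "macros": has_macros(data),
        # .doc that is XML is legal but unusual; anything else mismatched is suspicious
        "xml_named_as_doc": ext == "doc" and kind == "wordxml",
        "extension_mismatch": ext in expected and kind not in expected[ext],
    }


# --- constructed samples -------------------------------------------------
GREETING_XML_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" '
    b'w:macrosPresent="yes"><w:body><w:p><w:r><w:t>Happy Thanksgiving</w:t>'
    b"</w:r></w:p></w:body></w:wordDocument>"
)
CLEAN_OLE_DOC = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")


def _make_docm(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Thanksgiving_greeting.doc", GREETING_XML_DOC),
                       ("statement.doc", CLEAN_OLE_DOC),
                       ("invoice.docm", _make_docm(True))]:
        print(triage_attachment(name, blob))
```

Anything reported with `macros` true, or with `xml_named_as_doc` true on an unsolicited greeting, should be detonated in a sandbox or dropped rather than opened on a workstation.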
Actual Impact of the Attack
There is no clear evidence of how successful the Thanksgiving wave of Emotet was.
With no reports emerging online, security experts at various firms could only estimate that it affected a lot of people, many of whom may still be unaware of it.
A full malware scan will find what is already on a machine; keeping Office macros disabled by default and treating unexpected greeting-card attachments with suspicion is what stops the infection in the first place.
Emotet has become noticeably more sophisticated, adding personalized messages to its long-standing habit of impersonating financial institutions.
The macro-based delivery is also more dangerous than before: because the attachment is no longer the binary .doc its name suggests, a quick look at the file tells the recipient little about what it will actually run once macros are enabled.