Notorious Emotet malware uses fake Windows update notifications to trick victims.
The brains behind one of the most notorious malware families in the world are taking new approaches to deceive potential victims. A new phishing campaign with a fake Windows Update alert is used to compromise victims’ systems.
The fraudulent emails do not mention anything about an upcoming update in the subject of the email or in the content itself. They follow the lead of phishing emails described in “Cybercriminal Manuals,” which borrow heavily from current issues such as COVID-19 or the tried-and-true classics such as fake shipping notifications, invoices, or job applications.
It is only when the attachment is opened that a fake update notification is foisted on the prospective victim. The following image was provided by the Bleeping Computer team and shows in detail what the new attack looks like.
The reason for the novel Windows Update method can be found in the yellow bar that appears when the attachment is opened. The Office family of products has built-in security mechanisms to protect the user from harmful mail attachments, and the “Protected View” warning shown in the picture is one of them. In this case the warning is clear: the attached files and documents may contain viruses. At this point, however, the system has not yet been infected. Infection with “Emotet” does not occur until “Protected View” is manually turned off and the document is switched to editing mode. The hackers achieve this via social engineering: the goal is to make the file look so credible that unsuspecting victims press the “Enable Editing” button. As is often the case with such fraudulent emails, a critical eye and a second reading are enough to detect the fraud. Besides the spelling mistake (it should be “upgraded”, not “upgrade”), Microsoft never notifies users about Office upgrades this way; normally only a message in the program itself informs about available updates.
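The mechanics above (a macro-enabled attachment whose visible text exists only to talk the reader into pressing “Enable Editing”) can be checked for automatically before a document ever reaches a mailbox. The following Python script is an added example, not code from the article, from Bleeping Computer, or from any Emotet analysis: it builds a constructed sample document in memory (a minimal OOXML container with a placeholder `vbaProject.bin`, not real VBA), extracts the document's visible text, and combines two signals, the presence of a VBA project and lure phrasing such as “Enable Editing” or the “need to be upgrade” slip the article points out. The pattern list and the block/review/allow thresholds are assumptions of this example and would be tuned to a real mail gateway.

```python
import io
import re
import zipfile

# Constructed sample body mimicking the lure described in the article
# (including its grammatical slip). Not taken from a real Emotet document.
LURE_BODY = (
    "Windows Update. Some apps need to be upgrade. "
    "These apps need to be upgrade. Click Enable Editing to proceed."
)

# Assumed lure phrasing worth flagging; tune for a real deployment.
LURE_PATTERNS = [
    r"enable\s+editing",
    r"enable\s+content",
    r"windows\s+update",
    r"need(s)?\s+to\s+be\s+upgrade\b",  # "upgrade" instead of "upgraded"
]


def build_sample_docm(body_text: str, with_macro: bool) -> bytes:
    """Build a minimal OOXML (zip) Word document for testing.

    The vbaProject.bin entry is a placeholder marker, not a real VBA project.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p>"
            "</w:body></w:document>" % body_text,
        )
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-VBA-PROJECT")
    return buf.getvalue()


def extract_visible_text(zf: zipfile.ZipFile) -> str:
    """Pull the text runs (<w:t>) out of every word/*.xml part."""
    text = []
    for name in zf.namelist():
        if name.startswith("word/") and name.endswith(".xml"):
            xml = zf.read(name).decode("utf-8", "replace")
            text.extend(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))
    return " ".join(text)


def analyze_office_doc(data: bytes) -> dict:
    """Classify an attachment as block / review / allow.

    block  : VBA project present AND lure phrasing in the visible text
    review : only one of the two signals, or a non-OOXML file we cannot parse
    allow  : neither signal
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls (OLE2) or a corrupt file: needs a different
        # parser, so hand it to a human rather than silently allowing it.
        return {"has_macro": None, "lure_hits": [], "verdict": "review",
                "note": "not an OOXML container"}
    with zf:
        has_macro = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        text = extract_visible_text(zf)
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if has_macro and lures:
        verdict = "block"
    elif has_macro or lures:
        verdict = "review"
    else:
        verdict = "allow"
    return {"has_macro": has_macro, "lure_hits": lures, "verdict": verdict}


if __name__ == "__main__":
    for label, doc in [
        ("lure + macro", build_sample_docm(LURE_BODY, True)),
        ("plain report", build_sample_docm("Quarterly report attached.", False)),
        ("macro, no lure", build_sample_docm("Quarterly report attached.", True)),
    ]:
        print(label, "->", analyze_office_doc(doc))
```

Two design points: the verdict deliberately requires both signals before blocking outright, because legitimate macro-enabled workbooks exist and legitimate documents occasionally mention editing; and a file that is not an OOXML zip is sent for review rather than allowed, since the parser's silence must never be mistaken for a clean result. Keep in mind that Protected View itself only engages for files carrying the Mark of the Web, so an attachment that is saved and reopened from a location that strips that mark loses this last line of defence.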
The first step in the fight against this type of malware is therefore to remain vigilant and learn to recognize dangers. Small differences in design or wording make the difference between harmless updates and dangerous malware.