Cybercriminals don't rest: they never stop trying new techniques or making new attempts to scam us, steal our data or, worse, steal our data in order to scam us. The ESET Spain blog recently warned that Formbook, one of the most active malware families in recent months, is now spreading through a new email campaign that impersonates Spanish banks. We explain how to recognize it and avoid it.
Who are they impersonating?
For now, the entities detected being used as cover for this new malware campaign are Banco Sabadell and Banco Santander. Here we show you a screenshot of the emails detected by ESET:
Of course, the same tactic can be applied to any institution, Spanish or foreign, so it is quite possible to come across a similar e-mail supposedly sent by a different bank.
How do they attract our attention?
The pretext used to get us to open the malicious attachment is, in the first case, a bank transfer receipt that we are urged to review, and in the second, a payment settlement. Both are documents whose subject matter makes it easy for a user to want to take a look at them.
What gives the e-mails away?
- In the Sabadell case, the mail appears to come from the entity's real email server (there are ways to spoof this, or one of their accounts may have been hijacked). However, it is very striking that they use a template that mentions the social network Google+, which has been gone for years.
- In the case of the fake Santander mail, the trap is much more obvious: after the @ sign we find the striking domain 'autocentrobernardino.es', obviously with no relation to the bank in question.
What about attachments?
Instead of the usual PDF file (the most logical option given the type of document it is supposed to be), we find compressed archives that contain:
- In one case, a .exe executable that launches GuLoader (a malware downloader that takes care of installing Formbook).
- In the other, a .vbs script that runs a PowerShell command with the aim of downloading and executing the malware on our system.
But what is Formbook, and what can it do to our computer?
Formbook is a type of malware specialized in stealing valuable information, known as an 'infostealer'. Specifically, it steals login credentials that it searches for and extracts from our PC (from email applications, web browsers, and FTP or VPN clients) and then sends them to the attackers over the Internet. They will later use them to access our personal information, or perhaps to send further malicious messages from our email account and so keep the cyberattack spreading.
What do you have to remember to check so as not to fall victim to this campaign or a similar one?
- Banks only send e-mails from their official domains. It costs nothing to Google the domain for a moment before opening an attachment or clicking a link.
- References in the e-mail to social networks that no longer exist, or poorly written text (bad spelling and/or grammar, or vocabulary typical of other varieties of Spanish when the company is from Spain) should make us suspicious.
- Nowadays, companies and institutions usually send their documents in PDF format. Be wary of any other format.
- Always keep a good anti-malware product installed and up to date on your system.
- Stealing credentials is much harder if we use a good password manager on our computer (and if, of course, we are not leaving those passwords saved in browsers and the like).
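The tells described above (a sender domain that is not the bank's, a template that still mentions Google+, and a compressed archive hiding a .exe or .vbs instead of a PDF) can be turned into an automated first-pass check. The script below is an added example written for this article; it is not code from ESET or from Genbeta. It parses a raw e-mail with Python's standard library, compares the sender domain against an allowlist, looks inside zip attachments for script or executable payloads, and flags mentions of defunct services. The allowlist domain `bank-example.es`, the two sample messages and the attachment contents are all constructed for the example; the phishing sample reuses the 'autocentrobernardino.es' domain mentioned in the article.

```python
"""Heuristic triage of a suspicious bank e-mail (added example, not from the article).

Checks, in order: sender domain against an allowlist, stale template text
(e.g. a long-dead social network), and attachments that are not a PDF,
including script/executable files hidden inside a zip archive.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed allowlist for the example; in practice, use the bank's published domains.
KNOWN_BANK_DOMAINS = {"bank-example.es"}

# Extensions that should never arrive as a "transfer receipt" or "payment settlement".
RISKY_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".bat", ".ps1", ".cmd", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}
DEFUNCT_SERVICES = ("google+", "google plus")


def _extension(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def _names_inside_zip(data):
    """Member file names of a zip archive, or [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(raw_bytes):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    # 1. Sender domain: banks only write from their official domains.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in KNOWN_BANK_DOMAINS:
        findings.append(f"sender domain not in allowlist: {domain or '<none>'}")

    # 2. Stale template text, e.g. a reference to Google+ in the footer.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    for service in DEFUNCT_SERVICES:
        if service in text:
            findings.append(f"mentions defunct service: {service}")
            break

    # 3. Attachments: a receipt should be a PDF, not an archive hiding a script.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"direct executable/script attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            for inner in _names_inside_zip(part.get_payload(decode=True)):
                if _extension(inner) in RISKY_EXTENSIONS:
                    findings.append(f"archive {name} contains {inner}")
        elif ext != ".pdf":
            findings.append(f"unexpected attachment type: {name}")
    return findings


def build_sample(sender, body_text, attachment_name, inner_name=None):
    """Construct a sample message; with inner_name, the attachment is a zip holding that file."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.net"
    msg["Subject"] = "Justificante de transferencia"
    msg.set_content(body_text)
    if inner_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, "placeholder")  # inert stand-in, not a real script
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attachment_name)
    else:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: one modelled on the campaign, one that passes every check.
PHISH = build_sample("Banco <avisos@autocentrobernardino.es>",
                     "Consulte el pago adjunto. Siguenos en Google+.",
                     "recibo.zip", "recibo.vbs")
LEGIT = build_sample("Banco <avisos@bank-example.es>",
                     "Adjuntamos su justificante.", "justificante.pdf")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw))
```

Run against the constructed phishing sample, `triage` reports the foreign sender domain, the Google+ mention and the .vbs inside the zip; the legitimate sample produces no findings. A real deployment would feed it .eml files from a mail gateway or quarantine and treat any finding as a reason to hold the message for review rather than deliver it.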
Images | Pxfuel (+ Banco Santander and Banco Sabadell logos), ESET