Good day, welcome to another bulletin from Breaking Scams…
Scam, just in…
We’ve written a lot about phishing emails that contain links which, if clicked, end in stolen data and login credentials. However, we have not yet talked about the other side of phishing: the phishing email attachment.
This week’s scam is an example of how malicious attachments can wreak havoc on your company.
This scam comes courtesy of a client. But there are many other examples of similar ruses which end the same way – a malware-infected machine, or even an infected network, and/or stolen data and login credentials.
This scam was a bit unusual compared to other scams we have covered, and it was also unusual as far as infected email attachments go. Let me tell you why.
The email was not branded. Often, phishing emails will use well-known brands to trick users into feeling the email is safe. Instead, this email had no body content at all, showing only the company email signature. The sting in the tail was the attached file, which was in the .eml format.
Interestingly, the email also came from a contact known to us – so the attacker had clearly made use of the victim’s address book / contact list to further propagate the attack.
The EML file format is the format of an email message itself – so the email had another email as an attachment. Normally, infected attachments arrive in your Inbox in the form of a PDF, Word, or Excel document. The reason for this is that those document formats can hide executable software code which runs when the document is opened. This code installs malware, such as ransomware and software that logs keystrokes, allowing cybercriminals to steal login credentials.
The email was also addressed to ‘anyone’, or in other words, it went to all contacts using BCC. This means it was mass-mailed: the attacker needs only a single person to open the .eml attachment for the result to be a disaster.
Security firm F-Secure found that 85 percent of malicious attachments were of the file types .ZIP, .DOC, .XLS, .PDF and .7Z. In this week’s scam, an EML attachment was likely used because it could more easily circumvent anti-malware software, i.e., it was able to get through the gateway technology used to trap phishing emails.
What Happens When You Open the EML File?
The answer to this is that it depends. This type of scam has been doing the rounds for not just years but decades. In 2001, a piece of malicious software called Nimda, a type of malware known as a “worm”, caused around $50 billion worth of damage. The EML file that contained the Nimda worm itself had an embedded audio file, which carried the infection.
Today, the modern equivalent of this scam is that the EML attachment opens a second email which contains malicious, but enticing, links. Click on a link and your machine becomes infected by malware, or you end up exposing personal data. The end result is always the same: the cybercriminal wins.
What to Do If You Receive This Type of Message
Because the .eml extension is caught less often by email gateways, you must train your staff to recognise this phishing email. Security awareness training is the best way to stop phishing-initiated malware infection.
Why not help your colleagues in infosec stay safe and share this post – or, alternatively, feel free to copy and paste the text below for sharing:
If you receive an email which has no content and carries an attachment, in particular a file with a .eml extension, do not under any circumstances open the attachment.
This is a phishing email and the attachment could either:
- Infect your machine with malware when you open it.
- Open another email which encourages you to click links. DO NOT click on any links.
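As an added example, not part of the bulletin, the script below uses Python’s standard-library `email` parser to flag the indicators described above in a raw message: a body that is empty apart from a signature, an attached message/rfc822 (.eml) part, and undisclosed recipients, and it lists any links found inside the nested message. The sample message is constructed for the demonstration; the “-- ” signature delimiter and the undisclosed-recipients check are assumed heuristics, not rules from the bulletin.

```python
from email import message_from_bytes, policy
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Constructed sample, not a real capture: signature-only body, undisclosed
# recipients, and a nested message/rfc822 (.eml) attachment carrying a link.
SAMPLE = b"""From: known.contact@example.com
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

--
Jane Doe | Example Ltd
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="message.eml"

From: known.contact@example.com

Please review your invoice: http://invoice-portal.example.invalid/login
--outer--
"""

def body_without_signature(msg):
    """Outer body text with the '-- ' signature block (RFC 3676, assumed) removed."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return re.split(r"(?m)^--[ \t]*$", text, maxsplit=1)[0].strip()

def nested_eml_urls(msg):
    """URLs in any text part of an attached message/rfc822 (.eml) message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            for sub in part.get_payload(0).walk():  # the embedded message
                if sub.get_content_maintype() == "text":
                    urls.extend(URL_RE.findall(sub.get_content()))
    return urls

def triage(raw):
    """Flag the indicators the bulletin describes for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "empty_body": body_without_signature(msg) == "",
        "eml_attachment": any(p.get_content_type() == "message/rfc822" for p in msg.walk()),
        "undisclosed_recipients": "undisclosed" in str(msg.get("To", "")).lower(),
        "urls_in_attachment": nested_eml_urls(msg),
    }
```

`triage(SAMPLE)` reports all three indicators as true and returns the link from the nested message, which is what a mail-gateway or SOC rule for this pattern would key on; an ordinary message with a real body and no .eml part reports none of them.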