Microsoft security researchers are warning consumers about a string of fraudulent emails, purportedly from MasterCard, telling card owners they need to click on an attachment to avoid an unwanted charge.
However, once clicked Cerber ransomware is installed.
Making matters more interesting is that these cybercriminals also had to include a fake set of instructions, supposedly from Microsoft, telling the intended victim how to open the attachment. These are needed because the malicious attachment used is a Microsoft Word document and any Word doc arriving from an untrusted source is shown only in Protected View and its macros are disabled. In this state the attachment is harmless so the bad guys have to give step-by-step instructions on how to open the doc and enable the macros to the malware can be downloaded.
Both the Microsoft and MasterCard messages are fairly easy to spot as fakes. The former is a bit better constructed as it contains a Microsoft logo, but the company points out that it never asks a consumer to enable a macro.
The MasterCard component is riddled with typos and punctuation errors and appears quite amateurish.
“There are some social engineering flaws in the attack emails. In our sample, the sender address does not spoof MasterCard or a bank, making it much less convincing. Also, the apparent use of automated code to copy the recipient local-name to the salutation section of the message and the file name of the attached document is a giveaway,” Microsoft wrote.
What does make this a somewhat effective tactic is the email is personalized with the victim’s name used in several places.
In addition, the use of a password protected Word document helps the email avoid detection and Microsoft’s researchers said the password may also make the document appear more legitimate to the target.