
Spammers leverage DMARC to more successfully distribute ransomware

By setting up email authentication so that their malicious messages pass the checks spam filters apply and land directly in inboxes, attackers are improving their chances of infecting users with TorrentLocker ransomware, according to researchers with Trend Micro.

These latest TorrentLocker emails use Domain-based Message Authentication, Reporting and Conformance (DMARC), a standard normally used to curb email abuse, Jon Oliver, senior architect with Trend Micro, said in a Tuesday email correspondence.

According to the DMARC website, DMARC protects 60 percent of global consumer mailboxes.

“It does this because many of the large ISPs use it to automatically monitor domains – typically those that are victimized by phishing,” Oliver said. “The owner of a domain can get reports from the ISPs which show how their domain is being abused.”

In this instance, DMARC is enabling the spammers to get information about what is happening to their malicious emails, and that data can be used to improve the delivery rate of their spam, Oliver said. He added that DMARC sometimes gives a “positive score” to emails that are “authenticated,” thus increasing the chances of spam being successfully delivered.
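To make concrete what DMARC reporting hands the owner of a sending domain, here is an added example (not code from the article or from Trend Micro) that parses a DMARC aggregate report and totals, per source IP, how many messages authenticated and what disposition the receiver applied. The report is a constructed sample in the aggregate-report XML shape defined by RFC 7489; the reporter name, domain, IPs and counts are made up, and the `.test` domains are reserved names. Whoever controls the domain, a legitimate sender or a spammer who registered it, receives this same data from every participating ISP.

```python
"""Parse a DMARC aggregate (RUA) report and summarize what it tells the domain owner.

Added example for illustration; not the article's or Trend Micro's code. SAMPLE_REPORT
is a constructed report in the RFC 7489 aggregate-report XML shape with made-up values.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one report from a receiving ISP covering a 24-hour window.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-isp.test</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1420070400</begin><end>1420156800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>sender-domain.test</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>850</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>sender-domain.test</header_from></identifiers>
    <auth_results>
      <dkim><domain>sender-domain.test</domain><result>pass</result></dkim>
      <spf><domain>sender-domain.test</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>sender-domain.test</header_from></identifiers>
    <auth_results>
      <spf><domain>other.test</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_rua(xml_text):
    """Extract the published policy and one entry per source IP from an aggregate report."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": pub.findtext("domain"),
        "policy": pub.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return summary


def delivery_stats(summary):
    """Total the report the way a sender watching its own domain would read it.

    A message is DMARC-aligned when either the DKIM or the SPF alignment check passed;
    the disposition is what the receiver did under the published policy.
    """
    stats = defaultdict(int)
    for src in summary["sources"]:
        aligned = src["dkim"] == "pass" or src["spf"] == "pass"
        stats["total"] += src["count"]
        stats["aligned" if aligned else "unaligned"] += src["count"]
        stats["disposition_" + src["disposition"]] += src["count"]
    stats["aligned_rate"] = stats["aligned"] / stats["total"] if stats["total"] else 0.0
    return dict(stats)


if __name__ == "__main__":
    report = parse_rua(SAMPLE_REPORT)
    print(report["reporter"], report["domain"], "p=" + report["policy"])
    for src in report["sources"]:
        print(src["ip"], src["count"], src["dkim"], src["spf"], src["disposition"])
    print(delivery_stats(report))
```

The point worth keeping in mind when reading such a report: a DMARC pass only proves that the message came from infrastructure the domain owner authorised in SPF or DKIM, not that the domain is trustworthy. A sender who registers a fresh domain, publishes correct records and sends from the listed hosts gets the pass, and the report then shows which receivers accepted the mail and which sources failed, which is exactly the feedback loop the article describes.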

Much of the latest TorrentLocker spam being distributed notifies recipients that they have been fined for speeding, or that they have received a package, Oliver said.

The recipient is instructed to click on a link, which leads to a fake website where they are told to download a file about the fine or package. Once the file is downloaded and opened, the recipient's computer is infected with TorrentLocker, which encrypts the files on it and demands a ransom.

Australia is the country most affected by TorrentLocker, according to data gathered since November 2014 and included in a Friday post. The United States, Italy, the Philippines and France are also on the list of top affected countries.

To protect against these types of threats, Oliver said to back up files using an automated cloud backup solution, to be careful with shared storage devices, and to run defensive solutions such as anti-malware. He also warned to keep an eye out for CAPTCHAs.

“When you see a [CAPTCHA] – then take care – if you are at all suspicious, use the phone to call the organization involved,” Oliver said. “This item is TorrentLocker specific – they nearly always use [CAPTCHA] as a part of their social engineering.”
