These last months, our lives have been severely affected by the pandemic, and many changes have come with the new working models: larger and smaller organisations are shifting to full- or part-time remote work. Within this context there is a breeding ground for more Emotet malspam attacks. According to ESET, a well-known cyber security company that conducted a global survey from July to October, Greece ranks first for this specific Emotet attack with 17.7%, followed by Japan and Lithuania.
But what is Emotet malspam and what does it aim to do?
Emotet is malware that was first detected in 2014. Its latest versions work mainly as a Trojan horse that spreads via email. The attack works as follows: messages and contacts are harvested from compromised mail accounts. Then, in a method called “conversation hijacking”, the malware spreads further by sending the harvested contacts messages from those earlier conversations in which the attached file has been swapped for an infected one.
These emails are sent through a botnet, i.e. from compromised computers and other people’s email accounts. The recipient therefore receives a message from a familiar contact with content that also seems familiar, and it is easy to fall into the trap of opening the attachment and continuing the spread of the malware.
The Trojan horse is hidden in the file attached to the message, or in a malicious script or link. Opening it activates macros that install malware on the user’s computer, which is then used to steal passwords and bank card details or even to remotely control the computer. In Greece, as already mentioned, there has been a large number of attacks of this type, leading to a relevant announcement from the cybercrime prosecution unit.
What measures should be taken?
The Emotet malspam attack is well designed. Email filters fail to detect the malicious code: the basic authenticity checks a mail server performs (DKIM, SPF, DMARC) find nothing wrong, because the messages come from real, compromised accounts. In addition, the message content does not contain characters or phrases that trigger spam-prevention rules, so it is practically impossible to limit it at a more central level. The most important actions to protect users are the following:
- Being informed is the alpha and omega. The power of the attack comes from its ability to spread through unsuspecting users who download the malware to their computer and, in practice, recycle the attack. Do not open links or files of dubious content; either delete them (without opening) or inform the company’s IT department.
- Follow basic security tips to protect your emails. If you notice repeated Emotet attacks on your email from specific users, you can block them with the following filters:
  - If you use Horde: Preferences -> Filters.
  - If you use Roundcube: Preferences -> Filters.
- Check that the sender’s real email address matches the name displayed on the received email.
- Since these attacks mainly target the Windows operating system and are triggered by running macros, up-to-date malware protection software will protect the end user and limit the spread of the malware. For extra protection you can also disable the execution of macros in the applications that open .doc and .pdf files.
- Keep your operating system up to date with all the latest security updates.
- If a user keeps receiving recurring emails from previous communications, they should contact the users involved. Both sides should thoroughly check their computers, since one or more of them has definitely been infected.
- A useful website where you can check whether your email address was or is a victim of this attack is the following.
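As an added example (not part of the original post), here is a small Python check in the spirit of the advice above: it parses a constructed sample message and flags a display name that hides a different real sender address, a Reply-To pointing elsewhere, and a macro-capable Office attachment arriving inside a reply to an existing thread, which is the hijacked-conversation pattern described earlier. All addresses, host names and file names are made up.

```python
import email
from email import policy
from email.utils import parseaddr

# Office document types that can carry macros (the delivery vehicle the post describes).
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm")

def analyse_message(raw: bytes) -> list:
    """Return indicators of an Emotet-style hijacked-thread email (empty list = none found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, real_addr = parseaddr(str(msg.get("From", "")))
    # A display name that is itself an address, but not the address actually sending.
    if "@" in display_name and display_name.strip().lower() != real_addr.lower():
        findings.append(f"display name {display_name!r} hides real sender {real_addr!r}")

    # Replies routed to a third address are another sign the thread has been taken over.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != real_addr.lower():
        findings.append(f"Reply-To {reply_to!r} differs from sender {real_addr!r}")

    # Emotet rides on stolen conversations, so the malicious mail usually looks like a reply.
    is_reply = str(msg.get("Subject", "")).strip().lower().startswith(("re:", "fw:", "fwd:"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_CAPABLE):
            where = "inside a reply to an existing thread" if is_reply else "in a new thread"
            findings.append(f"macro-capable attachment {name!r} {where}")
    return findings

# Constructed sample in the hijacked-thread pattern (fictional addresses, dummy attachment body).
HIJACKED = b"""\
From: "anna.p@partner.example" <compromised.box@other-host.example>
To: office@company.example
Subject: RE: invoice March
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, please see the attached file we discussed.
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1--
"""
```

Running `analyse_message(HIJACKED)` reports the hidden sender and the macro-capable attachment inside a reply; a plain-text reply from a normally formatted sender yields an empty list.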