It's only been a few days since we sent out warnings that hackers may take advantage of the #IceBucketChallenge's popularity to scam or phish users online. We predicted that there might be phishing or spoofed websites posing as donation pages to steal donations from kindhearted online donors. We now realize that those predictions were too conservative, as the attackers have been much more aggressive. Hackers are not “satisfied” with these passive ways of drawing in victims. Instead, they've been very busy with a large-scale malicious email campaign targeting those who may have donated to the ALS cause recently.
In the last few days, our email security team identified a stream of emails that look like a Thank You message from the ALS Association for a contribution, titled “Thank You for your gift to The ALS Association!” Here is a screenshot:
Sounds simple enough, right?
The message itself is. However, it's the attachment that users need to be worried about: it's not the receipt it claims to be. The attachment is a Word document titled “receipt.doc”, and the message asks users to print off the receipt to have a record of their donation. Users who do open the attachment will get much more than a receipt. Upon opening the attachment, the attackers will install malicious software on the victim's computer to steal data and passwords stored there.
The email trend went viral very quickly: within a few hours, we saw a spike to 20,000 messages, with the majority of the messages being very targeted attacks.
So what should you do if you receive one of these ALS Thank You scam emails?
- First of all (and as always), do not click any links or open any attachments in the email. This is true for any message you receive from an unknown source. In many cases, even if you do know the sender, you should still be careful about clicking links or opening attachments.
- Always make sure your anti-virus is up to date. Whether you are using a Windows PC or Mac OS computer, or an Android or iOS tablet/phone, buy and install anti-virus software from a reputable vendor and keep it updated.
- Mark any suspicious emails as spam so that your email administrator or service provider can work to block such messages. You also can report the messages to US-CERT and APWG.
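For email administrators, here is one way to triage mail for the lure described above. This is an added example, not Barracuda's detection logic: it matches the subject line quoted in this post and looks for a Word attachment. The function names, the verdict labels and the extra Word extensions are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the post: the subject line and a Word attachment.
LURE_SUBJECT = "thank you for your gift to the als association"
# Assumption: the post names only receipt.doc; related Word extensions are
# included because renaming the file is trivial.
WORD_EXTENSIONS = (".doc", ".docm", ".docx")


def triage(raw_bytes):
    """Return (verdict, word_attachment_names) for one raw RFC 5322 message."""
    # policy.default decodes RFC 2047 encoded-word subjects before matching.
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    word_files = []
    for part in msg.walk():  # walk() also reaches nested multipart containers
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(WORD_EXTENSIONS):
            word_files.append(name)
    if LURE_SUBJECT not in subject:
        return "pass", word_files
    # Subject alone is not proof: the real charity sends thank-you mail too.
    return ("quarantine" if word_files else "review"), word_files


def build_sample(subject, filename=None):
    """Construct a test message; all addresses and content are made up."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please print the attached receipt for your records.")
    if filename:
        m.add_attachment(b"constructed placeholder, not a real document",
                         maintype="application", subtype="msword",
                         filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    lure = "Thank You for your gift to The ALS Association!"
    for raw in (build_sample(lure, "Receipt.DOC"),
                build_sample(lure),
                build_sample("Quarterly report", "report.doc")):
        print(triage(raw))
```

Messages that match only the subject are sent to review rather than blocked, since genuine donation receipts may use similar wording.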
Customers running the Barracuda Spam Firewall and Barracuda Email Security Service with the latest security definitions are protected from this attack.