Threat Spotlight: Attached Password Stealer

Print Friendly, PDF & Email

Earlier this month we revealed a new security advisory platform — Barracuda Security Insight, which provides real-time threat intelligence and risk information to help raise awareness about the current IT security threat levels. One of the reasons we’re excited about the platform is because anyone with Internet access can use it as a way to check in on the different threats that might be lurking around the web.

For example, if we’re seeing an uptick in PDFs that contain malware, Barracuda Security Insight will flag this threat as a “critical alert,” with a description of the threat so people know what to avoid as they go about their day. For this month’s Threat Spotlight, we are taking a look at a recent “critical alert” that was flagged by Security Insight for attempting to steal user passwords by using attached Word or Excel documents that claim to be tax forms or other official documents. Cybercriminals regularly go after user passwords and credentials; however, we’re continuing to see criminals come up with clever ways to persuade users into sacrificing their sensitive information. Here’s what we found this time:

Highlighted Threat:

Password Stealers — Cybercriminals are using common attachment file types to steal user passwords.

The Details:

Cybercriminals are constantly distributing various types of malware based on their objectives, which are often monetary. While Ransomware is a common means to this goal, holding data for ransom is not the only means of monetizing malware distribution. Companies are constantly trying to gain as much consumer browsing information as possible in order to target advertisements and mine user data; however, information that is intended to be secret—is even more valuable. There is a booming black market for stolen passwords within criminal communities, making malware that obtains these passwords profitable to distribute. The widespread use of software that stores passwords (from browsers for instance), and password management solutions compound the problem even more since a large number of passwords are already sitting on many users’ computers just waiting to be stolen.

Here are a couple of real-life attempts where cybercriminals are hoping to walk away with user passwords. In the first example, attackers are attempting to encourage the recipient to open the attachment by using urgent language to make the message appear important. Additionally, by naming the attachment “taxletter.doc,” the attachment appears like it could be something important such as a tax document. Lastly, by using a Word Document as an attachment, the attackers increase their chances of actually having the file opened due to the familiarity people have with these file types.

Here’s another example of an email where the attackers are attempting to make their message and attachment appear important by claiming that a PO is attached. The only difference here is that the attachment is an Excel file, which of course is another common file type that people are familiar with—making it less likely that they will suspect anything malicious.

Unfortunately in both of these examples—if the user actually opens these attachments, there’s a good chance their passwords would be stolen. So, how did we get here?

The Evolution of Password Theft

Prior to the availability and popularity of storing passwords for convenience, stealing passwords would require infecting a user with malware that logs keystrokes and transmits this data over the network at regular intervals. While this technique is still used, the anomalous network traffic it produces increases the likelihood of discovering the malware before many—if any—passwords would have been stolen. With the advent and increasing usage of saving passwords; however, malware can simply break whatever security mechanism is protecting the passwords and upload them all at once. This makes detection more difficult at the network level since there’s only one burst of traffic to detect before the passwords have been exfiltrated, unlike with keyloggers where periodic transmission creates time and patterns to detect the malicious traffic.

Regardless of the means, once passwords have been stolen they can be monetized based on what they provide access to. Banking passwords are obviously the most easily monetized since criminals can simply attempt to transfer funds from your account to theirs, but even email and social media passwords have value. The majority of email and social networking accounts provide access to a larger number of users that can be spammed or phished directly, plus email addresses for these users may be available, which can also be added to lists and sold to spammers. Hacked email accounts are also commonly used to attempt to scam saved contacts by impersonating the account owner and claiming to be stranded abroad, requiring money to return home. Windows passwords may also be targeted, not only for the potential of re-use with accounts for which the password isn’t saved, but also for potential access to corporate networks and resources when business computers are compromised.

As with malware in general, password stealers have a variety of distribution methods, most of which involves phishing emails containing an attachment or URL. Since it is much easier and more cost-effective to detect malicious attachments on the email server itself than a user’s computer, a variety of different file types and distribution methods are used to try to evade this sort of security, especially the more naive approaches such as simply blocking certain file types. Password stealers may be compressed in any number of archive formats to evade file type blocking—sometimes using fake file extensions that will still allow the file to be opened in the desired archive software.

It is also common, however, to utilize trusted file types to evade server detection and download the malware payload when the user executes the file. Microsoft Word and Excel documents with macros that download password stealers are quite common and can be more difficult to detect than sending the payload itself. While these have the drawback that the macro must be run by the user, social engineering is used to attempt to get the user to do this.

To recap, the techniques being used in these attacks are: 

  • Phishing: Attackers send emails that encourage recipients to open attachments containing malicious content.  
  • Impersonation: Malicious attachments are disguised as official documents such as important tax forms.  
  • Avoiding Detection: Attackers use trusted file types like Word and Excel to hopefully evade server detection.   

Take Action: 

User Security Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training.  

Layering employee training with an email security solution that offers sandboxing and advanced threat protection should block malware before it ever reaches the corporate mail server. And, for additional protection against messages that contain malicious links, you can deploy anti-phishing protection that includes Link Protection to look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document. 

Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is a cloud service that utilizes AI to learn an organization’s communications history and prevent future spear phishing attacks. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time and identifies the most high-risk individuals inside the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.  


Related Posts:  

Threat Spotlight: Cybercriminals are Impersonating Google Docs, Outlook and DocuSign to Steal Your Credentials  

Threat Spotlight: Clever Cybercriminals Spoof Scanners by the Millions 

Threat Spotlight: Invoice Impersonation Attack  

Threat Spotlight: Office 365 Account Compromise — the New “Insider Threat” 



Scroll to top