Editor’s note (5-28-2016, 1:36 PM EST): This article has been amended to add a technical correction. The attackers’ method of bypassing spam filters can be detected and prevented by email gateways with sender policy framework (SPF) enabled.
Locky ransomware has been infecting computers and networks all over the world in the past few months. Amazon customers have been deliberately targeted through malicious Microsoft Word documents to spread this malware.
Comodo Threat Research Labs discovered this spear phishing campaign. Security researchers labeled it as one of the largest spam ransomware attacks of 2016. This attack took place on May 17 and last for twelve hours. During this time, 30 million spam messages have been sent out to Amazon users under the disguise of being an order shipment update notification.
Spreading Locky Through Amazon-labeled Emails
A spam email campaign can only be successful if the emails appear to be genuine. The assailants tricked recipients into thinking these were emails originating from Amazon. This would be detected by controls on email gateways with sender policy framework [SPF] enabled. The attackers, however, cold bypass email gateway controls without this setting and deliver the Locky-infected Word files directly to Internet users.
According to Proofpoint, this Locky attack was spread from the US to European mail servers mainly. With legitimate email headers, users would open the email and any attachment associated with the message. Opening the document itself does not create the Locky ransomware infection, though, as users were prompted to enable macros. Once that step has been completed, the malware would download and install itself.
It is not the first time a spear phishing attack using Locky takes place. In March of 2016, there was a huge spike in ransomware distribution through spam messages. There is a growing concern over these Microsoft Office macro attacks, as they seem to be growing in popularity once again.
This wave of spam messages was not just aimed at Amazon customers, though. The assailants used a large email list in the hopes of enticing as many users to open the email. Consumers tend to forget they ordered something online, and seeing a shipping notification piques their interest. Not knowing what item this is about, they are more prone to opening the infected Word file.
Emails were sent through spam botnets running on hijacked virtual machines. Additionally, there were a fair amount of consumer PCs involved in the attack as well. Comodo Threat Research Labs mentioned how every Locky ransom message ranged from 0.5 to 1 Bitcoin.At this time, it is impossible to tell how many people have fallen for this spam message, and Amazon did not comment on the situation yet.
What are your thoughts on this new spear phishing campaign to spread Locky ransomware? Let us know in the comments below!
Images courtesy of Amazon, Shutterstock