“Your deposit
Good day,
Your statement has been cancelled before we recorded contact with the bank.
More details are available here: your deposit.
With warm regards, the Volksbank team”
When the user clicks the hyperlink, a .zip file containing an executable file is downloaded. The file name is extremely long in an attempt to hide the .exe extension. The file names look like this:
- de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
- E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
- Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
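The long-name trick described above can be caught before a user ever sees the file. The following is an added example, not code from Emsisoft or Microsoft: it lists the member names of a .zip without extracting anything and flags executables whose names are overlong or dressed up as documents. The extension set, the length threshold, the lure words, and the two benign sample names are assumptions chosen for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed heuristics for this example; tune them for your own mail gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
MAX_STEM_LEN = 40  # assumed cut-off for "long enough to push the extension out of view"
LURE_TOKENS = ("rechnung", "scan", "foto", "konto", "page")

def score_entry(name: str) -> list[str]:
    """Return the reasons an archive member name looks like a disguised executable."""
    path = PurePosixPath(name.replace("\\", "/"))
    ext = path.suffix.lower()
    if ext not in EXECUTABLE_EXTS:
        return []
    reasons = [f"executable extension {ext}"]
    if len(path.stem) > MAX_STEM_LEN:
        reasons.append(f"stem is {len(path.stem)} characters long")
    hits = [t for t in LURE_TOKENS if t in path.stem.lower()]
    if hits:
        reasons.append("document-style lure words: " + ", ".join(hits))
    return reasons

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Inspect member names only; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        scored = {i.filename: score_entry(i.filename) for i in zf.infolist()}
    # Flag only names that are executable AND show at least one disguise signal.
    return {n: r for n, r in scored.items() if len(r) > 1}

def build_sample_zip() -> bytes:
    """Constructed archive: the article's three names plus two benign ones, dummy content."""
    names = [
        "de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe",
        "E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe",
        "Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe",
        "setup.exe",
        "rechnung_dezember.pdf",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in scan_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(why))
```

A short, plainly named `setup.exe` is deliberately not flagged, so the check targets the disguise rather than every executable in an archive.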
The email also contains a .PDF file attachment that users are enticed to click on. Once downloaded, the file installs the malware on the user's computer. Once the malware runs, it begins to monitor network activity and steals online banking credentials when a user attempts to log on to a banking website. The malware is also capable of stealing email account credentials and passwords from messaging programs. The information is then transmitted back to the hacker's command and control server.
Microsoft found that the malware is stealing credentials from:
- Gmail Notifier
- Google Desktop
- Google Talk
- Group Mail
- Mozilla Thunderbird
- MSN or Windows Live Messenger
- Netscape 6 and Netscape 7
- Windows Mail and Windows Live Mail
- Yahoo! Messenger
As with any threat, new or existing, never open attachments or follow hyperlinks that you are not familiar with. These phishing attacks still occur because users still fall for the same tricks. The most important thing you can do to protect your identity is to be vigilant. If it does not look right or you are not sure, then do not click on that link or open that attachment. Ensure your Emsisoft Anti-Malware is enabled as well. Do not get caught off guard – hackers are depending on it.