1. Watch Out for WIM Files
Windows Imaging Format (WIM) files are showing up in current attacks according to researchers at Trustwave. This file type was developed by Microsoft to deploy software components and updates. It isn’t commonly thought of as potentially malicious, so it’s more likely to bypass security filters. It’s also a sign of the creativity of these criminals – as we catch on to their tactics, they will change their approach.
This recent scam presents as an invoice or information from a courier service. The attached WIM file has malware hidden inside that will be installed on your computer if you open it.
How can you avoid this scam?
- There are 2 positive aspects about this method of attack. It’s an unfamiliar file type to most people, which should raise a red flag. It’s also more difficult to open a WIM file than just clicking on a typical attachment. Like a zip file, it involves extracting, which means you should be prompted before the real damage is done. This doesn’t make it safe though, so stay alert.
- As with any unsolicited email with an attachment, stop and think before you click. Who is the courier? If you have not shipped something, it wouldn’t make sense to be getting an invoice. Do you normally receive invoices? If not, call your IT partner and have us check it out first.
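For whoever maintains the mail filter, the point above about WIM attachments slipping past security filters can be checked on file content as well as on the name. The following is an added example, not part of the original article: it walks a message's MIME parts and flags anything that starts with the WIM header tag or carries a .wim extension. The sample message, addresses and file names are constructed for the demo.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# A WIM file starts with the 8-byte tag "MSWIM" followed by three NUL bytes.
WIM_MAGIC = b"MSWIM\x00\x00\x00"

def find_wim_attachments(raw_message):
    """Return (filename, reason) for each MIME part that looks like a WIM file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if data.startswith(WIM_MAGIC):
            # Content check catches a WIM renamed to look like a document.
            hits.append((name, "WIM magic bytes"))
        elif name.lower().endswith(".wim"):
            hits.append((name, ".wim extension"))
    return hits

def build_sample():
    """Constructed message for the demo; the attachments are harmless stubs."""
    msg = EmailMessage()
    msg["From"] = "billing@courier.example"
    msg["To"] = "user@company.example"
    msg["Subject"] = "Invoice for your shipment"
    msg.set_content("Please find your invoice attached.")
    stub = WIM_MAGIC + b"\x00" * 64  # header tag only, not a real image
    for data, name in [(stub, "invoice.wim"), (stub, "waybill.pdf"),
                       (b"%PDF-1.4\n", "terms.pdf"), (b"plain text", "label.wim")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in find_wim_attachments(build_sample()):
        print(f"quarantine {name!r}: {reason}")
```

The second stub shows why the extension alone is not enough: a WIM renamed to waybill.pdf is still caught by its header.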
2. Exploiting Google Docs
Sharing documents through Google is incredibly common now, even among Microsoft 365 users. Many businesses use Google Workspace, and billions of individuals have personal Gmail and Google Drive accounts. Scammers want to capitalize on this and have figured out how to use this legitimate Google service and the way it renders HTML to send emails that have authentic Google links and hide their true intent.
Two hugely successful methods have been reported by experts. One involves sending a document-sharing link and the other appears to be a notification from DocuSign. These emails look convincingly real and have authentic Google Docs links because of how the criminals have used these public Google services. In both examples, however, the next step holds the danger.
In the document-sharing example, you receive an email with a Google Docs link. The link looks fine because it is actually coming from Google. But when you click through, the page you land on is actually a custom HTML page made to look like the Google Docs sharing page. And the download link there will send you to a fake sign-in page where they will steal your credentials. The URL on the fake sign-in page will show that you are no longer on Google’s website, but when everything else looks familiar, it’s easy to forget to check.
Similarly, the DocuSign email appears as you would expect it to because of how it was created in Google Docs. It is a spoof, however, and clicking the View Document button takes you to a Google Docs page that is made to look like the DocuSign login, not the actual DocuSign website. The login button on that page has a ‘listener’ embedded that will send your credentials to the criminals when you click it.
So how can you stay safe from this?
- We need to accept that scammers will continue to evolve their tactics to make money. It used to be that all you needed to do to check a link was to hover your mouse over it and see where it was pointing before clicking it. But with email sending services that mask legitimate links for tracking purposes, and this new trend of hiding behind authentic Google Docs links, we need to be more careful. I won’t say don’t ever click another link. That would be ridiculous. But any time you do click a link, if an action is requested after that, such as a login or download, stop. Check the URL. Check with the initial sender. Or ask us to check it out for you first. The threats keep changing, and we don’t expect you to recognize every danger on your own.
- Remember that your natural human curiosity can be used against you. Wondering how much that invoice might be for or what’s in that shared document someone sent to you is designed to make you click. Stay alert even when it’s the 892nd email you’ve received this week.
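The "check the URL" advice above, written as a rule that a helpdesk script or proxy policy could apply. This is an added example, not part of the original article: it asks whether the page requesting a password is on the sign-in host of the brand it claims to be. The allow-list entries are assumptions to confirm against each vendor's documentation, and the test URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed sign-in hosts per brand; verify these before relying on them.
LOGIN_HOSTS = {
    "google": {"accounts.google.com"},
    "docusign": {"account.docusign.com"},
}

def check_login_url(url, brand):
    """Return (ok, reason) for a page that is asking for `brand` credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        # Text before "@" is userinfo, not the host the browser connects to.
        return False, "userinfo before host"
    if host in LOGIN_HOSTS.get(brand, set()):
        return True, "expected sign-in host"
    # Exact match only: a familiar name at the start of a longer host
    # (or a Google-hosted document posing as another brand) fails here.
    return False, f"{host} is not a {brand} sign-in host"

# Constructed URLs covering the two cases described in this section.
SAMPLES = [
    ("https://accounts.google.com/signin", "google"),
    ("https://accounts.google.com.signin.example/", "google"),
    ("https://accounts.google.com@login.example/", "google"),
    ("https://docs.google.com/document/d/EXAMPLE/pub", "docusign"),
]

def audit(samples=SAMPLES):
    """Run the check over every (url, brand) pair and return the verdicts."""
    return [check_login_url(url, brand) for url, brand in samples]

if __name__ == "__main__":
    for (url, brand), (ok, reason) in zip(SAMPLES, audit()):
        print("OK   " if ok else "BLOCK", brand, url, "->", reason)
```

The last sample is the DocuSign case from the text: the host really is Google's, but it is not where DocuSign credentials belong.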
3. Fourth of July Phireworks
Independence Day may not seem as likely a target as Thanksgiving or Christmas, but every holiday brings a surge in scams. Even Amazon Prime Day, more of an event than a holiday, saw verification email scams and more than two thousand new Amazon-related domains registered in the last 30 days.
Scammers take advantage of events and holidays for a variety of reasons. For one thing, the time-sensitive nature makes us more likely to click for fear of missing out. For another, sending emails at the right time can make them appear more legitimate. Think about receiving a summer barbecue deal in July versus in December; the very same email could be easily dismissed as junk when sent at the wrong time. Events and holidays help camouflage the scammers.
So for the Fourth this year, experts are warning us to look out for fake pandemic information such as updated event listings or health rules, vaccine information or requirements, plus the usual retail sales and deals.
What can you do against this?
- Remember that when a deal seems too good to be true, it usually is. If you click a link for an offer and it then asks you for personal information in order to be ‘eligible,’ find a way to confirm it is legitimate before entering. Navigate to the company’s website independently or look them up and call first. And whenever possible, pay with your credit card online. Reporting fraud and getting your money back is often easier with credit cards, and your bank account information can remain separate and secure.
- Pandemic and vaccine information can be tricky. Scammers typically spoof larger entities at the state and federal level, so look out for new or lifting restrictions notices or government regulations about vaccines. Travel requirements and warnings could also appear. At the local level, rules for attending the town fireworks may really be different this year. To be safe and get the right information, go to your town or county website independently.