
Bogus ‘Account Compromised’ Email Contains Macro Malware

by Brett M. Christensen

Outline:
Email claims that a suspicious logon attempt to your account was detected and you should therefore open an attached report to view further details.

Brief Analysis:
The email is bogus. It is not from the company named as the sender and the ‘suspicious logon attempt’ claim is just a trick designed to get you to open the attached file.  The attached .zip file harbours a Microsoft Word document that contains a malicious macro. If allowed to run, the macro can download and install malware.

Example:
Subject: Account Compromised

Attention!
Suspicious logon attempt to your account was detected (Chrome browser, IP-address: [removed])
Reason: unusual IP
Please refer to the attached report to view further detailed information.
[Name of company removed]
tel. [removed]

Email has an attached file called ‘Security Notification.zip’. The .zip file contains a Microsoft Word file called ‘security_report[random numbers].doc’.


Detailed Analysis:
According to this email, which has the subject line ‘Account Compromised’, a ‘suspicious logon attempt’ to your account has been detected. The message lists the type of browser used in the login attempt as well as the supposed attacker’s IP address. It suggests that you refer to an attached report to access further information. The email also includes the name and phone number of the company that supposedly detected the compromise and sent the warning.

However, the email is not a valid security warning and it was not sent by the company it mentions. Instead, the email is an attempt by criminals to trick you into allowing malware to be installed on your computer.

If you open the attached .zip file in the hope of reading more information about the supposed compromise, you will find that it contains a seemingly innocuous Microsoft Word document. However, if you then attempt to open the Word document, you will receive a message stating that you need to enable macros to view the contents. Alas, the macro is malicious and, if you enable macros as requested, it will download and install malware on your computer.

The exact type of malware that is downloaded by the macro may vary. In some cases it may install malware that can steal sensitive information such as banking passwords from your computer. In other cases it may install ransomware that can lock your computer’s files and then demand that you pay a ransom to online criminals to receive an unlock key.

Details in these emails, including the name and number of the company that supposedly sent them and the listed browser and IP address, may vary. Keep in mind that the companies listed as the senders in these emails are in no way responsible for the malware attacks. The criminals have simply used these company names to make their messages appear legitimate.

Macro malware attacks are increasingly common. Be wary of any email with an attachment that claims that you must enable macros to view the content.  There is no reason why you should need to enable macros just to view an ordinary document such as an invoice or security report. Unless you have a specific need to use macros and understand their potential risks, you are best to leave macros disabled.

If you're unfamiliar with macros, you can read more about them here.
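
For anyone filtering mail, the attachment chain described above (a .zip holding a Word document that carries a macro) can be checked before a message is delivered. The Python script below is an added example, not part of the original report: the search for the `_VBA_PROJECT` stream name is a byte-pattern heuristic rather than a full OLE parse, the 20 MiB read cap is an assumed value, and the sample archive is constructed for the demonstration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")      # legacy .doc/.xls/.ppt container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")    # OLE directory names are UTF-16LE
LURE_NAME = re.compile(r"security_report\d+\.doc$", re.I)  # naming from the email above
MAX_MEMBER = 20 * 1024 * 1024                      # assumed per-file read cap (20 MiB)


def has_vba(data):
    """Heuristic: does this Office file carry a VBA macro project?"""
    if data.startswith(OLE_MAGIC):
        return VBA_STREAM in data
    if data.startswith(b"PK\x03\x04"):             # OOXML (.docm etc.) is itself a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                return any(n.lower().endswith("vbaproject.bin") for n in inner.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_zip(zip_bytes):
    """Inspect each member of a zipped attachment in memory, without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            oversize = info.file_size > MAX_MEMBER  # declared size too big: do not read
            data = b"" if oversize else zf.read(info)
            findings.append({"name": info.filename, "macros": has_vba(data),
                             "oversize": oversize,
                             "lure_name": bool(LURE_NAME.search(info.filename))})
    return findings


def build_sample():
    """Constructed input: stub files that exercise the checks, not real Word documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("security_report48213.doc", OLE_MAGIC + b"\x00" * 64 + VBA_STREAM)
        zf.writestr("notes.doc", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```

A member reported with `macros` set to true is a candidate for quarantine whatever its file name; the `lure_name` flag only adds confidence that it belongs to this particular campaign.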




Last updated: May 25, 2016
First published: May 25, 2016