Spam email Emotet steals bank account credentials from German language users

Microsoft revealed a new variant in the Win32/Emotet family of malware that is targeting German-language users for their banking credentials. Emotet uses phishing emails that carry fraudulent claims such as spoofed invoices from banks, and even pretends to be PayPal, in order to lure users into clicking. It has been reported that Emotet is also trying to scam users with authentic-looking telephone bills. The spam is difficult to block because it is sent from compromised email accounts. If the sender had used a generic email account, or one the receiving mail server did not recognize, chances are good that the message would have been flagged and moved to the spam folder or deleted altogether. That is not the case here. The spam email, translated, reads:

“Your deposit

Good day,

Your statement has been cancelled before we recorded contact with the bank.

More details are available here: your deposit.

With warm regards, the Volksbank team”

When the user clicks on the hyperlink, a .zip file downloads that contains an executable. The file name is extremely long in an attempt to hide the .exe extension from the user. Examples look like these:

  • de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
  • E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
  • Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe
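The naming trick above (a very long name that pushes the .exe extension out of view) can be screened for before an attachment reaches a user. The following is an added example, not code from the original post or from Microsoft or Emsisoft; it applies a few defender-side heuristics to attachment names and to the member names inside a .zip, using the three file names quoted above plus a constructed benign name as sample input. The length threshold, the lure-word list and the in-memory zip are assumptions made for the example.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs on double-click; the page's samples all end in ".exe".
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Assumed threshold: a legitimate scanned invoice or card is rarely named this long.
MAX_SANE_NAME_LENGTH = 60

# Lure wording seen in the page's samples (German invoice/statement/scan themes).
LURE_WORDS = ("rechnung", "kontobewegung", "scan", "e-card", "invoice", "statement")

# The three file names quoted on the page, used here as constructed sample input.
SAMPLE_NAMES = [
    "de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe",
    "E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe",
    "Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe",
]


def attachment_risk(name: str) -> list:
    """Return the list of heuristics that fire for an attachment name.

    An empty list means nothing looked suspicious.
    """
    reasons = []
    lower = name.lower()
    stem, ext = os.path.splitext(lower)
    is_executable = ext in EXECUTABLE_EXTENSIONS

    if is_executable:
        reasons.append(f"executable extension {ext}")
    if len(name) > MAX_SANE_NAME_LENGTH:
        reasons.append(f"name length {len(name)} exceeds {MAX_SANE_NAME_LENGTH}")
    # Double extension such as "invoice.pdf.exe": document suffix right before the real one.
    if is_executable and re.search(r"\.(pdf|doc|docx|jpg|png|txt)$", stem):
        reasons.append("document extension followed by executable extension")
    if is_executable and any(word in lower for word in LURE_WORDS):
        reasons.append("invoice/scan lure wording on an executable")
    return reasons


def scan_zip_bytes(data: bytes) -> dict:
    """Open an in-memory .zip and map each risky member name to its reasons.

    Only names are inspected; member contents are never extracted or executed.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = attachment_risk(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: the three page names plus one benign PDF name.

    Member contents are dummy bytes, not malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"dummy")
        zf.writestr("Rechnung_2014_12.pdf", b"dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(build_sample_zip()).items():
        print(f"{member[:40]}... -> {', '.join(reasons)}")
```

Running the script flags all three quoted names (executable extension, excessive length and lure wording) and leaves the benign PDF name alone. In a mail gateway the same checks would run on the attachment name and on every archive member name before delivery; blocking on the extension alone is the strongest of the four rules, and the others mainly raise confidence for quarantine decisions.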

The email also carries a .PDF attachment that users are enticed to open. Once downloaded, the file installs the malware on the user's computer. When the malware runs, it begins to monitor network activity and steals online banking credentials as soon as the user logs on to a banking website. The malware is also capable of stealing email account credentials and passwords from messaging programs. The information is then transmitted back to the attacker's command and control server.

Microsoft found that the malware is stealing credentials from:

  • Gmail Notifier
  • Google Desktop
  • Google Talk
  • Group Mail
  • Mozilla Thunderbird
  • MSN or Windows Live Messenger
  • Netscape 6 and Netscape 7
  • Windows Mail and Windows Live Mail
  • Yahoo! Messenger

As with any threat, new or existing, never open attachments or follow hyperlinks that you are not familiar with. These phishing attacks keep working because users keep falling for the same tricks. The most important thing you can do to protect your identity is to be vigilant: if it does not look right, or you are not sure, do not click on that link or open that attachment. Ensure your Emsisoft Anti-Malware is enabled as well. Do not get caught off guard – hackers are depending on it.

  • Cat Tilley

    No financial institution is going to send such an email; any notices will be delivered by the local postal or mail service of the region.

    It’s simply smart computing not to click on such links, even to open & read. Mark them as spam or junk & delete.

    “Your statement has been cancelled before we recorded contact with the bank.”

    That’s an obvious red flag just by the way it’s worded. Statement cancelled? Oh, the crap folks fall for these days. Betcha anything that having Emsisoft Anti-Malware installed would have intercepted this as what it is, SPAM!

    I’ve had so called “PayPal Verification” emails, just mark as spam & go about my business.

    Using a computer requires a generous dose of personal responsibility.