Rise of Email Scams and CryptoWall

A new wave of IT risks is on the loose: an email scam requesting a fake wire transfer and a new variant of CryptoWall. It is estimated that the fake wire transfer scam has stolen around $1.2 billion, and CryptoWall 3.0, a CryptoWall variant released in January 2015, has already extorted an estimated $325 million.

Email Scam – Fake Wire Transfer Request

A new email scam has been circulating recently that requests a money wire transfer. The emails are typically sent to specific individuals and look as if they came from someone else within the same Organization. The content of the email usually asks for an urgent wire transfer. Below is how a typical wire transfer scam email may read:

I need you to take care of a payment (Wlre Transfer) as soon as possible.
Let me know as soon as you get this email so I can provide you with the amount and banking info for the receiver, as well as reference.
Sent from my iPhone

In this type of attack, the scammer already knows the target’s name and email address and the name and email address of someone else in the company whom the target might trust. The attacking Organizations have registered email domains that are very similar to the recipients’ own. For example: xyzwigdets.com instead of xyzwidgets.com. The wire transfer email is then sent from the fake domain: instead of the email coming from [email protected], it comes from [email protected]. The attackers are banking on the fact that some people will not notice the difference in spelling and will not suspect anything fishy.
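As an added illustration (not part of the original post), the following Python classifies the sender domain of each incoming From: header as internal, lookalike or external, using an edit distance in which a swapped letter pair such as xyzwigdets/xyzwidgets counts as a single change. The organization's domain list and the sample headers are constructed for this example.

```python
from email.utils import parseaddr

# Domains the organization legitimately sends mail from (constructed example value).
OUR_DOMAINS = {"xyzwidgets.com"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions,
    plus adjacent transpositions, so 'dg' -> 'gd' costs 1 like a typo would."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    # parseaddr handles display names and angle brackets; domain is lower-cased.
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external'. A domain that is not ours
    but sits within max_distance edits of ours is the pattern this scam relies on."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    if domain in OUR_DOMAINS:
        return "internal"
    for ours in OUR_DOMAINS:
        if osa_distance(domain, ours) <= max_distance:
            return "lookalike"
    return "external"


# Constructed sample From: headers, not taken from any real mailbox.
SAMPLE_FROM_HEADERS = [
    '"CEO" <ceo@xyzwidgets.com>',
    '"CEO" <ceo@xyzwigdets.com>',  # transposed letters, as in the article
    '"CEO" <ceo@xyzwidget.com>',   # one letter dropped
    "vendor@example.net",
]


def scan(headers=SAMPLE_FROM_HEADERS) -> dict:
    return {h: classify_sender(h) for h in headers}
```

Run `scan()` to get a verdict per header; in a mail gateway the lookalike verdict would add a warning banner or quarantine the message for review.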

Some people might refer to this as a phishing or spear-phishing attack and wonder how it got through their spam and antivirus filters. It is not phishing; rather, it is a low-volume, highly targeted “confidence trick” that does not have the same markers as a typical phishing email.

This is an old-school trick that is not often seen in email scams. The scammer cons the victim slowly, first gaining their trust and then moving in for the kill.

In some of the emails received, the first email doesn’t even request a specific amount of money. It asks the victim whether they could initiate a wire transfer today. The victim, thinking it’s coming from a co-worker who might plausibly ask for a wire transfer, replies to the scammer. The scammer then engages in a brief email exchange, eventually asking for a specific amount. The scammer even confirms that the money went through, probably to prevent the victim from becoming suspicious and reversing the transfer.

CryptoWall 4.0

CryptoWall 4.0 is the latest variant in the CryptoWall family of viruses. If you are unfamiliar with CryptoWall (Trojan:W32/Cryptowall), it is ransomware that silently encrypts files on the victim’s machine and then demands a ransom for the decryption key needed to decrypt the files and restore the machine. Typically, the ransom is between $500 and $700.

In the latest 4.0 variant of CryptoWall, the software not only encrypts files, it now also encrypts filenames. According to industry experts, this is done to confuse the victim and ultimately make them more likely to pay the ransom demanded.

CryptoWall 4.0 also carries a significantly different ransom message than previous versions. Earlier versions tried to frighten and harass victims. Now, instead of reading as a threat from the attacker, the message recommends “purchasing the software package” for some sum of money, payable in Bitcoin, to restore any encrypted files.

Similarly, the software has also changed the ‘help’ files placed in the encrypted directories. The new files are titled “HELP_YOUR_FILES.” When opened, the file says “Congratulations! You have become a part of large community CryptoWall!” Instructions then follow on how to pay the ransom and decrypt your data.

Protect Yourself
[Image: Trojan Alert Email Popup - Antivirus] An example of an ESET alert window that popped up to warn me that one of the incoming emails contained the infected files. My anti-virus removed the infected email.

Make sure your email client has a top-grade anti-virus solution that will catch most of the offending trojans. Beyond that, the best course of action is to educate yourself and the members of your Organization. Do not blindly open or reply to any emails from unknown or suspicious senders.

If you receive an email asking you to perform a wire transfer, call or ask the sender first to ensure that the request is valid. Do not reply to the email itself: if a reply is sent, the attacker knows that the email address is legitimate and will continue to send fake wire transfer emails to your Organization.

Similarly, do not open emails that look suspicious. CryptoWall is typically delivered through an email inviting the user to click a link or open an attachment. Once the link or attachment is opened, the software is silently installed and executed, and once executed there is typically no turning back.

Contact your IT department. powersolution.com is always available: if an email looks suspect, please give us a call at (855) 551-7760 so we can review it and see whether any further action is required.

How is your state of IT? Call Us: (855) 551-7760 with any questions.