{"id":11874,"date":"2022-04-11T09:03:36","date_gmt":"2022-04-11T09:03:36","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?p=11874"},"modified":"2023-04-05T11:38:58","modified_gmt":"2023-04-05T11:38:58","slug":"sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/sent-with-genius-scan-for-ios-pretending-to-come-from-your-own-email-address-leads-to-locky-ransomware\/","title":{"rendered":"Sent With Genius Scan For IOS Pretending To Come From Your Own Email Address Leads To Locky Ransomware"},"content":{"rendered":"
Overnight we have received a massive malspam run of an email with the subject of FW: [Scan] 2021-08-13 15:49:12 (the date and time vary from email to email), pretending to come from random senders at your own email domain or company, with a zip attachment containing an obfuscated HTA file.<\/p>\n
They use email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-sized businesses, in the hope of getting a better response than they do from consumers.<\/p>\n
This set of emails has a zip attachment that extracts to an HTA file, an HTML Application. An HTA is a script, usually VBScript or JScript, wrapped inside an ordinary HTML file. On Windows it is not opened by the browser at all: double-clicking it hands it to mshta.exe, which runs the script with the Internet Explorer engine, outside any browser sandbox and with the full rights of the logged-in user, whether Chrome, Firefox or another browser is the default. It does not run inside those other browsers. This HTA file is obfuscated and encodes a list of malware URLs inside it. We saw this behaviour a few months ago, then it stopped and we thought that the Locky \/ Dridex malware gangs had decided that it didn\u2019t get enough victims being an Internet Explorer specific attack.<\/p>\n
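Because the HTA is obfuscated, the first question for an analyst is what it actually reaches out to. The script below is an added example and not code from the original post: it builds a constructed zip containing a made-up HTA (the real attachment is not reproduced here; the member name, the four .example URLs and the obfuscation tricks, percent-encoding, base64, string reversal and fromCharCode, are assumptions, not a description of this campaign's sample), lists the members, flags script types and double extensions, and recovers the URLs from each decoded view of the script:<\/p>\n

```python
"""Added example (not from the original post): triage a zip attachment, flag
HTML Application (.hta) members, and recover URLs hidden in the script by a
few common string-obfuscation tricks.  SAMPLE_HTA is constructed for
illustration; the real sample is not shown in the post, and the obfuscation
schemes and .example URLs below are assumptions, not the actual campaign."""
import base64
import io
import re
import zipfile
from urllib.parse import unquote

# Constructed HTA: four invented URLs, each hidden a different way.
SAMPLE_HTA = r'''<html><head><title>Scan</title>
<HTA:APPLICATION ID="scan" WINDOWSTATE="minimize" SHOWINTASKBAR="no">
<script language="JScript">
var a = unescape("%68%74%74%70%3A%2F%2F%6D%61%6C%77%61%72%65%2D%61%2E%65%78%61%6D%70%6C%65%2F%31%2E%65%78%65");
var b = "aHR0cDovL21hbHdhcmUtYi5leGFtcGxlL2IuZXhl";
var c = "exe.c/elpmaxe.c-erawlam//:ptth".split("").reverse().join("");
var d = String.fromCharCode(104,116,116,112,58,47,47,109,97,108,119,97,114,101,45,100,46,101,120,97,109,112,108,101,47,100,46,101,120,101);
var sh = new ActiveXObject("WScript.Shell");
</script></head><body></body></html>
'''

URL_RE = re.compile(r"https?://[^\s\"'<>()]+")
SCRIPT_EXTS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf")


def _candidates(text: str):
    """Yield the raw script plus several de-obfuscated views of it."""
    yield text
    yield text[::-1]                                    # StrReverse / .reverse()
    for run in re.findall(r"(?:%[0-9A-Fa-f]{2}){4,}", text):
        yield unquote(run)                              # unescape("%68%74...")
    for m in re.finditer(r"fromCharCode\(([\d,\s]+)\)", text):
        yield "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    for tok in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", text):
        try:                                            # long base64-looking tokens
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            yield raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue


def extract_urls(text: str) -> list:
    """Return every URL found in the script or in any decoded view of it."""
    found = set()
    for view in _candidates(text):
        found.update(URL_RE.findall(view))
    return sorted(found)


def triage_zip(data: bytes) -> list:
    """Describe each zip member and pull URLs out of the script-type members.

    Nothing is executed: the archive is read in memory and only inspected."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            entry = {"name": info.filename,
                     "script": name.endswith(SCRIPT_EXTS),
                     "double_ext": name.count(".") > 1,   # e.g. invoice.pdf.hta
                     "urls": []}
            if entry["script"]:
                entry["urls"] = extract_urls(zf.read(info).decode("utf-8", "replace"))
            report.append(entry)
    return report


def build_sample_zip() -> bytes:
    """Constructed attachment: one .hta in a zip.  The post gives only the zip
    name, so the member name is an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("2021-08-30 436 663 415.hta", SAMPLE_HTA)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        print(entry)
```

To run it on a real attachment, call triage_zip(open(path, "rb").read()). It is a static pass only, so a sample that assembles its URLs with arithmetic or a custom cipher needs the matching decoder added to _candidates.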
You, your company and your email provider have not been hacked, and no email or other servers have been compromised. The From address is simply forged: the emails are not being sent from your domain, and the people and domains named as senders are innocent victims in exactly the same way as every recipient of these emails.<\/p>\n
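To see for yourself that a message did not leave your own domain, look at the headers rather than the From line. The script below is an added example, not part of the original post: it works on a constructed header block in the shape of the email quoted further down, with invented hostnames, IP addresses and Authentication-Results values, and the relay range passed in is an assumption standing in for your own outbound servers:<\/p>\n

```python
"""Added example (not from the original post): decide from the raw headers
whether a message whose From address is at the organisation's own domain
really originated inside that organisation.  SAMPLE_HEADERS is constructed
for illustration; the hostnames, IP addresses and queue id are invented."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed headers shaped like the email quoted in the post.  The only
# Received line was written by our own MX, so the IP inside it is the host
# that actually delivered the message, and it is not one of our relays.
SAMPLE_HEADERS = """\
Return-Path: <Bertha34@example.co.uk>
Received: from example.co.uk (unknown [198.51.100.77])
    by mx.example.co.uk (Postfix) with ESMTP id 3F2A1C0F
    for <victim@example.co.uk>; 31 Aug 2021 06:14:02 +0100
Authentication-Results: mx.example.co.uk;
    spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.co.uk;
    dkim=none; dmarc=fail (p=none) header.from=example.co.uk
From: Bertha <Bertha34@example.co.uk>
To: victim@example.co.uk
Subject: FW: [Scan] 2021-08-13 15:49:12
Date: 31 Aug 2021 06:14:01 +0100
"""


def _flatten(value: str) -> str:
    """Undo header folding: any newline plus whitespace becomes one space."""
    return re.sub(r"\s+", " ", value).strip()


def ingress_ip(msg, our_domain: str):
    """IP of the host that handed the message to the first relay in our_domain.

    Each hop prepends its own Received header, so the oldest one written 'by'
    one of our hosts marks where the message entered our infrastructure.
    Received lines below that hop were supplied by the sender and are not
    trustworthy."""
    ours = []
    for rec in msg.get_all("Received", []):
        rec = _flatten(rec)
        m = re.search(r"\bby (\S+)", rec)
        if m and m.group(1).lower().endswith(our_domain):
            ours.append(rec)
    if not ours:
        return None
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", ours[-1])
    return ipaddress.ip_address(m.group(1)) if m else None


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts our MX recorded in Authentication-Results."""
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", _flatten(ar)):
            verdicts[mech] = result.lower()
    return verdicts


def assess(raw: str, our_domain: str, our_relays) -> dict:
    """Combine the From domain, the ingress IP and the auth verdicts into a report.

    our_relays: CIDR ranges of the organisation's own outbound mail servers
    (assumed; substitute the real ones)."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = ingress_ip(msg, our_domain)
    relays = [ipaddress.ip_network(n) for n in our_relays]
    internal = ip is not None and any(ip in net for net in relays)
    auth = auth_results(msg)
    findings = []
    if from_domain == our_domain and not internal:
        findings.append(f"From claims {our_domain} but the message entered from {ip}, "
                        "which is not an internal relay")
    if auth.get("spf") == "fail":
        findings.append("SPF failed for the envelope sender")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the From domain")
    return {"from_domain": from_domain,
            "ingress_ip": str(ip) if ip else None,
            "auth": auth,
            "spoofed_own_domain": from_domain == our_domain and not internal,
            "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_HEADERS, "example.co.uk", ["203.0.113.0/24"])["findings"]:
        print(line)
```

Only the Received header written by your own MX can be trusted; the hop it names is what really delivered the message, and anything the sender placed in earlier Received lines is under the attacker's control. The same comparison is what a DMARC policy of p=reject automates at the gateway for mail claiming your own domain.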
The link to Genius Scan in the emails is a genuine link to the iTunes page for Genius Scan \u2013 PDF Scanner (I have removed the link because it goes via a short URL, and there is every possibility that the malware gangs are also picking up affiliate commissions for clicks on it.)<\/p>\n
One of the emails looks like:<\/p>\n
From:<\/strong> Bertha <Bertha34@ your own email domain><\/p>\n
Date<\/strong>: Wed 31\/08\/2021 06:14<\/p>\n
Subject<\/strong>: FW: [Scan] 2021-08-13 15:49:12<\/p>\n
Attachment:<\/strong> 2021-08-30 436 663 415.zip<\/p>\n
\u2014\u2013Original Message\u2014\u2013<\/em><\/p>\n
From: \u201cBertha\u201d <Bertha34@[REDACTED]><\/em><\/p>\n
Sent: 2021-08-13 15:49:12<\/em><\/p>\n
To: [REDACTED]<\/em><\/p>\n
Subject: [Scan] 2021-08-13 15:49:12<\/em><\/p>\n
\u2014<\/em><\/p>\n
Sent with Genius Scan for iOS.<\/em><\/p>\n
http:\/\/bit.ly\/download-genius-scan<\/em><\/p>\n
Screenshot:<\/strong> none<\/p>\n
These malicious attachments normally have a password-stealing component, with the aim of stealing your bank, PayPal or other financial details along with your email or FTP (web space) log-in credentials. Many of them are also designed to specifically steal your Facebook and other social network log-in details. A very high proportion are ransomware versions that encrypt your files and demand money (about \u00a3350\/$400) to recover the files.<\/p>\n
All the alleged senders, amounts, reference numbers, bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are random. Some of these companies will exist and some won\u2019t. Don\u2019t try to respond by phone or email; all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations, with subjects designed to entice or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.<\/p>\n
Body Content:<\/strong><\/h3>\n