{"id":16505,"date":"2022-07-06T15:29:46","date_gmt":"2022-07-06T15:29:46","guid":{"rendered":"https:\/\/myonlinesecurity.co.uk\/?page_id=16505"},"modified":"2023-04-05T12:42:18","modified_gmt":"2023-04-05T12:42:18","slug":"spoofed-fbi-tiket-alert-delivers-locky-ransomware","status":"publish","type":"page","link":"https:\/\/myonlinesecurity.co.uk\/spoofed-fbi-tiket-alert-delivers-locky-ransomware\/","title":{"rendered":"Spoofed FBI Tiket Alert Delivers Locky Ransomware"},"content":{"rendered":"
An email spoofing the FBI, with the subject "Tiket alert 331328222" and pretending to come from random senders, carries a malicious Word doc that downloads Locky ransomware.

They are using email addresses and subjects that will scare or entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium-size businesses, with the hope of getting a better response than they do from consumers.

The FBI has not been hacked or had their email or other servers compromised. They are not sending the emails to you. They are just innocent victims in exactly the same way as every recipient of these emails.

The email looks like:

From: Ngoc Trane <dpeupyl0386@eiv.cl>
Date: Mon 23/01/2017 13:14
Subject: Tiket alert 331328222
Attachment: information.doc

Body content:

From: FBI service [dpeupyl0386@fbi.com]
Date: Mon, 23 Jan 2017 14:14:09 +0100
Subject: Tiket alert

Look at the attached file for more information.
Assistant Vice President, FBI service
Management Corporation

Screenshot: none

23 January 2017: information.doc. Current VirusTotal detections: Payload Security shows a download from http://unwelcomeaz.top/2/56.exe (VirusTotal | Payload Security). Last week this site was delivering Locky ransomware, which is continuing today. It also looks like this Locky version is trying to download and install the Opera browser as well. I can't see any reason for it, except to try to confuse the recipient who thinks the file is innocent. The actual 56.exe pretends to be an Adobe Flash Player 13 file.

Previous campaigns over the last few weeks have delivered numerous different download sites and malware versions. There are frequently 5 or 6, and even up to 150, download locations on some days, sometimes delivering exactly the same malware from all locations and sometimes slightly different malware versions. Dridex/Locky does update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of these nasty ransomware or banking password-stealer Trojans.

All the alleged senders, companies, names of employees, phone numbers, amounts, reference numbers etc. mentioned in the emails are innocent and are just picked at random. Some of these companies will exist and some won't. Don't try to respond by phone or email; all you will do is end up with an innocent person or company who has had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, government departments and other organisations, with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.

This email attachment contains what appears to be a genuine Word doc or Excel XLS spreadsheet with either a macro script or an embedded OLE object that, when run, will infect you.

Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, should be automatically set to higher security to protect you.

By default, protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Definitely DO NOT follow the advice they give to enable macros or enable editing to see the content.

Most of these malicious Word documents either appear to be totally blank or look something like these images when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365. Some versions pretend to have a digital RSA key and say you need to enable editing and macros to see the content. Do NOT enable macros or editing under any circumstances.