With the holiday season upon us, it’s time for people to celebrate and give thanks. Cybercriminals also rejoice in the chance to take advantage of “good cheer” in many ways. Targeted phishing attacks are one of them. Recently our email security analysts in the EdgeWave Threat Detection Center found the latest example: a new Thanksgiving Holiday Virus.

The email was first caught when EdgeWave customers submitted it via our Postdelivery Detection anti-phishing solution ThreatTest. The email was automatically routed to our Threat Detection Center and instantly run through seven different AV engines. The virus was identified, hinting that perhaps this was yet another variant of the well-known, and widely spread, Trojan.Emotet. EdgeWave analysts generally see the Trojan.Emotet samples dealing with accounting or finance phishing email. Recent examples include B2B Invoices, Payments, Payroll, Update Personal Information, DHL, PayPal, UPS, BOA, Wells Fargo, Acknowledgment, Factura and Intuit Invoice. The possible use of Trojan.Emotet in a holiday themed campaign is a unique twist.

The campaign successfully imitates legitimate user names, email addresses and email signatures. As people rushed off for the long holiday weekend, this apparent legitimacy made it harder for unsuspecting users to tell good from bad based on the tenets of Security Awareness Training. The messages even go so far as to include actual Thanksgiving quotes (W.J. Cameron and Marcus Samuelsson are two examples), using multiple versions to defeat email security solutions that use fuzzing techniques to look for similarities. All in all, these were very impressive phishing messages designed to trigger holiday emotions in lax (holiday focused) users.

Attached to each message is a Thanksgiving Day greeting card variant. The content of these emails may easily be interpreted as innocuous and harmless to the recipient. eGreeting cards are very popular during this time of year and many companies send out holiday greetings to their employees. What made detection more difficult is the different names used for the attachment. While “Thanksgiving Day” is commonly used in the attachment name, EdgeWave has seen variants where this was not part of the name.

Trojan Emotet Phishing

EdgeWave predicts that this is the opening salvo in a long line of holiday themed phishing campaigns. Holidays and popular events (think World Cup) are always lucrative for cybercriminals and everyone should be extra cautious. Unfortunately, most people tend to do the opposite, thinking everyone is in the holiday spirit. Below are a few simple steps to protect yourself from this campaign, both at work and home.

  1. eGreeting cards in most cases will not be attached to the email, and will not arrive in .doc (MS Word) format.
  2. Look at the sender of the ecards. The sender can easily be spoofed. Before opening any attachment, check with the person who supposedly sent the email by some means other than replying to the email. An email reply may just go back to the person spreading the virus.
  3. Look for valid ecard websites in the email (hallmarkecards.com, americangreetings.com, bluemountain.com, 123greetings.com). These will most often be links within the email, not attachments.

Sample Subject lines EdgeWave saw for this attack:

  1. Thanksgiving Day Congratulation
  2. Happy Thanksgiving Day Greeting Message
  3. [Recipient Name] Thanksgiving eCard
  4. Happy Thanksgiving Day Message
  5. Happy Thanksgiving Day wishes
  6. Congratulations on Thanksgiving
  7. Thanksgiving Day Card
  8. Thanksgiving Greeting Card
  9. Thanksgiving email Greetings
  10. Thanksgiving Greetings
  11. Thanksgiving Wishes
  12. Thanksgiving ecard
  13. Several combinations of 1-12

For security professionals, be on the lookout for the following:

  • MD5: 1c4d74c061556e04351c126f705cdcd9
  • SHA256: 9c82704271e8ac0306d06c2d737865b2a81249be9c8ac5dac8247b9fe71892c8
  • Jino.ru
  • poneytelecom.eu
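As an added example (not EdgeWave's code or ThreatTest logic), here is a small Python triage function that applies the indicators above, the sample subject-line wording, and the "e-cards are links, not .doc attachments" rule to mail-gateway records. The record layout, the token-overlap threshold and the scoring weights are assumptions; the sample records are constructed.

```python
import re
from dataclasses import dataclass, field

# Indicators quoted in the post above.
KNOWN_MD5 = {"1c4d74c061556e04351c126f705cdcd9"}
KNOWN_SHA256 = {"9c82704271e8ac0306d06c2d737865b2a81249be9c8ac5dac8247b9fe71892c8"}
SUSPECT_DOMAINS = {"jino.ru", "poneytelecom.eu"}
# Vocabulary of the twelve sample subject lines; the variants recombine these words,
# so word overlap is checked instead of exact subject strings.
SUBJECT_VOCAB = {"thanksgiving", "day", "congratulation", "congratulations", "happy",
                 "greeting", "greetings", "message", "ecard", "card", "email", "wishes"}
# Legitimate e-cards arrive as links, so a Word attachment is the suspicious shape.
WORD_EXTS = (".doc", ".docm", ".docx")

@dataclass
class GatewayRecord:
    """One message as a mail gateway might log it (assumed layout; hashes precomputed)."""
    sender: str
    subject: str
    attachment_name: str = ""
    attachment_md5: str = ""
    attachment_sha256: str = ""
    urls: list = field(default_factory=list)

def subject_similarity(subject: str) -> float:
    """Share of subject words drawn from the campaign vocabulary; order-insensitive."""
    words = re.findall(r"[a-z]+", subject.lower())
    return sum(w in SUBJECT_VOCAB for w in words) / len(words) if words else 0.0

def host_of(url: str) -> str:
    m = re.match(r"(?:https?://)?([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def score_record(rec: GatewayRecord) -> tuple[int, list[str]]:
    """Return (score, reasons); in this example a score of 5 or more means quarantine."""
    score, reasons = 0, []
    if rec.attachment_md5.lower() in KNOWN_MD5 or rec.attachment_sha256.lower() in KNOWN_SHA256:
        score += 10
        reasons.append("attachment hash matches the published Emotet sample")
    hosts = {host_of(u) for u in rec.urls} | {rec.sender.rsplit("@", 1)[-1].lower()}
    for h in sorted(hosts):
        if any(h == d or h.endswith("." + d) for d in SUSPECT_DOMAINS):
            score += 5
            reasons.append(f"sender or link host is an indicator domain: {h}")
    themed = subject_similarity(rec.subject) >= 0.5  # assumed threshold
    if themed:
        score += 2
        reasons.append("subject matches holiday e-card wording")
    if rec.attachment_name.lower().endswith(WORD_EXTS):
        score += 3 if themed else 1  # a Word file posing as an e-card weighs more
        reasons.append("Word-format attachment" + (" presented as an e-card" if themed else ""))
    return score, reasons
```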

EdgeWave blocked over 30,000 variants of this campaign between November 20th and 26th. Most importantly, we saw that many of these variants leveraged a version of the same campaign used over Independence Day in 2018. Our analysts believe that these virus-laden greeting emails will also occur over the next few weeks using other holiday themes.

This is a time of year when users are especially pressed for time and distracted. Be sure to let all users know of the increased risk of this attack vector and the potential for others. It is also highly advised to use an automated anti-phishing solution like EdgeWave’s post-delivery detection solution ThreatTest to provide another vital layer in your email defense posture.