Ransomware That Steals Email Accounts Is Spreading Through Fake Electricity Bills

There is ransomware going around that is spreading through emails posing as AGL electricity bills. Not only does it hold files to ransom, it also installs keylogging software on compromised PCs in order to steal email account details. Attackers can then use those email accounts to spread the ransomware further. Here's what you need to know.

The ransomware was detected by security vendor Check Point's Incident Response Team. Dodgy emails purporting to be from electricity company AGL contain links that redirect users to a website where the ransomware is downloaded. It appears to be targeting Windows PCs only.

According to Check Point:

"The fake page looks realistic and contains a captcha that users need to complete. If a user tries to visit this page via a mobile device or Apple Mac it will give them an error message saying they need to access it from a Microsoft Windows computer. This results in a number of users forwarding it to their corporate e-mail."

The Check Point team recommends that organisations start inspecting HTTPS traffic and employ sandboxing that can hold and block the initial downloaded file, as a starting point for warding off this ransomware attack. Companies should also use whitelisting and perform scrubbing on incoming documents, the team said.


Comments

    "If a user tries to visit this page via a mobile device or Apple Mac it will give them an error message saying they need to access it from a Microsoft Windows computer"

    This in and of itself should give you a red flag because a) no site will tell you to view it on a specific OS and machine. This instruction alone is fishy enough. b) the website is outdated and thus cannot be viewed on a mobile. Websites without a responsive design give someone the feel that they are not up to date and must not have the basic protections for their site, to fall prey to ransomware or other vulnerabilities.

    Make sure you have an anti-virus that is working and up to date, as well as a system restore software like Rollback Rx or Comodo to reverse any changes made by the ransomware.

      Doesn't matter how good your anti-virus is, that's the reason so many people got infected with this specific crypto.
      Although those programs MAY work there is also a high chance they won't. The only real solution to these viruses once infection hits is restoring from a proper backup. Once infected I wouldn't trust the PC unless it is re-imaged.

    Sad thing....this was posted yesterday.
    The fake website was already closed down by then.

    "This results in a number of users forwarding it to their corporate e-mail."

    We are creatures of habit and familiarity too.
    Yet something out of the norm triggers curiosity, and funny enough, some purposely will circumvent/bypass roadblocks to pursue their interests.

    If one gets an email purporting to be from someone/something, ask yourself: Do I have any business with or know the sender?

    I can't fathom why people follow up on such scams or correspondences to begin with.

    Even if you're a subscriber of the purported sender, ask another question: Does the correspondence look/appear to be different?

    Companies usually have an explanation if processes/procedures change.
    If you're unaware or have doubt, contact them directly.

    Granted, your endpoint security is important, but common sense is a more valuable tool to mitigate against these sorts of scams.

    Last edited 05/06/16 8:07 am
