The Well-Masked Email Attack You Might Not See Coming

As cyber attacks multiply, many companies run cybersecurity awareness training for their employees. Most are taught to spot the classic signs of a phishing email, such as:

  1. Never act on an unsolicited email from someone you don’t know.
  2. Look out for typos and grammatical errors.
  3. Don’t open attachments or click embedded links from unknown senders.
  4. Be on alert if an email does not carry a legitimate signature.

Attackers raise their game as end users learn these tricks. They now use far subtler techniques to reach their victims.

Commandeering On-going Email Conversations

Report after report identifies email as the leading vehicle for cyberattacks. PhishMe found that phishing emails are behind roughly 91% of cyberattacks, which is to say that about 9 out of 10 successful attacks trace back to a phishing attempt. Verizon’s research puts email as the delivery method for 92% of malware.

Ursnif is one of the most prevalent email-borne banking Trojans in the threat landscape. It is not new; it has simply evolved. Its recent success comes from a well-played email delivery strategy that is hard to spot: Ursnif arrives in the victim’s inbox as a reply within a legitimate, ongoing email thread. Defenses are down when a message appears to continue an exchange with a “known sender”, so the “RE:” message sets the perfect stage for an attack.

Other things make this email hard to spot. It DOES NOT contain grammatical errors or spelling mistakes. It DOES carry a signature.

6 Steps to Infection:

This type of email always contains an attachment: a password-protected, encrypted archive wrapping a Microsoft Office file (Word, Excel, PowerPoint, etc.). According to Cisco’s 2018 Annual Cybersecurity Report, the malicious file extensions hackers used most in 2018 were Microsoft Office formats.

The message body contains the password to unlock the attachment. The attack involves 6 steps, but the victim only needs to perform the first 3; the macro they enable carries out the rest:

  1. Download the zipped file and enter the password
  2. Open the Word document
  3. Enable macros
  4. The macro downloads a file with a .gas file extension
  5. The file is renamed to a random name with an .exe extension
  6. The new .exe is executed and sends an HTTP GET request to the command-and-control (C&C) server

Ursnif infects the system as soon as the recipient opens the attachment and enables macros.
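The six steps above are also what an endpoint sensor sees. As an added example (not part of the original article, and not Ursnif’s or any vendor’s code), the Python below flags the chain in Sysmon-style process, file and network events: an Office application writes a .gas file, the same application spawns an .exe from a user-writable folder, and that new process makes an outbound connection. The events, field names, paths, PIDs and IP addresses are constructed for the example, and the rule assumes the events arrive in time order.

```python
"""Added example: spot the macro-to-executable chain from the steps above in endpoint telemetry.
Illustrative code written for this article, not Ursnif's code or any vendor's rule. The events
below are constructed, Sysmon-style records; field names, paths, PIDs and addresses are assumptions.
"""
import ntpath
from collections import defaultdict

# Office applications that host the malicious macro (step 3 above).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def image_name(path):
    """Lower-case file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def user_writable(path):
    """Locations a macro can write to without elevation (assumption: Temp, AppData, Public)."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def detect_macro_dropper_chain(events):
    """Return one finding per process that completes the chain, in time order:
      1. an Office process writes a file with the .gas extension (step 4),
      2. the same Office application spawns an .exe from a user-writable path (steps 5-6),
      3. that child process makes an outbound connection (the HTTP GET to the C&C server).
    Each condition alone is noisy; the ordered sequence is the signal."""
    gas_written = defaultdict(set)   # host -> Office app names that wrote a .gas file
    suspicious_children = {}         # (host, pid) -> exe path spawned by such an Office app
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "FileCreate":
            writer = image_name(ev["image"])
            if writer in OFFICE_APPS and ev["target"].lower().endswith(".gas"):
                gas_written[host].add(writer)
        elif ev["type"] == "ProcessCreate":
            parent, child = image_name(ev["parent_image"]), ev["image"]
            if (parent in gas_written[host] and child.lower().endswith(".exe")
                    and user_writable(child)):
                suspicious_children[(host, ev["pid"])] = child
        elif ev["type"] == "NetworkConnect":
            child = suspicious_children.get((host, ev["pid"]))
            if child:
                findings.append({"host": host, "pid": ev["pid"], "image": child,
                                 "dest": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return findings


# Constructed sample telemetry (not real logs). Paths and addresses are made up.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TEMP = r"C:\Users\bob\AppData\Local\Temp"

SAMPLE_EVENTS = [
    # Benign: Word saves a document; Outlook opens a link in the browser.
    {"type": "FileCreate", "host": "ws01", "image": WINWORD,
     "target": r"C:\Users\bob\Documents\Q3 report.docx"},
    {"type": "ProcessCreate", "host": "ws01", "pid": 3001, "parent_image": OUTLOOK, "image": CHROME},
    {"type": "NetworkConnect", "host": "ws01", "pid": 3001, "dest_ip": "203.0.113.10", "dest_port": 443},
    # Malicious: the enabled macro downloads a .gas file, renames it to a random .exe and runs it.
    {"type": "FileCreate", "host": "ws01", "image": WINWORD, "target": TEMP + r"\update.gas"},
    {"type": "FileCreate", "host": "ws01", "image": WINWORD, "target": TEMP + r"\qZk3pLm9.exe"},
    {"type": "ProcessCreate", "host": "ws01", "pid": 4120, "parent_image": WINWORD,
     "image": TEMP + r"\qZk3pLm9.exe"},
    {"type": "NetworkConnect", "host": "ws01", "pid": 4120, "dest_ip": "198.51.100.7", "dest_port": 80},
    # Benign on another host: a user runs an installer from Explorer, not from Word.
    {"type": "ProcessCreate", "host": "ws02", "pid": 5100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\amy\AppData\Local\Temp\setup.exe"},
    {"type": "NetworkConnect", "host": "ws02", "pid": 5100, "dest_ip": "192.0.2.4", "dest_port": 443},
]

if __name__ == "__main__":
    for f in detect_macro_dropper_chain(SAMPLE_EVENTS):
        print(f"ALERT {f['host']}: {f['image']} (pid {f['pid']}) -> {f['dest']}")
```

Run as-is it reports only the ws01 chain; the Explorer-launched installer on ws02 and the browser Outlook opened are left alone, because the rule keys on the sequence rather than on any single event. In a real deployment the .gas extension is the most brittle part of the rule, so the Office-parent plus user-writable-exe plus network-connection portion is the one worth keeping even if the first stage changes its file name.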

Once infected, Ursnif will:

  1. Record keystrokes, opened programs, created files and data copied to the Windows clipboard
  2. Steal financial login details
  3. Give the recorded data files random names and save them in the Temp folder as log files
  4. Archive the log files and send them to a Tor server under the malware operator’s control. With the victim’s keystrokes and logins in hand, the attacker can take over that mailbox too and hijack its conversations next.

How to spot a commandeered email:

Clearly, the campaign described above is more sophisticated than a typical phishing attack. But it is not without flaws. Here are some ways to spot the bogus reply:

  1. The message body is out of context with the rest of the thread. It does not open with a personal salutation such as “Hello Bob”; instead it often starts with generic verbiage like “Good Afternoon”.
  2. The password needed to open the attachment is listed in the body of the email.
  3. The email signature often looks different from the one in earlier messages.
  4. The attack email is written in English, even when the earlier messages in the thread are in another language.
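Three of those indicators, together with the password-protected archive and macro document from the infection steps, can be checked mechanically before a message reaches the inbox. As an added example (not part of the original article, and not Omega Systems’ or any vendor’s filter), the Python below scores a raw message: a reply that opens with a generic greeting, a password pasted into the body, an archive or Office attachment, an encrypted ZIP, and an Office package that carries a VBA project. The two messages and the archive are constructed samples; the greeting list, the password pattern, the score weights and the threshold are assumptions, not published values.

```python
"""Added example: score an inbound reply against the indicators above (generic greeting,
password in the body, password-protected archive, macro-enabled document inside).
Constructed samples; the greeting list, password pattern, weights and threshold are assumptions."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

GENERIC_GREETINGS = ("good morning", "good afternoon", "good evening", "hello,", "hi,",
                     "dear sir", "dear madam", "greetings")
PASSWORD_RE = re.compile(r"\bpass(?:word|code)?\s*(?:is|:)\s*([^\s,.;]+)", re.IGNORECASE)  # "Password: X"
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm", ".pptx")


def inspect_zip(data, password=None):
    """Is the ZIP password-protected, and does it (or an Office file inside) carry a VBA project?
    Modern Office files are ZIPs holding word/vbaProject.bin when they have macros; legacy OLE .doc is skipped."""
    def has_vba(zf):
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    report = {"encrypted": False, "macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["macros"] = has_vba(zf)
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0 = encrypted entry
            report["encrypted"] = report["encrypted"] or encrypted
            if not info.filename.lower().endswith(OFFICE_EXT):
                continue
            try:  # the password pasted into the body is exactly what lets a scanner look inside
                member = zf.read(info, pwd=password.encode() if encrypted and password else None)
            except (RuntimeError, zipfile.BadZipFile):
                continue  # no or wrong password: the contents stay opaque
            if zipfile.is_zipfile(io.BytesIO(member)):
                with zipfile.ZipFile(io.BytesIO(member)) as inner:
                    report["macros"] = report["macros"] or has_vba(inner)
    return report


def score_message(raw):
    """Score one raw RFC 5322 message; returns (score, reasons). A score of 5 or more (assumed) means hold it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []
    is_reply = (msg["Subject"] or "").strip().lower().startswith(("re:", "fw:", "fwd:"))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first_line = next((ln.strip().lower() for ln in text.splitlines() if ln.strip()), "")
    if is_reply and first_line.startswith(GENERIC_GREETINGS):
        score += 1
        reasons.append("reply opens with a generic greeting, not a personal salutation")
    match = PASSWORD_RE.search(text)
    password = match.group(1) if match else None
    if password:
        score += 2
        reasons.append("attachment password is supplied in the message body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith((".zip",) + OFFICE_EXT):
            continue
        score += 1
        reasons.append(f"archive or Office attachment: {name}")
        data = part.get_payload(decode=True)
        if zipfile.is_zipfile(io.BytesIO(data)):
            report = inspect_zip(data, password)
            if report["encrypted"]:
                score += 2
                reasons.append("archive is password-protected, so it cannot be scanned blind")
            if report["macros"]:
                score += 3
                reasons.append("Office document carries a VBA macro project")
    return score, reasons


def build_malicious_zip():
    """Constructed stand-in for the lure: a ZIP holding a .docm whose package has a vbaProject.bin."""
    docm, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2841.docm", docm.getvalue())
    return outer.getvalue()


def build_message(subject, body, attachment=None):  # constructed sample; addresses are fictitious
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sandra.lee@example-supplier.com", "bob@example.org", subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(attachment[1], maintype="application", subtype="zip", filename=attachment[0])
    return msg.as_bytes()


HIJACKED_REPLY = build_message("RE: Q3 invoice reconciliation",
    "Good Afternoon,\n\nPlease see the attached document. Password: Inv2019\n\nRegards,\nSandra Lee",
    ("Invoice_2841.zip", build_malicious_zip()))
LEGIT_REPLY = build_message("RE: Q3 invoice reconciliation",
    "Hi Bob,\n\nThanks, I'll have the revised figures to you by Thursday.\n\nSandra")

if __name__ == "__main__":
    for label, raw in (("hijacked", HIJACKED_REPLY), ("legit", LEGIT_REPLY)):
        score, reasons = score_message(raw)
        print(label, score, "QUARANTINE" if score >= 5 else "deliver", reasons)
```

The constructed lure scores 7 (generic greeting, password in body, archive attachment, macro project) and the genuine reply scores 0. Two design points matter in practice: the password check is not just an indicator but a key, since feeding the body’s password to the archive is what lets the gateway see the macro document that the encryption was meant to hide; and the signature and language indicators from the list above are left out because they need the earlier messages of the thread for comparison, which a per-message filter does not have.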

So, how did they hijack the email in the first place?

Chances are the email account was already compromised, most likely through social engineering, password cracking, credential breaches or leaked PII (personally identifiable information), as in the Equifax breach. The attacker simply waited for the right moment to strike.

Many people don’t realize how much information about United States citizens is already in circulation. In January 2019 alone, some 1,769,185,063 user records were leaked. That leaked information is often enough to answer password-reset questions.

Hacking is a serious business and much more dangerous than the general public realizes. Cybersecurity Ventures research indicates cyber crime is more profitable than the global illegal drug trade: the illegal drug industry earns around $400 billion annually, while cyber criminals were estimated to have made roughly $600 billion in 2018. Meanwhile, consumer accounts sell on dark-web markets for as little as $1.

Hackers combine multiple data breaches into data tables to track and compare information. They look for email addresses, names and social security numbers, as well as previous addresses, aliases, health information, voting preferences and more. The tables surface what the records have in common, and from that they learn still more or draw conclusions. For example, a victim’s address, place of business, type of insurance and credit score could let a hacker accurately estimate that target’s income.

Face the giant

Are you ready to wave the white flag? Or did you conclude that an effective cybersecurity solution is simply out of reach? In reality, doing too little or nothing at all fuels the fire!

There are many theories about what will loosen hackers’ stronghold. No one person or business can bring down this giant, but collectively all businesses can do their part to devalue the business of hacking. The more you know, the more you can conquer. Businesses that prioritize security make hacking harder and less financially viable.

No business can be bulletproof. Adding multiple layers of security and regularly educating employees makes your business less attractive to a hacker. Consider this: we’ve mentioned that phishing emails are responsible for roughly 91% of cyber attacks. Imagine the impact of cutting that percentage in half. Omega Systems seeks to educate our customers with ongoing security strategies. This is our way of protecting our clients and minimizing overall risk.


An Ursnif infection is a serious problem. It is more dangerous than the average United States citizen realizes. Sensitive information and credentials are handed to hackers all day, every day.

Omega Systems wants everyone to stay alert to ALL emails, and we encourage employers to keep employees current with cybersecurity awareness training. We urge our clients to be wary of any email that carries both an attachment and the password to open it. If you suspect a bogus email, don’t open it! Instead, contact your IT support team immediately.

If you do fall prey to this infection, you are not alone. The Omega Systems cybersecurity team is ready to identify and eradicate all fallout.

Published September 19th, 2019 (updated 2020-03-15) | Cybersecurity, Omega Systems