Kaseya Fake Invoice Malware Attack Underlines Need for Stricter Email Security
Original blog post at: MSP Blog
This weekend, news broke that malicious emails requesting payment for licenses were sent in the name of remote management company Kaseya. This latest security headline is just one of many instances of malware launched through an email phishing scheme. The hackers, who haven't yet been identified, reportedly sent an email with a fake invoice attachment which, once opened, compromises the recipient's device with malware capable of stealing sensitive company data. If you've not yet heard of this latest hack sending tidal waves through the channel, let it serve as a warning. All employees and clients must screen any emails requesting payment for services, even those from a trusted name or company they do business with.
The Kaseya Email Attack Explained
On Saturday, January 16, Channelnomics reporter Sam Trendall exposed the false Kaseya email that landed in her inbox. According to her account, the email's subject line reads Kaseya Invoice followed by a random customer reference number to fake authenticity. Keeping up the ruse, the message is directed at the recipient company's Accounts Payable department, as shown in the screenshot provided by My Online Security:
The fake invoice with payment details is attached to the email as both a Microsoft Word document and a Microsoft Excel XLS spreadsheet. Once downloaded, malware such as Trojans, password stealers and ransomware infects the user's system.
It is worth noting that in each of these email impersonation attacks, the companies or individuals who've had their names used have not been hacked themselves. Unless their email servers have been compromised or some other vulnerability is exploited, they are not to blame for phishing attempts based on mimicry.
With that in mind, understand that hackers can make it look like any company is sending you a legitimate request, not just Kaseya. In case this latest attack signals a new trend in targeting companies in the IT services space, we advise you to be especially suspicious of invoice emails sent from any vendors within the channel, including those which may appear to come from Continuum.
If you do receive a phishing email like the one from Kaseya that's circulating, do not click anything in it or attempt to contact the sender. Along with other Microsoft Office tips like ensuring your programs are up-to-date, My Online Security reminds us that "if protected view mode is turned off and macros are enabled then opening this malicious document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you." Besides disabling edit mode and macros to protect against this or future malware attempts, above all never open any attachment in an email you aren't expecting or aren't sure is legitimate. Pro tip: files ending in .exe, .com, .pif, .scr or .js should never be clicked or downloaded. These extensions are indicators of malicious intent.
Thanks to social engineering, however, judging email legitimacy isn't always easy. Let's take a look at some of the tactics employed in the fake email above.
The attacker appears legitimate by addressing Accounts Payable rather than a random individual at the company. Knowing that this is the department that typically processes invoice payments, the scheme's crafters hope to gain trust. Similarly, the Kaseya customer service department email address, [email protected], is believable, as the tail duplicates the company's name and the "cs" could be an abbreviation for customer service. In a popular social engineering trick, attackers manipulate account details so that they differ only subtly from the original. Additionally, pay attention to the email signature. By including one, the attacker makes the message seem to come from a professional account. Also, the email address listed in the signature matches the sender's address, which makes it easier for recipients to mistakenly trust the message.
As a sanity check, create a list of all your vendors, when they typically invoice you, which addresses the emails come from and the follow-up contact information detailed in the body of the email. Then, each new time you receive an email requesting payment, cross-reference it with this list to make sure it's legitimate.
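The vendor cross-reference described above, together with the lookalike-address and risky-attachment checks from the preceding paragraphs, can be turned into a simple screening step. This is an added example, not code from the original post; the vendor registry and the sample message are constructed, and the domains are placeholders.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# Constructed registry (not from the post): vendor -> sending domain you verified out-of-band.
VENDOR_REGISTRY = {"Example Vendor": "examplevendor.example"}
# Extensions the post says never to open, and Office formats that can carry macros.
BLOCKED_EXT = {".exe", ".com", ".pif", ".scr", ".js"}
MACRO_EXT = {".doc", ".xls", ".docm", ".xlsm"}


def sender_domain(header_value):
    """Lower-cased domain of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def screen_invoice_email(raw_message):
    """Return findings for a payment-request email; an empty list means no flags."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = sender_domain(msg["From"])
    if from_domain not in VENDOR_REGISTRY.values():
        findings.append(f"sender domain {from_domain!r} is not a registered vendor")
        # Lookalike: the vendor's name appears in the domain, but it is not the exact domain on file.
        for vendor, domain in VENDOR_REGISTRY.items():
            if domain.split(".")[0] in from_domain:
                findings.append(f"sender domain resembles {vendor} ({domain})")
    reply_domain = sender_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From")
    for part in msg.walk():
        name = part.get_filename()
        ext = os.path.splitext(name)[1].lower() if name else ""
        if ext in BLOCKED_EXT:
            findings.append(f"attachment {name!r} has a blocked extension")
        elif ext in MACRO_EXT:
            findings.append(f"attachment {name!r} may carry macros; confirm with the vendor")
    return findings


# Constructed sample: an "invoice" from a lookalike domain with a Word attachment.
SAMPLE = (
    "From: Customer Service <cs@examplevendor-billing.example>\r\n"
    "Reply-To: ap-desk@mailbox.example\r\nSubject: Invoice 48213\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease find the attached invoice.\r\n"
    '--b1\r\nContent-Type: application/msword; name="Invoice_48213.doc"\r\n'
    'Content-Disposition: attachment; filename="Invoice_48213.doc"\r\n\r\nAAAA\r\n--b1--\r\n'
)
```

Calling `screen_invoice_email(SAMPLE)` returns four findings: an unregistered sender domain that resembles the registered vendor, a mismatched Reply-To, and a macro-capable attachment.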
For a closer examination of the process of email phishing, and common occurrences of it, check out this guest blog post about the current state of encrypting ransomware, written by our friends over at Webroot. What other best practices and tips can you share with your employees and clients to avoid additional malware cases? Check out our related material:
And don't forget to stay up-to-date with the latest threats and patches! We compiled key updates from last month to give you an idea of what to look out for and help you stay ahead of the malware curve:
This is just one more reason email needs to die!
I know we need anonymous ways to communicate over the internet, but we also need ways to protect ourselves better.