Published on: August 31, 2019
BY STEWART CONTENT TEAM
Today I want to talk about a “gift” that keeps on giving. Your favorite Security team discovered a new attack vector that we haven't seen before. Let's call it "a blast from the past." In this particular example, the story begins in our Hempstead, TX office at the end of December 2018. Nothing out of the ordinary, just regular communications between escrow, buyer, and the bank. The thread ends on December 27, 2018, with the last words from our escrow officer stating that she hasn't received a final payoff statement. She gets a response on July 18, 2019.
I am sure this deal was closed back in 2018, yet the hacker still lives in the buyer's email and decides to take another shot. I did share with you before a technique where the attacker simulates the phishing email as a reply or forward of another message you never received. The intent is to create a sense of urgency for a potential missed request. This one is different.
The email from the buyer contained an attached Captain_Motorcars.zip file with the password inside the email (red flag No. 1). Inside the zip file, there was an info_07_18.doc file containing macros that launch a Windows internal command-line utility and download malware from a server located in Russia. This was a 100% malicious attempt. Fortunately, our escrow officer was vigilant and forwarded the email to the Security team. She saved the day. Good job.
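A mail-filter style check for the red flags in this story (a reply that revives a thread dormant for months, an encrypted zip whose password sits in the body, and an Office document inside the zip), added here as an example and not code from the Security team described in the post. The 90-day threshold, the function names and the sample message are assumptions; the sample is constructed and carries only a placeholder attachment.

```python
import io, re, zipfile
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

STALE_AFTER = timedelta(days=90)  # assumed threshold, tune to your own mail flow
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b", re.I)

def red_flags(msg, last_thread_activity):
    """Return the red flags from the post that apply to this message."""
    flags = []
    sent = parsedate_to_datetime(msg["Date"])
    if msg["In-Reply-To"] and sent - last_thread_activity > STALE_AFTER:
        flags.append("reply revives a long-dormant thread")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                encrypted = any(i.flag_bits & 0x1 for i in zf.infolist())
                members = zf.namelist()  # classic zip encryption leaves names readable
        except zipfile.BadZipFile:
            continue
        if encrypted and PASSWORD_HINT.search(text):
            flags.append("encrypted zip with its password in the body")
        if any(m.lower().endswith((".doc", ".docm", ".xls", ".xlsm")) for m in members):
            flags.append("zip contains a macro-capable Office file")
    return flags

def constructed_sample():
    """Build a harmless message shaped like the one in the post (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("info_07_18.doc", b"placeholder, not a real document")
    raw = bytearray(buf.getvalue())
    raw[raw.index(b"PK\x01\x02") + 8] |= 0x1  # set the "encrypted" bit in the central directory
    msg = EmailMessage()
    msg["Date"] = "Thu, 18 Jul 2019 09:00:00 +0000"
    msg["In-Reply-To"] = "<placeholder@example.invalid>"
    msg.set_content("Please see attached. Password: 0000")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="Captain_Motorcars.zip")
    return msg

if __name__ == "__main__":
    print(red_flags(constructed_sample(), datetime(2018, 12, 27, tzinfo=timezone.utc)))
```

In a real deployment `last_thread_activity` would come from the mailbox, looked up by the message's `In-Reply-To` or `References` header.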
Think before you click.