{"id":1007,"date":"2019-04-06T19:33:30","date_gmt":"2019-04-06T19:33:30","guid":{"rendered":"http:\/\/www.syyhoaxanalyzer.com\/?p=1007"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T17:00:00","slug":"Beware-Emails-With-Subject-Lines-Containing-Numbers,-Letters-and-Image-File-Extensions","status":"publish","type":"post","link":"https:\/\/www.syyhoaxanalyzer.com\/?p=1007","title":{"rendered":"Beware Emails With Subject Lines Containing Numbers, Letters and Image File Extensions"},"content":{"rendered":"<div>\n<p><span style=\"color: #ff0000;\"><strong>Outline:<\/strong><\/span><br \/>\nEmails with no body text and subject lines containing a string of letters and numbers and image file extensions such as .jpg or .tiff are currently hitting inboxes. The emails contain attachments with the same names and image file extensions that are featured in the subject lines.<\/p>\n<p><span style=\"color: #ff0000;\"><strong>Brief Analysis:<\/strong><\/span><br \/>\nThe attachments contain malicious JavaScript files that, if opened, can download and install Locky ransomware. 
Once installed, Locky encrypts the files on your computer and then demands that you pay a fee to receive a decryption key.<\/p>\n<div class=\"example\">\n<p><span style=\"color: #ff0000;\"><b>Example:<\/b><\/span><\/p>\n<p><a href=\"http:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1.jpg\" data-rel=\"penci-gallery-image-content\"  rel=\"attachment wp-att-1447\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1447\" data-permalink=\"https:\/\/www.hoax-slayer.net\/beware-emails-with-subject-lines-containing-numbers-letters-and-image-file-extensions\/locky-image-malware-1\/\" data-orig-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1.jpg\" data-orig-size=\"800,470\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"locky-image-malware-1\" data-image-description=\"\" data-medium-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1-300x176.jpg\" data-large-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1.jpg\" class=\"aligncenter size-full wp-image-1447\" src=\"https:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1.jpg\" alt=\"Locky Image Malware Emails\" width=\"800\" height=\"470\" srcset=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1.jpg 800w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1-300x176.jpg 300w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-image-malware-1-768x451.jpg 768w\" 
sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<\/div>\n<p>\n<span style=\"color: #ff0000;\"><strong>Detailed Analysis:<\/strong><\/span><br \/>\nSometimes, very simple social engineering tricks can be quite effective. In this malware campaign, the malicious emails have no content in the body, but are designed to give the impression that the attachment that comes with the emails contains a harmless image file.<\/p>\n<p>The subject lines of the emails often feature the letters CCE along with a string of numbers followed by an image file extension such as .jpg, .gif, or .tiff. Over the last few days, we&#8217;ve received emails with the subject lines &#8216;CCE29032016_00084.tiff&#8217;, &#8216;CCE29032016_00021.gif&#8217;, &#8216;CCE29032016_00026.jpg&#8217;, and dozens of others. The emails usually include the notice &#8216;Sent from my iPhone&#8217; in the footer.<\/p>\n<p>The emails have attachments with the same names and image file extensions as shown in the subject lines. However, the attachments actually have double extensions such as .jpg.zip or .tiff.rar. 
Windows users who have <a title=\"How to show or hide file extensions in Windows\" href=\"http:\/\/www.pcadvisor.co.uk\/how-to\/software\/how-show-or-hide-file-extensions-3341794\/\">file extensions hidden<\/a> will only see &#8216;.jpg&#8217; or &#8216;.tiff&#8217; and may therefore assume that the attachments just contain images.<\/p>\n<p>If you do get tricked by this simple ruse and open the attachment, you will find that it is a compressed file that harbours a malicious JavaScript (.js) file. If you then proceed to click this .js file, the JavaScript will connect to a remote server and download and install <a title=\"&#8220;Locky&#8221; ransomware &#8211; what you need to know\" href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\">Locky ransomware<\/a>. Once installed, this malware will encrypt the files on your computer and rename them with the file extension &#8216;.locky&#8217;. A popup window will then inform you that you must pay a ransom to get the decryption key to unlock your files.<\/p>\n<p>Unfortunately, there is no easy way to get rid of this malware and recover your files. If you have recent, off-computer backups, you should be able to recover your files from the backups. Without backups, however, it may be impossible to unlock your files unless you pay the ransom demanded by the criminals. If you do pay, you MAY receive the promised decryption key. However, given that you will be dealing with anonymous criminals, there is certainly no guarantee that you will ever receive the key.<\/p>\n<p>Note that some versions of these emails may omit the file extension from the subject line and just have the letters and numbers. The letters, numbers, and file extensions may also vary considerably in different versions. There are also many other Locky ransomware emails currently being distributed. 
Check the reference list below for reports on other Locky campaigns.<\/p>\n<p>\n<a href=\"http:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6.jpg\" data-rel=\"penci-gallery-image-content\"  rel=\"attachment wp-att-1435\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1435\" data-permalink=\"https:\/\/www.hoax-slayer.net\/beware-emails-with-subject-lines-containing-numbers-letters-and-image-file-extensions\/locky-ransomware-6\/\" data-orig-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6.jpg\" data-orig-size=\"800,565\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"locky-ransomware-6\" data-image-description=\"\" 
data-medium-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6-300x212.jpg\" data-large-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6.jpg\" class=\"aligncenter size-full wp-image-1435\" src=\"https:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6.jpg\" alt=\"Locky Ransomware\" width=\"800\" height=\"565\" srcset=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6.jpg 800w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6-300x212.jpg 300w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6-768x542.jpg 768w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/03\/locky-ransomware-6-283x200.jpg 283w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p class=\"date\">Last updated: March 31, 2016<br \/>\nFirst published: March 31, 2016<br \/>\nBy Brett M. Christensen<br \/>\n<a class=\"foot\" href=\"http:\/\/www.hoax-slayer.com\/about.shtml\">About Hoax-Slayer<\/a><\/p>\n<p class=\"ref\">References<br \/>\n<a title=\"'Payment Declined' Emails Contain Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/payment-declined-emails-contain-locky-ransomware\/\">&#8216;Payment Declined&#8217; Emails Contain Locky Ransomware<\/a><br \/>\n<a title=\"Bogus 'Payment Accepted' Email Carries Locky Ransomware\" href=\"http:\/\/hoax-slayer.net\/bogus-payment-accepted-email-carries-locky-ransomware\/\">Bogus &#8216;Payment Accepted&#8217; Email Carries Locky Ransomware<\/a><br \/>\n<a title=\"Fake 'Order Status' Emails Contain Locky Malware\" href=\"http:\/\/hoax-slayer.net\/fake-order-status-emails-contain-locky-malware\/\">Fake &#8216;Order Status&#8217; Emails Contain Locky Malware<\/a><br \/>\n<a title=\"'Received Documents From Your Bank' Emails Contain Locky Ransomware\" 
href=\"http:\/\/hoax-slayer.net\/received-documents-from-your-bank-emails-contain-locky-ransomware\/\">&#8216;Received Documents From Your Bank&#8217; Emails Contain Locky Ransomware<\/a><br \/>\n<a title=\"&#8220;Locky&#8221; ransomware &#8211; what you need to know\" href=\"https:\/\/nakedsecurity.sophos.com\/2016\/02\/17\/locky-ransomware-what-you-need-to-know\/\">&#8220;Locky&#8221; ransomware &#8211; what you need to know<\/a><br \/>\n<a title=\"How to show or hide file extensions in Windows\" href=\"http:\/\/www.pcadvisor.co.uk\/how-to\/software\/how-show-or-hide-file-extensions-3341794\/\">How to show or hide file extensions in Windows<\/a><\/p>\n<p>Original Source: <a href=\"https:\/\/www.hoax-slayer.net\/beware-emails-with-subject-lines-containing-numbers-letters-and-image-file-extensions\/\" target=\"_blank\">https:\/\/www.hoax-slayer.net\/beware-emails-with-subject-lines-containing-numbers-letters-and-image-file-extensions\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Outline: Emails with no body text and subject lines containing a string of letters and numbers and image file extensions such as .jpg or .tiff are currently hitting inboxes. The emails contain attachments with the same names and image file extensions that are featured in the subject lines. 
Brief Analysis: The attachments contain malicious JavaScript [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6890,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1007","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hoax-inggris"],"_links":{"self":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts\/1007"}],"collection":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1007"}],"version-history":[{"count":0,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts\/1007\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/media\/6890"}],"wp:attachment":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}