{"id":1048,"date":"2019-04-06T19:33:30","date_gmt":"2019-04-06T19:33:30","guid":{"rendered":"http:\/\/www.syyhoaxanalyzer.com\/?p=1048"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T17:00:00","slug":"Bogus-'Account-Compromised'-Email-Contains-Macro-Malware","status":"publish","type":"post","link":"https:\/\/www.syyhoaxanalyzer.com\/?p=1048","title":{"rendered":"Bogus &#8216;Account Compromised&#8217; Email Contains Macro Malware"},"content":{"rendered":"<div>\n<p><span style=\"color: #ff0000;\"><strong>Outline:<\/strong><\/span><br \/>\nEmail claims that a suspicious logon attempt to your account was detected and you should therefore open an attached report to view further details.<\/p>\n<p><span style=\"color: #ff0000;\"><strong>Brief Analysis:<\/strong><\/span><br \/>\nThe email is bogus. It is not from the company named as the sender and the &#8216;suspicious logon attempt&#8217; claim is just a trick designed to get you to open the attached file. The attached .zip file harbours a Microsoft Word document that contains a malicious macro. 
If allowed to run, the macro can download and install malware.<\/p>\n<div class=\"example\"><span style=\"color: #ff0000;\"><b>Example:<\/b><\/span><br \/>\n<strong>Subject: Account Compromised<\/strong><\/p>\n<p>Attention!<br \/>\nSuspicious logon attempt to your account was detected (Chrome browser, IP-address: [removed])<br \/>\nReason: unusual IP<br \/>\nPlease refer to the attached report to view further detailed information.<br \/>\n[Name of company removed]<br \/>\ntel. [removed]<br \/>\n<em>Email has an attached file called &#8216;Security Notification.zip&#8217;. The .zip file contains a Microsoft Word file called &#8216;security_report[random numbers].doc&#8217;.<\/em><\/p>\n<\/div>\n<p><span style=\"color: #ff0000;\"><strong>Detailed Analysis:<\/strong><\/span><br \/>\nAccording to this email, which has the subject line &#8216;Account Compromised&#8217;, a &#8216;suspicious logon attempt&#8217; to your account has been detected. The message lists the type of browser used in the login attempt as well as the supposed attacker&#8217;s IP address. It suggests that you refer to an attached report to access further information. 
The email also includes the name and phone number of the company that supposedly detected the compromise and sent the warning.<\/p>\n<p>However, the email is not a valid security warning and it was not sent by the company it mentions. Instead, the email is an attempt by criminals to trick you into allowing malware to be installed on your computer.<\/p>\n<p>If you open the attached .zip file in the hope of reading more information about the supposed compromise, you will find that it contains a seemingly innocuous Microsoft Word document. However, if you then attempt to open the Word document, you will receive a message stating that you need to enable macros to view the contents. Alas, the macro is malicious and, if you enable macros as requested, it will download and install malware on your computer.<\/p>\n<p>The exact type of malware that is downloaded by the macro may vary. In some cases it may install malware that can steal sensitive information such as banking passwords from your computer. In other cases it may install ransomware that can lock your computer&#8217;s files and then demand that you pay a ransom to online criminals to receive an unlock key.<\/p>\n<p>Details in these emails, including the name and number of the company that supposedly sent them and the listed browser and IP address, may vary. Keep in mind that the companies listed as the senders in these emails are in no way responsible for the malware attacks. The criminals have simply used these company names to make their messages appear legitimate.<\/p>\n<p>Macro malware attacks are increasingly common. Be wary of any email with an attachment that claims that you must enable macros to view the content. There is no reason why you should need to enable macros just to view an ordinary document such as an invoice or security report. 
Unless you have a specific need to use macros and understand their potential risks, you are best to leave macros disabled.<\/p>\n<p>If you&#8217;re unfamiliar with macros, you can <a title=\"Macro Virus Threat Returns - Beware Emails With Malicious Word Attachments\" href=\"http:\/\/www.hoax-slayer.com\/word-macro-malware-emails.shtml\">read more about them here<\/a>.<\/p>\n<p>\n<a href=\"http:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6.jpg\" data-rel=\"penci-gallery-image-content\" ><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"1884\" data-permalink=\"https:\/\/www.hoax-slayer.net\/bogus-account-compromised-email-contains-macro-malware\/malware-bomb-screen-6\/\" data-orig-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6.jpg\" data-orig-size=\"800,713\" data-comments-opened=\"0\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"malware-bomb-screen-6\" data-image-description=\"\" data-medium-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6-300x267.jpg\" data-large-file=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6.jpg\" class=\"aligncenter size-full wp-image-1884\" src=\"https:\/\/hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6.jpg\" alt=\"Malware\" width=\"800\" height=\"713\" srcset=\"https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6.jpg 800w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6-300x267.jpg 300w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6-768x684.jpg 768w, https:\/\/www.hoax-slayer.net\/wp-content\/uploads\/2016\/05\/malware-bomb-screen-6-224x200.jpg 224w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/a><\/p>\n<p class=\"date\">Last updated: May 25, 2016<br \/>\nFirst published: May 25, 2016<br \/>\nBy Brett M. 
Christensen<br \/>\n<a class=\"foot\" href=\"http:\/\/www.hoax-slayer.com\/about.shtml\">About Hoax-Slayer<\/a><\/p>\n<p class=\"ref\">References<br \/>\n<a title=\"Macro Virus Threat Returns - Beware Emails With Malicious Word Attachments\" href=\"http:\/\/www.hoax-slayer.com\/word-macro-malware-emails.shtml\">Macro Virus Threat Returns &#8211; Beware Emails With Malicious Word Attachments<\/a><br \/>\n<a title=\"Suspicious logon attempt or Account Compromised leads to Dridex\" href=\"https:\/\/myonlinesecurity.co.uk\/suspicious-logon-attempt-or-account-compromised-leads-to-dridex\/\">Suspicious logon attempt or Account Compromised leads to Dridex<\/a><br \/>\n<a title=\"Malware Threat Articles\" href=\"http:\/\/www.hoax-slayer.com\/malware-threat-articles.shtml\">Malware Threat Articles<\/a><\/p>\n<p>Original Source: <a href=\"https:\/\/www.hoax-slayer.net\/bogus-account-compromised-email-contains-macro-malware\/\" target=\"_blank\">https:\/\/www.hoax-slayer.net\/bogus-account-compromised-email-contains-macro-malware\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Outline: Email claims that a suspicious logon attempt to your account was detected and you should therefore open an attached report to view further details. Brief Analysis: The email is bogus. 
It is not from the company named as the sender and the &#8216;suspicious logon attempt&#8217; claim is just a trick designed to get you [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6890,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1048","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hoax-inggris"],"_links":{"self":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts\/1048"}],"collection":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1048"}],"version-history":[{"count":0,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/posts\/1048\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=\/wp\/v2\/media\/6890"}],"wp:attachment":[{"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1048"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1048"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.syyhoaxanalyzer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1048"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}