Don't play voicemail messages from suspicious sources.Image credit: SANS ISC.
The search for new methods to trick victims into running a ransomware program has turned to recorded voicemail notifications in email.
Ransomware spruikers commonly use bogus invoice attachments and fake messages from the accounts department to hold victims’ data hostage until they pay a ransom in Bitcoin. Some ransomware variants, such as the lucrative Cerber operation, have even experimented with text-to-speech synthesisers to encourage victims to pay up.
But a new ruse by criminals is ransomware-rigged voicemail notifications, which appear to target Microsoft Outlook users, according to the SANS Internet Storm Center.
The attack email arrives with an attachment, which supposedly contains a voice message, in a .wav file compressed in .zip folder. The folder actually contains hidden malicious code that will install ransomware labeled by some antivirus vendors as Nemucod, which renames files to (original file name).crypted.
The delivery mechanism may be exploiting the fact that missed call notification emails are enabled by default in Microsoft Outlook.
So why use bogus voicemail notifications? SANS ISC handler and independent security consultant Xavier Mertens speculates that attackers are catering to consumers and employees who don’t commonly interact with the usual bait, such as bogus billing reminders.
“Which types of notification do they have in common? All of them have a phone number and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a voice mail notification. Even residential systems can deliver voice message notifications,” wrote Mertens.
Indeed, consumers appear to be the first target of this email spam campaign According to Mertens, a “wave” of attack email he discovered purported to contain a voice message regarding a modem from Vigor, a UK distributor of ADSL modems for the residential market.
One person who reported receiving the same email on Tuesday attempted to open the email in Mozilla’s Thunderbird client on a Linux machine, which he believes saved him from being infected.