Thought leadership. threat analysis, news and alerts.
Malicious Email Campaigns Geo-Targets Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically" researchers at Proofpoint reported that between the period of January 1, 2019 to May 1, 2019, threat actors conducted nearly 100 malicious email campaigns specifically targeting Canadian organizations or were customized for Canadian audiences.
Malicious Email Campaigns
Malicious email campaign, also known as phishing scam, is a type of cyber-attack that uses emails as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading this malicious attachment or clicking this malicious link could lead to compromise. Victims are tricked into opening the malicious email and downloading this malicious attachment or clicking this malicious link as threat actors use branding familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the top affected organizations in Canada include financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails sent were customized for the French-speaking recipients in Canada.
In the nearly 100 malicious email campaigns specifically targeting Canadian organizations, Proofpoint researchers also observed that the threat actors tricked the victims into opening the malicious email or downloading the malicious attachment or clicking the malicious link by stealing the branding of several notable Canadian companies and agencies including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT)issued an alert, warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing email without human interaction through the use of Outlook scraper, a tool that’s used to scrape names and email addresses from the victim’s Outlook accounts and uses this names and email addresses to send out additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
Timely identification and mitigation of IT risks can save your business from suffering costly consequences. Call us todayand we will show you how to better protectyour staff and your sensitive information against targeted attacks.
Steve E. Driz, I.S.P., ITCP