Beware of unexpected invoices in a business context
Since October 2024, phishing emails with legitimate sender addresses have been circulating in large volumes. The attachment is very often an "invoice", delivered as a .zip archive that carries the same name as the supposed invoice. In other circumstances this would be noticed quickly; in the flood of working-day mail it is not.
The combination of the word "invoice" and an unknown sender is particularly risky in a business environment: many employees regularly receive invoices from senders they do not know, so such attachments are easily opened without a second thought.
Invoices are a reliable lure because they carry urgency and a familiar structure. In the emails we observed, around 43% of the attachment file names contain the word "invoice", and in 95% of cases the name also contains an "R" followed by a number, mimicking an invoice number. That pattern is deliberate: it makes the email look like a routine billing document. Unexpected attachments therefore deserve particular caution and should be checked thoroughly before they are opened.
Attackers use automation to send large volumes of email efficiently. Since mid-October we have tracked a significant number of emails with suspicious attachments, and their sending times are concentrated in normal weekday working hours; at weekends and at night the volume drops sharply. This is the pattern of the so-called "working day spammers": the time of dispatch is built into the automated sending process so that the mail arrives when an invoice would plausibly be expected, which makes it harder for even attentive recipients to spot.
The heatmap above shows the number of phishing emails observed across our 32Guards customer base. The darker the colour, the more emails were sent in that time slot. The x-axis shows the hour of the day and the y-axis the day of the week. Most phishing emails were sent on Thursdays at 2 pm; the fewest at the weekend, and especially at night.
The (corrected) anomalies of the attachments
During spam detection by NoSpamProxy, 32Guards analyses the metadata of attached archives such as .zip files for conspicuous patterns. In the first analysis phase it primarily categorises suspicious file types. In the current campaign the .zip archives contained JavaScript files (.js) in which the malware was hidden. Because JavaScript files are on Outlook's list of blocked file types, for example, they can be treated as particularly suspicious. A conspicuous file type alone, however, is not proof of malicious intent: it is one signal that has to be combined with others.
Another conspicuous feature was the unusual size of the packaged "invoices", i.e. the JavaScript files, which reached up to 5 MB. These conspicuously large files have not been observed since the beginning of December; the attackers have switched to much smaller, more common file sizes, which makes size-based detection harder.
The figure shows time from October to January on the x-axis and the size of the malicious attachments on the y-axis; the colour marks the size category of the attached JavaScript file. Malware that was initially packaged in very large JavaScript files now arrives in much smaller ones.
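The metadata triage described above (file type, lure name, size and compression ratio of archive members, without extracting anything) can be illustrated with a small Python function. This is an added example, not 32Guards' or NoSpamProxy's code: the thresholds (1 MiB for an "oversized" script, a 50:1 compression ratio) and the sample archives are constructed for the demonstration, and the blocked-extension list is a subset of Outlook's.

```python
from __future__ import annotations

import io
import random
import re
import zipfile
from dataclasses import dataclass, field

# Extensions that Outlook blocks as attachments by default (a subset of its list).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                      ".exe", ".scr", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Hypothetical thresholds chosen for this example, not 32Guards' values.
OVERSIZED_SCRIPT_BYTES = 1024 * 1024  # scripts above 1 MiB match the early campaign phase
PADDING_RATIO = 50                     # uncompressed/compressed ratio hinting at filler bytes
# Invoice lure names: "invoice"/"Rechnung", or an "R" followed by digits (R12345).
INVOICE_NAME = re.compile(r"invoice|rechnung|\bR\d+", re.IGNORECASE)


@dataclass
class Finding:
    member: str
    reasons: list[str] = field(default_factory=list)


@dataclass
class ArchiveReport:
    attachment_name: str
    members: int
    findings: list[Finding]

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def triage_archive(attachment_name: str, data: bytes) -> ArchiveReport:
    """Inspect only the zip's central directory (member names and sizes).

    Nothing is extracted or executed; this is the metadata view a gateway
    filter can take before any content scan."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        for info in infos:
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            reasons: list[str] = []
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked file type {ext}")
                if name.count(".") >= 2:
                    reasons.append("double extension hides the real type")
                if INVOICE_NAME.search(name):
                    reasons.append("invoice lure name on executable content")
            if ext in SCRIPT_EXTENSIONS and info.file_size > OVERSIZED_SCRIPT_BYTES:
                reasons.append(f"oversized script ({info.file_size} bytes)")
            if info.compress_size and info.file_size / info.compress_size > PADDING_RATIO:
                reasons.append("extreme compression ratio, likely padded with filler")
            if reasons:
                findings.append(Finding(name, reasons))
    return ArchiveReport(attachment_name, len(infos), findings)


def build_sample_zip(member: str, payload: bytes) -> bytes:
    """Build a constructed sample attachment in memory (placeholder content, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed samples mirroring the two campaign phases plus a benign control.
BIG_LURE = build_sample_zip("Invoice R48213.js",
                            b"// placeholder\n/*" + b"A" * 2_000_000 + b"*/")
SMALL_LURE = build_sample_zip("Rechnung R91077.js",
                              b"// placeholder\n" + random.Random(1).randbytes(4_000))
BENIGN = build_sample_zip("Invoice R55610.pdf", b"%PDF-1.4\n% placeholder document\n")

if __name__ == "__main__":
    for label, blob in [("big", BIG_LURE), ("small", SMALL_LURE), ("benign", BENIGN)]:
        report = triage_archive(f"Invoice {label}.zip", blob)
        print(label, "suspicious" if report.suspicious else "clean",
              [(f.member, f.reasons) for f in report.findings])
```

The big sample trips every check; the small one, like the December-phase attachments, is caught only by the blocked file type and the lure name, which is why the type signal has to be kept even when the size anomaly disappears.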
New phishing emails are sent in waves
Because the spammers send masses of attachments with the same name, we can date individual spam waves by the first appearance of a given file name. Within the NoSpamProxy customer base, the stolen emails are sent in waves of varying duration and with varying numbers of recipients per email.
The graph shows the time at which a file name was first seen on the x-axis and the number of phishing recipients per unique attachment name (dots) on the y-axis. The colour indicates for how long the attachment name was observed. Clusters of newly observed file names, here at the end of October, the beginning of November and the beginning of December, mark the points at which the spammers prepared a new wave of stolen emails. The drop in the number of recipients per new email from October to November may be an adjustment intended to evade spam detection that relies on frequency analysis.
The analysis of the packed JavaScript file sizes, together with the adjustments to sending time and volume in the newer waves, points to an increasingly sophisticated tactic and a high degree of professionalism. This is further supported by the IP addresses from which the emails are sent: visualised, they show the typical characteristics of an internationally operating botnet, which other technical analyses of the malware also confirm.
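Both the working-day heatmap earlier in the post and the wave dating described here come from the same kind of aggregation over gateway observations: bucket send times by weekday and hour, and per attachment name take the first and last sighting and the distinct recipients. The following Python is an added example, not 32Guards code; the observation log is constructed for the demonstration, and the three-day gap used to separate waves is an assumption.

```python
from __future__ import annotations

import calendar
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed observations for this example (not 32Guards telemetry):
# "<timestamp> <attachment name> <recipient>"
OBSERVATIONS = """\
2024-10-29T09:12:00 Invoice R48213.zip alice@example.com
2024-10-29T09:13:00 Invoice R48213.zip bob@example.com
2024-10-31T14:02:00 Invoice R48213.zip carol@example.com
2024-10-31T14:05:00 Rechnung R91077.zip dave@example.com
2024-10-31T14:07:00 Rechnung R91077.zip erin@example.com
2024-11-01T10:30:00 Rechnung R91077.zip frank@example.com
2024-11-06T11:00:00 Invoice R55610.zip alice@example.com
2024-11-07T14:20:00 Invoice R55610.zip grace@example.com
2024-11-07T14:22:00 Invoice R77340.zip heidi@example.com
2024-12-04T15:00:00 Rechnung R10291.zip ivan@example.com
2024-12-05T14:10:00 Rechnung R10291.zip judy@example.com
2024-12-05T14:11:00 Invoice R33802.zip ken@example.com
"""


def parse_observations(text: str) -> list[tuple[datetime, str, str]]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        name, recipient = rest.rsplit(" ", 1)  # attachment names may contain spaces
        rows.append((datetime.fromisoformat(ts), name, recipient))
    return rows


def weekday_hour_counts(rows) -> Counter:
    """Bucket sends by (weekday, hour): the data behind a working-day heatmap."""
    return Counter((ts.weekday(), ts.hour) for ts, _, _ in rows)


def busiest_slot(counts: Counter) -> tuple[str, int, int]:
    (weekday, hour), n = counts.most_common(1)[0]
    return calendar.day_name[weekday], hour, n


@dataclass
class AttachmentStats:
    name: str
    first_seen: datetime
    last_seen: datetime
    recipients: int

    @property
    def duration(self) -> timedelta:
        return self.last_seen - self.first_seen


def attachment_stats(rows) -> list[AttachmentStats]:
    """Per unique attachment name: first/last sighting and distinct recipients."""
    seen: dict[str, list[datetime]] = defaultdict(list)
    rcpts: dict[str, set[str]] = defaultdict(set)
    for ts, name, recipient in rows:
        seen[name].append(ts)
        rcpts[name].add(recipient)
    stats = [AttachmentStats(n, min(t), max(t), len(rcpts[n])) for n, t in seen.items()]
    return sorted(stats, key=lambda s: s.first_seen)


@dataclass
class Wave:
    start: datetime
    end: datetime
    new_names: int
    mean_recipients: float


def detect_waves(stats: list[AttachmentStats],
                 max_gap: timedelta = timedelta(days=3)) -> list[Wave]:
    """Cluster first-seen times: a gap longer than max_gap starts a new wave."""
    groups: list[list[AttachmentStats]] = []
    for s in stats:  # stats is sorted by first_seen
        if groups and s.first_seen - groups[-1][-1].first_seen <= max_gap:
            groups[-1].append(s)
        else:
            groups.append([s])
    return [Wave(g[0].first_seen, g[-1].first_seen, len(g),
                 sum(x.recipients for x in g) / len(g)) for g in groups]


if __name__ == "__main__":
    rows = parse_observations(OBSERVATIONS)
    print("busiest slot:", busiest_slot(weekday_hour_counts(rows)))
    for w in detect_waves(attachment_stats(rows)):
        print(f"wave {w.start:%Y-%m-%d}..{w.end:%Y-%m-%d}: "
              f"{w.new_names} new names, {w.mean_recipients:.1f} recipients each")
```

On the constructed data the busiest slot is Thursday 14:00 and the October wave averages more recipients per attachment name than the later ones, which is the shape of the two graphs described above; on real telemetry the gap parameter has to be tuned to the observed cadence.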
A correctly set SPF record can protect your domain from misuse
The large number of "incorrectly" set SPF records stood out during spam detection. An SPF record is a DNS TXT record that lists the servers authorised to send email on behalf of a domain. When an email arrives, the receiving server can check the sender's domain against that record to confirm the message comes from an authorised host; if it does not, the message can be treated as suspicious or rejected. In around 96% of the phishing attempts we saw, the sender's domain had an SPF record ending in "+all". That mechanism matches every IP address, so any host on the internet passes SPF for that domain and the record protects nothing. If you want to prevent your own domain from being misused for phishing, make sure your SPF record ends in "-all" (fail) or, while you are still taking inventory of your legitimate senders, "~all" (softfail), and that it lists only the hosts that really send for you. Note that SPF is evaluated against the envelope sender (MAIL FROM), not the From: header the recipient sees; combine it with DMARC to cover the visible address as well.
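To make the effect of the terminal mechanism concrete, here is an added Python example (not NoSpamProxy code and not a full SPF implementation) that evaluates a record against a connecting IP and audits the terminal "all". It supports only ip4, ip6, include, redirect and all, and resolves TXT records from a constructed table of hypothetical domains instead of live DNS; a real check needs a complete library and the a/mx/exists mechanisms as well.

```python
from __future__ import annotations

import ipaddress

# Constructed DNS TXT answers for hypothetical domains (not real records).
DNS_TXT = {
    "weak.example": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example +all",
    "fixed.example": "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:100::/48 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, depth: int = 0) -> str:
    """Evaluate `domain`'s SPF record for a connecting IP.

    Mechanisms are tried left to right; the first match wins, and the
    qualifier in front of it decides the verdict."""
    if depth > 10:            # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in terms[1:]:
        qualifier = "+"       # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_spf(arg, ip, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        elif mech.startswith("redirect="):
            redirect = mech.split("=", 1)[1]
        else:
            raise NotImplementedError(f"mechanism {mech!r} needs DNS, not modelled here")
    if redirect:
        return check_spf(redirect, ip, depth + 1)
    return "neutral"          # nothing matched and no terminal 'all'


def audit_record(domain: str) -> list[str]:
    """Flag the terminal-mechanism mistakes that make a record useless."""
    problems = []
    terms = DNS_TXT[domain].split()
    last = terms[-1].lower()
    if last in ("+all", "all"):
        problems.append("'+all' lets any host pass for this domain")
    elif last == "?all":
        problems.append("'?all' gives no verdict; use -all or ~all")
    elif not last.endswith("all") and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no terminal 'all'; unlisted senders are merely neutral")
    return problems


if __name__ == "__main__":
    botnet_ip = "192.0.2.77"  # a host that appears in neither record
    for domain in ("weak.example", "fixed.example"):
        print(domain, "->", check_spf(domain, botnet_ip), audit_record(domain))
```

With the "+all" record the unlisted address passes; the same record ending in "-all" makes it fail while the legitimate relay in the include still passes. The audit function is the check to run over your own domains: anything ending in "+all" or "?all" should be fixed before it is used in a campaign like this one.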
Summary and protective measures
The recurring waves of spam show how important it is to watch out for suspicious emails and attachments. Organisations and individuals should regularly review their email security policies and ensure that the right filters are in place to block malicious files, including script file types such as .js inside archives.
Training employees to handle email carefully, and in particular to recognise phishing attempts and suspicious attachments, is another important protection mechanism. However, the example above shows that detection by eye is becoming harder as the attackers adapt file sizes and sending patterns.
We therefore recommend the following additional measures:
Recommended protective measures
In addition, we recommend further protective measures that you can implement with Microsoft solutions.