Phishing Attack Uses Legal Threats - May 2019

On or around May 12 this year, at least two antivirus firms began detecting booby-trapped Microsoft Word files that were sent along with some variation of the following message:

{Pullman & Assoc. | Wiseman & Assoc.| Steinburg & Assoc. | Swartz & Assoc. | Quartermain & Assoc.} <>


The following {e-mail | mail} is to advise you that you are being charged by the city.
Our {legal team | legal council | legal departement} has prepared a document explaining the {litigation | legal dispute | legal contset}.
Please download and read the attached encrypted document carefully.
You have 7 days to reply to this e-mail or we will be forced to step forward with this action.
Note: The password for the document is 123456

The template was part of a phishing kit being traded on the underground; the user of this kit decides which of the options in brackets actually get used in the phishing message.
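Because the kit's operator picks one option per bracket, every message the kit sends is a variant of the same template, and a defender can match all of them at once by compiling the template itself into a rule. The following is an added example, not code from the original post or from the kit: it turns each bracketed template line into a whitespace-tolerant regular expression and scores a message body by how many template lines it contains. The template lines are copied from the message shown above; the two sample messages are constructed.

```python
import re

# Body lines of the kit's template, copied from the phishing message above.
TEMPLATE_LINES = [
    "The following {e-mail | mail} is to advise you that you are being charged by the city.",
    "Our {legal team | legal council | legal departement} has prepared a document "
    "explaining the {litigation | legal dispute | legal contset}.",
    "Please download and read the attached encrypted document carefully.",
    "You have 7 days to reply to this e-mail or we will be forced to step forward with this action.",
    "Note: The password for the document is 123456",
]

# One {option | option | ...} group; the kit's spintax does not nest braces.
SPIN = re.compile(r"\{([^{}]*)\}")


def _lit(text: str) -> str:
    """Escape literal template text and collapse runs of whitespace to \\s+,
    so that a re-wrapped or HTML-flattened mail body still matches."""
    if not text:
        return ""
    tokens = [re.escape(t) for t in text.split()]
    body = r"\s+".join(tokens)
    if text[0].isspace():
        body = r"\s+" + body
    if text[-1].isspace() and tokens:
        body = body + r"\s+"
    return body


def spintax_to_regex(template: str) -> str:
    """Compile a {a | b | c} template line into a regex matching every variant."""
    parts = []
    pos = 0
    for m in SPIN.finditer(template):
        parts.append(_lit(template[pos:m.start()]))
        options = [o.strip() for o in m.group(1).split("|")]
        parts.append("(?:" + "|".join(_lit(o) for o in options) + ")")
        pos = m.end()
    parts.append(_lit(template[pos:]))
    return "".join(parts)


def variant_count(template: str) -> int:
    """How many distinct messages one template line can produce."""
    n = 1
    for m in SPIN.finditer(template):
        n *= len(m.group(1).split("|"))
    return n


# One compiled rule per template line; case-insensitive to survive casing tweaks.
RULES = [re.compile(spintax_to_regex(t), re.IGNORECASE) for t in TEMPLATE_LINES]


def score_message(body: str) -> int:
    """Return the number of template lines found in a message body.
    A score near len(RULES) means the message is a variant of this kit's lure."""
    return sum(1 for rule in RULES if rule.search(body))


# Constructed sample: one variant of the lure, re-wrapped as a mail client might.
LURE = """Pullman & Assoc.

The following mail is to advise you that you are being charged by the city.
Our legal council has prepared a document
explaining the legal dispute.
Please download and read the attached encrypted document carefully.
You have 7 days to reply to this e-mail or we will be forced to step
forward with this action.
Note: The password for the document is 123456
"""

# Constructed benign message that shares a few words with the lure.
BENIGN = "Hi team, the password for the shared folder has been rotated; see the wiki."

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("benign", BENIGN)):
        print(f"{name}: {score_message(msg)}/{len(RULES)} template lines matched")
```

The second template line alone yields nine variants, so a filter keyed on one exact phrase would miss most of the kit's output; the compiled rule matches all of them and tolerates the line wrapping that mail clients introduce. In practice the score would be one feature in a mail filter rather than a verdict on its own.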

Yes, the spelling/grammar is poor and awkward, but so is the overall antivirus detection rate of the attached malicious Word document. This phishing kit included five booby-trapped Microsoft Word documents to choose from, and none of those files are detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22 — 10 days after they were spammed out.

According to both Fortinet and Sophos, the attached Word documents include a Trojan that is typically used to drop additional malware on the victim’s computer. Previous detections of this Trojan have been associated with ransomware, but the attackers in this case can use the Trojan to install malware of their choice.

Also part of the phishing kit was a text document containing some 100,000 business email addresses — most of them ending in Canadian (.ca) domains — although there were also some targets at companies in the northeastern United States. If only a tiny fraction of the recipients of this scam were unwary enough to open the attachment, it would still be a nice payday for the phishers.

The law firm domain spoofed in this scam — — now redirects to the Web site for RWC LLC, a legitimate firm based in Connecticut. A woman who answered the phone at RWC said someone had recently called to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

As phishing kits go, this one is pretty basic and not terribly customised or convincing. 

Never open attachments in emails you were not expecting. When in doubt, toss it out. If you’re worried it may be legitimate, research the purported sender(s) and call them; resist the urge to respond to these spammers, as doing so may only serve to encourage further “malicious” correspondence.

Employees Don’t Take USB Security Seriously, Putting Businesses at Risk

USB devices continue to be a necessity for employees and an entry point for attackers, an insecure medium that connects the two and spells trouble for businesses.

Cyber criminals are looking for any way to access your business's endpoints that will allow them to infect a device with malware, Trojans, or ransomware. USB devices remain a viable target for cyber criminals:

    • Employees are driving USB adoption – according to the report, 87% of businesses use USB devices and 68% of those stated employee choice was the reason.
    • Employees are working around IT – while nearly two-thirds of businesses have acceptable use policies around USB devices, 64% say employees use USB devices without prior permission.
    • Employees are lax regarding data protection – almost half (48%) of employees have lost a USB device and not reported it to IT, and 58% use non-encrypted USB devices obtained from conferences and other sources.

With so much focus on cyber threats coming in via email and the web, businesses often overlook USB devices as a means for an attacker to inject malware into their business.

Users need to be educated on the dangers of USB device use and the impact an attack can have on the business. Security Awareness Training includes education on the need for a security-centric mindset at work, as well as on proper USB etiquette.

Many Small Businesses (SMBs) Will Pay the Ransom in a Ransomware Attack

Despite the ability to properly protect against ransomware attacks, the latest data from AppRiver shows SMBs simply are not prepared to respond, and will, instead, pay the ransom.

Ransomware attacks are increasing at an alarming rate, and SMBs simply are not prepared. According to AppRiver’s 2019 Cyberthreat Index for Business Survey Report, three-quarters of SMBs believe a successful attack would be harmful to their business, with only 36% believing they can actually survive a successful attack without sustaining short- or long-term business losses.

And rather than prepare with a strong defence and response plan, the data shows the cyber criminals have the upper hand:

  • 55% of all SMBs state they are willing to pay the ransom to recover encrypted data or to prevent it from being shared
  • Of larger SMBs with 150-250 employees, 74% are willing to pay ransom, with 39% of larger SMBs saying they “definitely would pay ransom at almost any price”

Of the 45% of SMBs stating they were unwilling to pay ransoms, legal, healthcare, and nonprofit industries topped the list.

The AppRiver data shows that, despite the availability of solutions to protect against, detect, and remediate ransomware attacks, SMBs simply are not ready. Instead, SMBs should arm themselves with a simple, yet effective, strategy:

  • Backup – having backed-up copies of any impacted data nullifies the need to pay the ransom.
  • Protect – put email and web scanning in place, along with endpoint protection, to keep malware from getting to the user.
  • Train – educate users with Security Awareness Training so that, when they encounter malicious content in email or on the web, they are more likely to spot it and not be the next victim of a ransomware attack.