German Job Center data-mined for targeted malware attacks

An Avira customer posted a job advertisement for her company on the German Job Center portal. A few days later she received the following application e-mail through the Job Center.

[Screenshot: the application e-mail]

“I was kind of unsure whether I could trust this sender,” she told us. That’s why she decided to report this issue to the Avira VirusLabs.

We believe that cybercriminals crawl this portal to harvest the e-mail addresses entered by employers and then use that data to craft personalized e-mails like the one above. Without a direct analysis of their infrastructure, we cannot be more specific.

“We have the means to check potential threats without any consequences,” says Avira expert Alexander Vukcevic.


The analysis confirmed that the customer’s doubts were well founded. Following the Dropbox URL at the end of the e-mail redirects you to the place where the malware is waiting for you.

[Screenshot: the Dropbox link]

The file, called “Bewerbung.PDF.exe” (Bewerbung is German for “application”), carries a fake archive icon. It is meant to make the victim believe that the file is a job application created as a PDF document and then packed into an archive. This is plausible, because many job applications are sent to human resources departments as archives.

The *.exe extension alone should make the user suspicious: a genuine job application is never an executable. Note, however, that Windows Explorer hides the extensions of known file types by default, so the same file is displayed as “Bewerbung.PDF”; only the last, hidden extension decides what happens on a double-click.
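The double-extension trick and the hidden-extension display rule can both be checked mechanically at a mail gateway or download proxy. The following is an added example, not code from the post or from Avira: it reconstructs what Explorer would show for a file name, and cross-checks the name against the file’s magic bytes (a Windows PE executable starts with “MZ”, a PDF with “%PDF-”). The extension lists, the display rule and the sample byte strings are simplifications constructed for this example.

```python
"""Triage an attachment by file name and content (added example)."""
import os

# Extensions Windows executes directly on double-click (simplified list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".jse", ".wsf", ".hta", ".msi"}
# Harmless-looking extensions an attacker places in front of the real one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".zip", ".rar", ".jpg", ".txt"}

# Leading bytes of the formats that matter here: a PE file (.exe/.scr/.dll)
# starts with the DOS header "MZ", a PDF with "%PDF-", a ZIP with "PK\x03\x04".
MAGIC = [(b"MZ", "pe"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip")]


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with the default 'Hide extensions for known
    file types' setting, assuming both the executable and the document type
    are registered: only the LAST extension is hidden, so 'Bewerbung.PDF.exe'
    is shown as 'Bewerbung.PDF' and looks like a PDF."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return stem
    return filename


def sniff(content: bytes) -> str:
    """Identify the content type from its magic bytes, ignoring the name."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, content: bytes) -> dict:
    """Return a verdict ('block' or 'allow') together with the reasons."""
    lowered = filename.lower()
    _, real_ext = os.path.splitext(lowered)
    # Every extension between the base name and the real (last) extension.
    inner_exts = {"." + part for part in lowered.split(".")[1:-1]}
    kind = sniff(content)
    reasons = []

    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension {real_ext} is executable")
        disguises = sorted(inner_exts & DOCUMENT_EXTS)
        if disguises:
            reasons.append(f"double extension hides the executable behind {disguises[0]}")
    if kind == "pe" and real_ext not in EXECUTABLE_EXTS:
        reasons.append("content is a PE executable although the name says otherwise")
    if real_ext == ".pdf" and kind != "pdf":
        reasons.append("name claims PDF but the content is not a PDF")

    return {
        "displayed_as": displayed_name(filename),
        "content": kind,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed samples: a PE header prefix and a minimal PDF header.
    FAKE_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"
    for name, data in [("Bewerbung.PDF.exe", FAKE_EXE), ("Bewerbung.pdf", REAL_PDF)]:
        print(name, "->", triage(name, data))
```

The name check alone is not enough: a PE file renamed to “Bewerbung.pdf” would not run on double-click, but it is still a mismatch worth blocking, which is why the magic-byte check is kept separate from the extension check. Real archives are allowed here; inspecting their members is a separate step.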

Once executed, the file quickly reveals itself as ransomware.

[Image: lock]

This kind of malware encrypts all personal files on your computer. The generated private PGP key is stored only on the ransomware’s command-and-control server, which makes decryption of the files practically impossible: the encryption is too strong to break without the private key. The victims then receive a ransom demand from the criminals, who will most likely ask for Bitcoins in exchange for decrypting the files. Just recently the FBI recommended paying the ransom. As a security company, we cannot support this advice.

Some time ago I published a magazine article on the evolution of ransomware. If you want to find out more about the topic, you can find it here: http://www.chip.de/artikel/BKA-Trojaner-Bundestrojaner-Co.-Das-ist-Ransomware-und-das-koennen-Sie-tun_84088225.html

What recommendations do I have for you?

  • Never open attachments in e-mails when you don’t know the sender or when the message doesn’t match what the sender would normally write.
  • Don’t download files from suspicious or untrusted sources.
  • Create regular backups of your PC.
  • Updates for the operating system and applications are vitamins for your computer.
  • Make sure you are using the latest version of Avira and that the latest virus definition files are installed.

And what can we do?

We protect you! In this case, too, the Avira Protection Cloud protected our customer from this threat. Our intelligent real-time classification system also lets us deliver the detection pattern directly back to the victim’s computer.


Team Leader Virus Lab Disinfection Service