In 2015, we saw malicious Microsoft Office macros return with a vengeance, delivering a plethora of threats ranging from ransomware to banking Trojans. Now, we’ve found cybercriminals incorporating macros into phishing attacks to steal your information through email. The campaign delivered several thousand German-language phishing emails with Excel attachments containing the macros.
Phishing with macros
In the German-language phishing campaign, the attackers sent out emails with Excel file attachments. The messages claim to come from a German bank, and the subject lines of these emails included:
- Neue Sicherheitsrichtlinien
- Bitte aktualisieren Sie Ihre Daten
In English, the subjects translate to:
- New Security Policy
- Security Policy
- Please update your information
- Customer data
Figure 1. Phishing email with Excel attachment containing malicious macro.
The English translation, courtesy of Bing Translator, is as follows:
“Dear [GERMAN BANK] customer,
We always strive to keep your security at the highest level.
We have recently improved our security system and optimized to better protect you from fraud.
Due through the new security policy we ask you, your data, and your mobile phone number to update and customize your account to the new standards.
If no updating on your part is done in 48 hours, we charge a processing fee of EUR 23.99. The amount will be automatically deducted from your account and you will receive the writing within a few days by post.
Please open the Excel file in the annex of the mail and fill out the form. Then click "Remember me", thus, the data are automatically sent to the Bank.
Note: Macros must these be enabled.
With kind regards”
The phishing email message specifically asks the user to enable macros, as Microsoft disables them in their software by default for security reasons.
When the Excel attachment is opened, it asks the user to provide sensitive details relating to their bank account. The requested information includes the person’s name, date of birth, phone number, bank account details, PIN number, identity card number, and payment card details.
Figure 2. Phishing Excel file containing malicious macro
When the user clicks on the ‘Daten speichern’ button, the Excel file’s malicious macro sends the personal details to an email address under the attacker’s control, which in this case is Umeda[@]jdp-co.jp.
Users should adhere to the following advice to avoid falling for this phishing campaign:
- Avoid enabling macros in Microsoft Office documents, especially if you’re not sure of the source of the file
- Be suspicious and think before you click—never view, open, or execute any email attachment unless you expect it and trust the sender
- Never disclose any confidential personal or financial information unless and until you can confirm that the request for the details is legitimate. Reputable institutions don’t ask users to submit personal information through Excel files with macros
- If you’re about to enter personal or financial details online, look for visual cues that identify safe websites. Scan the web page for a trust mark, such as the Norton Secured Seal
- Review your bank, credit card, and credit information frequently for irregular activity
- Always be sure that your operating system is up-to-date with the latest updates, and employ a comprehensive security suite
Customers of Symantec Email Security.cloud are protected against these phishing messages. Symantec and Norton products detect the Excel file’s malicious macro as Infostealer.