Reprinted from KnowBe4
Here’s a current scam those involved in shipping and receiving should be aware of. Suppose you’re expecting a package from a major package delivery company. You receive a seemingly legitimate email from the shipping company offering a means to track the progress of your delivery by simply clicking on the supplied link “Arrival Notification.” The only problem is, as a result of the Microsoft default being set to hide file extensions; you don’t see the full file name “Arrival Notification .exe.”
You click on the file to check on your delivery but instead, you unleash an unwanted package, an executable file that compromises your computer with a seemingly innocent animated gif.
The scheme involves using Agent Tesla, a modern and powerful keystroke logger known to be used in malicious spam that pushes malware. This software monitors every move on your personal computer by way of the keyboard and monitor. Your computer now displays the victim viewing the animated gif in a browser on their monitor. It’s like looking in a mirror, and is known as “gifception.”
This is what happened when a mass distribution email spoofed DHL’s address, lending credibility to the bogus email prompting the victims to open and click. In this case the criminals picked on DHL, but any shipping company could be spoofed.
By no means is this a new trick, although it may not have been quite so common recently. Embedding the malware in the gif may make it more difficult to detect, and criminals have embedded malware in images before. The only thing that changes is the delivery message.
To avoid becoming a victim, always check the credentials of incoming emails. Never click on a link or executable file unless you know the sender is legitimate and remember to update your software. The implementation of best practices such as Software Restriction Policies (SRP) or Applocker could prevent these infections going forward. And, of course, those tools work best when they work for an informed, trained workforce. New-school interactive security awareness training can help make any organization’s employees more resistant to social engineering.
The Internet Storm Center has the story with in-depth technical analysis: https://isc.sans.edu/forums/diary/DHLthemed+malspam+reveals+embedded+malware+in+animated+gif/23944/
By: Stu Sjouwerman