Feb Breach Scam Feature

What happened?

Security experts recently discovered that criminals have begun distributing Pony malware disguised as Microsoft Publisher file attachments in a new type of phishing email. Sending malware via email attachments is nothing new, but scammers keep refining their methods in the hope of stealing your personal information.

The ploy operates like a traditional phishing attack. A phishing email is sent containing the infected attachment. Once the Publisher file is downloaded and opened, it will appear to crash moments later.

However, the credential-stealing Pony malware is unknowingly being installed, giving hackers full remote access to user credentials and sensitive files on the affected computer. Pony malware is particularly concerning because it allows compromised devices to spread the infection to other devices.

What is Pony Malware?

The Pony malware is a password stealer that can recover stored passwords from over 110 different applications (VPN clients, FTP clients, email clients, web browsers, etc.). The malware searches infected machines for user credentials, then sends the information back to the command-and-control server (i.e. the hacker). It can also enrol infected computers in a botnet that spreads the malware to other devices.

Source: KnowBe4

Why Publisher?

At initial glance, Microsoft Publisher seems to be an odd choice for scammers to use in this type of attack. One would assume that potential victims would be more likely to click or download email attachments ending in .doc (Microsoft Word), .xlsx (Excel) or .ppt (PowerPoint) as opposed to the less familiar .pub (Publisher) files.

But, as Graham Cluley's security blog reports, the social engineering tactics behind this phishing scam are enough to convince victims to download the unusual file. The emails typically express an interest in sharing files with you concerning financial planning, consulting or assessment, urging victims to open the malicious file.

Furthermore, Microsoft Publisher is preferred by hackers in these types of phishing attacks because it does not support “Protected View.” Protected View is a read-only mode included in other Microsoft Office programs, like Word, Excel and PowerPoint, that opens files from untrusted sources (such as email attachments) with editing disabled, so that content embedded in those files cannot run unless the user deliberately enables it.

What should you do?

Follow these tips to avoid becoming a victim of the Publisher malware, as well as phishing emails overall:

  • Be wary of Publisher file attachments unless you are expecting to receive one. Microsoft Publisher is not commonly used for file sharing or word processing. Receiving an unexpected Publisher file can be a big red flag for this type of phishing attack.
  • Install anti-malware programs, and make sure they stay updated. Anti-malware or anti-virus programs will alert you to suspicious activity occurring on your computer. Pony malware runs in the background and does not make itself apparent at the time of download, so malware like this can easily be missed if you don’t have anti-malware protection.
  • Use strong passwords and avoid password reuse. Strong passwords help thwart hackers from compromising your accounts, and using a different email/username and password for each online account means that, should hackers successfully steal one set of login credentials, they cannot use it to access all your accounts.
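As an added illustration (not part of the original article), the following Python check puts the first tip into practice on the mail-filtering side: it parses an email and flags attachments that are Publisher files by extension or declared type, and goes slightly beyond the article by also flagging any attachment whose bytes carry the OLE2 compound-document signature under an unrelated extension. The sample message, addresses and filenames are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Publisher (.pub) files are OLE2 compound documents; every OLE2 file
# begins with this 8-byte signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PUBLISHER_MIME = "application/x-mspublisher"
# Extensions for which an OLE2 header is expected and therefore not suspicious.
KNOWN_OLE2_EXTS = (".doc", ".xls", ".ppt", ".pub", ".msg")


def flag_publisher_attachments(raw_eml: bytes) -> list:
    """Return one finding per attachment that looks like a Publisher file,
    or that is an OLE2 document hiding under a non-Office extension."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(".pub"):
            reasons.append("pub-extension")
        if ctype == PUBLISHER_MIME:
            reasons.append("publisher-mime")
        if payload.startswith(OLE2_MAGIC) and not name.endswith(KNOWN_OLE2_EXTS):
            reasons.append("ole2-magic-under-foreign-extension")
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


def build_sample_email() -> bytes:
    """Constructed lure: a 'financial planning' message with three attachments.
    The OLE2 payloads are synthetic headers, not real Publisher documents."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "you@example.com"        # constructed address
    msg["Subject"] = "Financial planning assessment"
    msg.set_content("Please review the attached assessment.")
    fake_ole2 = OLE2_MAGIC + b"\x00" * 24
    msg.add_attachment(fake_ole2, maintype="application", subtype="x-mspublisher",
                       filename="assessment.pub")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="notes.pdf")
    # An OLE2 document renamed to look like a PDF: flagged by magic bytes alone.
    msg.add_attachment(fake_ole2, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()
```

Run `flag_publisher_attachments(build_sample_email())` to see two findings: the .pub attachment and the disguised OLE2 file, while the genuine PDF passes.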

Continue following Fighting Identity Crimes for more cybersecurity and protection tips, as well as up-to-date breach and scam news.
