Webroot missed Trojan:O97M/Sonbokli.A!cl - which then infected client computers

  • 18 December 2018
  • 27 replies
  • 868 views




Hi Muddy7,
My questions at the time were:
  1. Did those emails come from your computer or was your email address spoofed?
  2. Did the offender get access to your recent email communications with your customers by compromising your machine or did something get compromised somewhere between those communications leaving your machine and their arriving at the recipients' machines?
I don't know if Webroot was to blame for not detecting the initial infection.  My point in switching software was because WSA was unable to detect exactly the type of malware used to spread the spam my account had sent out, whereas many other software packages do.   Support said they were working on it, but it was too late for me and my clients.
 
Anyhoo, to answer your questions:
 
1. They were sent with my credentials, but my machine was off.  It wasn't spoofing, because the sender address wasn't forged.  They were legitimately sent from my account.  I know this because I was emailed immediately by my host provider that it suspected mass spam emailing between 6:00 and 6:30AM that morning.  They stopped further transmissions.
 
2. Not sure when/where/how the data got intercepted, or if simply my credentials were hacked by malware.
 
Malware is getting more and more clever.  It used to be quite obvious, but in this case:
 
- was delivered from a legitimate (not spoofed) email address
- was a reply to a previous email in a chain
- contained a file called [mylastname].doc, which is certainly less conspicuous than "shipping_details.pdf"
- signed with my sig file
- sent to recent clients, many of whom I send reports or other .doc, .xls or .pdf files frequently
- contained no spelling or grammar mistakes
 
If I had been at the other end of that email, I'm 90% sure I would have counted it as legitimate and opened it.  I don't blame my clients for opening it either.  In the end, I would rather use more advanced detection algorithms to find this stuff ahead of time, not only for the security of my local machine but for that of my clients.  
 
I switched to Bit Defender for all devices and purged all my old emails in the Outlook trash.  Found a bunch of stuff, and I did a couple manual deletes.  So far so good.
 
Cheers,
P

Thanks for the reply!
 
@ wrote:
They were sent with my credentials, but my machine was off
OK, so that establishes pretty conclusively that the emails were not sent from your machine.
 
@ wrote:
WSA was unable to detect exactly the type of malware used to spread the spam my account had sent out
Not quite sure how Webroot could detect the type of malware that was used to send out mails that apparently did not come from your machine?
 
Maybe there's something that I've missed here in your explanation (I'm not always the brightest of sparks when it comes to IT stuff :@). And anyway, we seem to be in danger of starting to go round in circles. One thing is completely understandable: you've had a terrible experience, as a result you don't feel comfortable with Webroot, and indeed I imagine if I were in your boots (in more than one respect I am not!) I would probably feel the same. So as I say, completely understand and I wish you the best with your new protection 😃
