A spam campaign that Symantec observed in January 2017 targeting people living in Germany appears, once again, to use detailed and accurate personal information about each recipient to make the messages more believable. Recipients who open the message attachment are likely to have their Windows computers infected with malware that steals banking information.
First seen in the UK
Symantec is aware of only one other campaign in the recent past that used this same modus operandi. In April 2016, thousands of people across the United Kingdom received similar spam messages indicating that a large bill had not been paid and would be sent to a collections agency. While the business name and the messages varied slightly, they all included detailed personal information about the victim, both in the message body and in the malicious file that was delivered through a link.
The spam samples we have seen targeting users in Germany employ the same social engineering trope as the messages sent to victims in the UK. The messages, written in German, allege that the recipient attempted to pay for something online and that the payment failed. They go on to threaten to hand the matter to a collection agency or law enforcement if payment is not received within a short period of time.
While the contents of the German messages varied significantly, they shared some phrases that were repeated verbatim. For example, the phrase “Sämtliche damit verbundenen Kosten werden Sie tragen” (“You will bear all associated costs”) appears in both messages. In the earlier campaign targeting users in the UK, we saw the same reuse of grammatically awkward phrases, such as “your invoice is now considered as overdue.” Because these strings survive the per-message variation in business names and wording, they are a useful detection indicator.
The key detail of each message is that the recipient’s full name, mailing address, and telephone number are embedded in the middle of the message.
One difference between the two campaigns is the delivery mechanism: the messages sent to German recipients carried the payload as an attachment, while the UK messages contained a link to one of several compromised websites hosting the malware. Victims of the UK campaign who followed the link were also required to enter a CAPTCHA code into a web form before the site would serve the malware, a step that also stops automated URL scanners and crawlers from retrieving the sample.
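The indicators described above (a verbatim lure phrase reused across variants, the recipient’s own postal address and telephone number embedded in the body, a threat of collection or legal action, and a payload delivered either as an attachment or through a download link) can be combined into a simple mail-triage heuristic that flags a message only when lure, embedded personal data, and a payload path all appear together. The following Python is an added example and is not Symantec’s tooling or anything from the report; only the two quoted phrases come from the text, while the German address and phone patterns, the threat vocabulary, the risky-extension list, the hypothetical domain `example.invalid`, and the three sample messages are all assumptions constructed for illustration.

```python
"""Heuristic triage for invoice-themed spam that embeds the recipient's PII.

Added example, not Symantec's code. Everything except REUSED_PHRASES is an
assumption made for illustration.
"""
import re
from dataclasses import dataclass, field

# Verbatim phrases the report observed recurring across otherwise varied messages.
REUSED_PHRASES = (
    "Sämtliche damit verbundenen Kosten werden Sie tragen",
    "your invoice is now considered as overdue",
)

# Assumed threat vocabulary (collection agency / police / legal action).
THREAT_TERMS = re.compile(
    r"\b(Inkasso|Inkassobüro|Polizei|Staatsanwaltschaft|collection agency|legal action)\b",
    re.I,
)

# Assumed German-style postal address: street name with a common suffix plus house
# number, followed within 40 characters by a five-digit postcode and a town name.
ADDRESS_RE = re.compile(
    r"\b[A-ZÄÖÜ][\wäöüß.-]+(?:straße|str\.|weg|platz|allee|gasse)\s+\d+[a-z]?\b"
    r".{0,40}?\b\d{5}\s+[A-ZÄÖÜ][\wäöüß-]+",
    re.S,
)
# Assumed phone pattern: +49 or a leading 0, area code, then the subscriber number.
PHONE_RE = re.compile(r"(?:\+49|0)\s?\d{2,5}[\s/-]?\d{3,8}\b")

# Assumed list of attachment extensions worth treating as a payload.
RISKY_EXT = (".zip", ".js", ".doc", ".docm", ".xls", ".xlsm", ".exe", ".scr")
URL_RE = re.compile(r"https?://\S+", re.I)


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_message(msg):
    """Return the list of indicator names that fire on one message."""
    hits = []
    text = msg.subject + "\n" + msg.body
    if any(p in text for p in REUSED_PHRASES):
        hits.append("reused_phrase")
    if THREAT_TERMS.search(text):
        hits.append("threat_language")
    if ADDRESS_RE.search(text):
        hits.append("postal_address")
    if PHONE_RE.search(text):
        hits.append("phone_number")
    if any(a.lower().endswith(RISKY_EXT) for a in msg.attachments):
        hits.append("risky_attachment")
    elif URL_RE.search(text):
        hits.append("download_link")
    return hits


def is_suspicious(msg):
    """Flag only when a lure, embedded PII, and a payload path all co-occur,
    so a legitimate invoice that merely carries an address is not flagged."""
    hits = set(score_message(msg))
    lure = {"reused_phrase", "threat_language"} & hits
    pii = {"postal_address", "phone_number"} & hits
    payload = {"risky_attachment", "download_link"} & hits
    return bool(lure and pii and payload)


def triage(messages):
    """Return the subjects of the messages that should be quarantined."""
    return [m.subject for m in messages if is_suspicious(m)]


# Constructed sample messages (not real samples from the campaigns).
SAMPLES = [
    Message(
        "Zahlungserinnerung - letzte Mahnung",
        "Sehr geehrte/r Max Mustermann,\nMusterstraße 12, 10115 Berlin, Tel. +49 30 1234567\n\n"
        "Ihre Online-Zahlung ist fehlgeschlagen. Sollte der Betrag nicht innerhalb von 48 Stunden "
        "eingehen, übergeben wir den Vorgang an ein Inkassobüro. "
        "Sämtliche damit verbundenen Kosten werden Sie tragen.",
        ["Rechnung.zip"],
    ),
    Message(
        "Overdue invoice",
        "Dear John Smith,\n14 High Street, London, Tel. 0207 1234567\n\n"
        "Your payment did not go through and your invoice is now considered as overdue. "
        "Download your invoice here: http://example.invalid/invoice and settle it within "
        "3 days to avoid legal action.",
    ),
    Message(
        "Your monthly invoice",
        "Hello,\nYour invoice for March is attached. Questions? Call us on 0800 1234567 or "
        "visit https://example.invalid/help.\nKind regards, Example GmbH, Beispielweg 3, 80331 München",
        ["invoice.pdf"],
    ),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, score_message(m), is_suspicious(m))
```

The third sample deliberately contains an address, a phone number, and a link but no lure, and so is not flagged: the point of requiring all three indicator classes is to avoid quarantining ordinary vendor invoices, which routinely carry contact details. In a real deployment the phrase list would be fed from observed samples and the PII patterns adjusted to the languages and countries the mail flow actually serves.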