Yet Another New Phishing Scam: What It Is and How to Stay Safe

Another week, and yet another scam hitting the corporate interwebs, one that finds a brand-new way to exploit your employees and damage your company. We want to help you stay safe and keep your business free from the distraction or even devastation of a cyberattack. So here’s what you need to know about this new phishing scam, and how to keep yourself and your team members safe.

The New Threat: Malware Wrapped in a Phishing Attack

The new threat uses similar tactics to those we’ve warned you about before. But the specifics are different enough — and convincing enough — that this one warrants special explanation. Like any other phishing attack, this one sends a phishing email pretending to be from somewhere reputable. This time, it impersonates a very reputable tech brand, one that offices everywhere use and that employees will likely recognize. This phishing attack doesn’t try to steal your credentials, though: instead it delivers a payload of malware. What we often call a virus, malware installs itself invisibly on your computers and starts doing things you don’t want on those systems. It could start stealing your data or log everything you type or a wide range of other things, none of them good.

How the Threat Works

Here’s the basic path this threat takes. It starts with an email that acts like it’s from DocuSign, that company that gives businesses a way to digitally sign documents. It isn’t from them, of course: DocuSign has nothing to do with this scam other than being in the unfortunate position of having their name stolen. The email tells you that some kind of important document awaits you. Currently it’s most often a “Remittance Advice,” but the scammers could change the document type easily in the coming months. Here’s where things get tricky. If you click the big yellow button in the email, you actually (at least so far) get sent to the real DocuSign website. Of course, that site won’t know anything about any Remittance Advice document, because it’s not real. We think this quasi-legit portion of the scam is helping it get past some spam filters. Anyway, the dangerous part is the attachment. The message says something about attaching the document to the email itself, and sure enough, there’s an attachment. It might look like an HTML file or an image file, depending on your email program, and it might be named “remittance advice.htm”.

What the Attachment Really Is

OK, stick with us: here’s where it gets tricky. That attachment is essentially a blank image. There’s an image type you probably haven’t heard of called .svg – it’s a type of vector image that’s able to contain data and code (in ways regular images can’t) and that can be encoded into an HTML file. If you open the attachment, all you see is a blank image. It’s like there’s nothing there. But what you don’t see is that, behind the scenes, there’s some code embedded in that blank image that automatically launches a malicious link. That’s right: you don’t have to click the link in the attachment. It clicks itself, so to speak, if you even peek at the attachment.

How You Can Stay Safe

Our best tip for staying protected from this scheme is to treat all .html and .htm attachments as suspicious. There’s rarely a legitimate reason someone would need to send you one. If you get one and you’re not absolutely certain it’s legit, contact the sender another way to double-check. At the admin level, you could block all emails with this kind of attachment. If you’re not sure how, we’d love to show you. Take extra caution if your business actively uses DocuSign: you’re at greater risk because your team won’t think twice about an email that looks like it’s from this company. Train your team that DocuSign never sends attachments like that and tell them to report anything suspicious to your IT partner. That’s it for this week. Need help managing your IT? We’d love to chat! Reach out to our team today.