UK, US users hit with credit card-themed spam spreading ransomware
Symantec researchers have spotted an unusual ransomware delivery campaign hitting mostly UK and US users: fake emails apparently coming from Visa are urging recipients to “take advantage of even more rewards and benefits in 2016.”
The email does, at first glance, look like it’s coming from a legitimate commercial source – it even contains advice for the recipient to not include credit card details in any correspondence.
In any case, the attackers aren’t after credit card data. They want the recipient to download the attached ZIP archive, which supposedly contains a Total Rewards Visa white paper but in fact holds a JavaScript file. When run, the script downloads a variant of the TeslaCrypt ransomware. The malware encrypts the victims’ files and asks for $500 in Bitcoin to decrypt them (the sum doubles if the ransom isn’t paid within 160 hours of infection).
“The spam campaign began as early as February 17 and is still ongoing. Although Symantec telemetry indicates the peak of the campaign may have already passed, it would not be surprising if the campaign starts picking up again since attackers behind TeslaCrypt are known to be very active,” the researchers noted.
“We may also come across spam runs using similar baits, so users need to be wary when receiving these types of messages in their mailboxes. Users must be especially vigilant if the email has an attachment with a JavaScript file inside, which is highly unusual.”
This particular campaign targeted almost exclusively English-speaking countries.
Spam related to credit cards goes out on a daily basis, but credit card-related spam campaigns involving malware are not that common, the researchers added, and urged users to keep their software updated and regularly back up their files.