SecureWorld News

Old Dog, New Phishing Trick from Necurs Botnet

Written by SecureWorld News Team | Tue | May 1, 2018 | 9:31 PM Z

Millions of machines are in on the action.

They are constantly being called upon to cause problems around the world.

These machines make up the Necurs botnet, which many consider to be the world's largest and most powerful spam and phishing delivery mechanism.

If this botnet had a bumper sticker, it would say something like this: "The best day working IS the best day phishing!"

Necurs botnet reveals new tricks 

And while botnets don't have bumper stickers (that we know of), they do have new tricks. The criminals who control the Necurs botnet are doing something new to get around most email filters, and security firm KnowBe4 is documenting it. In many cases, the phishing effort looks like a voicemail message.

KnowBe4's Founder and CEO, Stu Sjouwerman, has this to say about the Necurs botnet on his blog:

"It's begun emailing archive files that unzip to a file with a .url extension. This commonplace Windows shortcut opens a page directly in a browser. The advantage of this approach is that it's typically overlooked by email scanners, which are hunting for more complicated infection chains. The final destination of this link is a remote script file that downloads and automatically executes a malicious payload.

This common Windows shortcut is the social engineering tactic which tricks your users into thinking the email file attachment they just unzipped has created a folder that they need to enter and view the actual file."

And Sjouwerman suggests updating your filter settings to help catch attachments that arrive as "archive files" so they can be treated as guilty... until proven innocent.
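One way a mail gateway hook could apply that advice, shown as an added example rather than code from KnowBe4 or SecureWorld: it opens each zip attachment in memory, reports any member with a .url extension, and extracts the shortcut's target for review. The function names, the sample message, and the placeholder URL are constructed for illustration, and only the zip format is handled.

```python
import configparser
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def shortcut_target(data: bytes):
    """Return the URL= value of a Windows Internet Shortcut (.url), or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def scan_message(raw: bytes):
    """List (attachment, member, target) for every .url file inside a zip attachment."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            continue  # not a zip archive; other archive formats need their own reader
        with zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(".url"):
                    continue
                try:
                    with zf.open(info) as fh:
                        target = shortcut_target(fh.read(64 * 1024))  # cap read size
                except (RuntimeError, zipfile.BadZipFile):
                    target = None  # encrypted or corrupt member: still report it
                findings.append((part.get_filename(), info.filename, target))
    return findings

def build_sample() -> bytes:
    """Constructed sample mail: zip attachment holding one shortcut (placeholder URL)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voicemail.url", "[InternetShortcut]\r\nURL=https://example.invalid/placeholder\r\n")
    msg = EmailMessage()
    msg["Subject"], msg["To"] = "New voice message", "user@example.invalid"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="msg.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A non-empty result is a reason to quarantine the message for review; a finding whose target is None means the shortcut could not be read (for example, an encrypted member) and deserves the same treatment.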