How crooks abuse timesaving macros to infect computers: Internet Scambusters #644
Although they sound a bit technical, macros are actually just mini-programs that usually run inside other software to automate and speed up repetitive tasks.
That may be a good thing if they're used properly, but crooks are increasingly burying malicious macros inside email attachments.
If you allow these macros to run, they could infect your computer with a virus that steals valuable information, as we explain in this week's issue.
Let's get started...
Macros: What They Are and How They Could Imperil You
Legitimate mini-programs called macros, which run inside other software, are proving to be an increasingly popular route for criminals to hack into victims' computers.
Simply put, a macro is a series of commands you can use to speed up or automate tasks in certain popular productivity software like Microsoft Office and Excel.
People who know how to use these commands to build a sequence of program actions can save themselves a lot of time and hassle.
But that means crooks can also use them to write malicious macros that run when you try to open an infected document or spreadsheet.
They arrive in the form of attachments to emails or as documents on disks, usually with a message that urges you to click on them.
Sometimes, they are part of a well-organized campaign such as one spotted in the UK in February this year.
In this case, the emails were faked to look like they were from legitimate companies, and referred to an "attached invoice."
But the "invoice" actually contained a macro that would install malware to steal confidential banking information.
One of the Scambusters team members also recently received a similar attempt to install a virus via a macro.
In this case, the message appeared as a notification of a failed ACH (Automated Clearing House) banking transaction, which had been rejected by another bank.
"Please click the word file given here to get more information about this issue," it said.
But the file contained a macro that would have installed a virus known as Trojan Downloader that would then open up a PC to hackers.
In both cases, any attempt to run the macro would likely have encountered the built-in security in Microsoft Word.
When this protection is switched on, which it should be by default, a yellow "Security Warning" bar appears in the program, with a shield icon and a button marked "Enable content."
So the malicious macro would not run unless you clicked that "Enable" button.
But, unfortunately, as we know, many computer users are simply too trusting and probably would click the button if they thought the message came from a legitimate source.
Furthermore, crooks are cunning so, at least in the UK case, the text inside the Word document also contained instructions on how to run macros and bypass the security.
Earlier this year, Security Week magazine quoted the Microsoft Malware Protection Center as saying: "Since Microsoft set the default setting to 'Disable all macros with notification,' the number of macro-related malware threats declined. More recently we have seen new threats emerging that include some form of social engineering to convince users to manually enable macros and allow the malicious code to run."
The magazine said the use of malicious macros had spiked during recent months, notably with the use of the fake "ACH Transaction" notification received by the Scambusters team member.
Other subject headings include "Invoice as Requested" and "Payment Details."
The documents are being distributed as part of a well-orchestrated spam campaign.
So, what can you do to avoid falling victim to malicious macro attacks?
First, check that your software is properly set up to alert you to attempts to run macros.
Word and Excel are the most commonly used programs that run macros, though there are others.
To make sure that the macro autorun function is turned off in these two specific applications, check out Microsoft's article: Change Macro Settings in the Trust Center.
Second, in these or any other programs that invite you to enable or run macros, be extremely cautious about doing so.
If possible, check independently with the supposed sender to authenticate it.
Also be wary about standalone macros available online.
In these cases, the macros are not part of another program but independent applications that offer to automate repetitive tasks on your PC.
Many of these are free so perform an Internet search on the name to check out others' experiences with them.
Finally, ensure you're running good anti-virus software and keep it up to date.
Most security software will spot an attempt to run malicious macros and stop them dead in their tracks.
Alert of the week
Just how far can you trust online reviews of products and services? Sometimes, not very far, says the Federal Trade Commission, after uncovering how one company gave generous discounts to customers who posted glowing reports.
Legally, a reviewer should always disclose any connection with the company whose product they're writing about, but that doesn't always happen, so it's always best to compare reviews from a wide variety of sites, says the FTC.
That's all for today -- we'll see you next week.