Love Hurts - Attackers Aim For Would-Be Valentines

February 12, 2016
Proofpoint Staff

Valentine's Day is upon us once again...time for lovebirds to shower each other with chocolates, florists to gouge last-minute shoppers, and greeting card companies to cash in on their biggest day of the year. Unfortunately, it isn't just florists and greeting card companies cashing in. As with virtually any holiday or milestone, cybercriminals are also taking advantage of the opportunity afforded by Valentine's Day.

From a spammer's perspective, Valentine's Day is a great opportunity to fly under the radar of common sense with socially engineered lures to download malware or click to a phishing site. In the past, security researchers have found malware in those e-cards your sweetheart sent you (your loved one didn't really send them), phishing sites promising international dating opportunities (beautiful Russians don't really want to be your valentine), and sites for last-minute gift ideas (although these sites will steal your credit card instead of letting you steal someone’s heart with a classy gift).

This year, Proofpoint researchers came across one particular spam campaign that suggests the 70's rock band, Nazareth, had it right when they recorded “Love Hurts.” It would have been more fitting for them to record "Social Engineering Hurts" or "Ransomware Hurts" but that would have put the Swedish rockers way ahead of their time.

This campaign begins with an email lure that, despite broken English, seems harmless enough (Figure 1):

Figure 1: Email lure enticing recipients to download an entry form

Who wouldn't like see a show, go to a sporting event, or head to a concert, all at substantial discounts as part of Vividseats' Valentine's Day promotion?

Unfortunately, clicking the link downloads a Microsoft Word document (promo_tickets_form.doc) that contains exploits that drop and execute a new ransomware variant called 7ev3n. These exploits affect a range of Microsoft Office versions, including Microsoft Office 2003 SP3, 2007 SP2 and SP3, 2010 Gold and SP1, ensuring that a large number of endpoints are potentially vulnerable.

7ev3n itself is an especially nasty bit of ransomware that distinguishes itself from the more common Cryptowall, Cryptolocker, and Teslacrypt variants in a few ways:

  1. The ransom is very high. Attackers demand 13 bitcoins (about 5,000 USD) to decrypt files on infected machines
  2. The attackers threaten to make encrypted files public if the ransom is not paid
  3. Users are locked out of their systems completely until the ransom is paid

When a system is infected, 7ev3n immediately

  • Begins scanning for files to encrypt
  • Makes several changes to the system to ensure that the PC restarts and is locked without options for recovery
  • Creates a bitcoin wallet
  • Forces a restart once files are encrypted and the machine has been identified to the command-and-control server, locking the machine, disabling the keyboard and mouse, and displaying the message shown in Figure 2

Figure 2: Ransom screen for 7ev3n

We’ll delve further into 7ev3n next week in a blog post that covers the ransomware’s role in other campaigns. Through the rose-colored glasses of would-be valentines, though, the more important consideration is the initial lure and the social engineering that makes it work.

Red flags galore appear in the email that links to this malicious document (language issues, the timing of the SuperBowl-related prize, grandiose promises of major prizes, and so on). And yet this campaign, like many others, is effective. It takes only a few victims to generate a reasonable income stream for the cybercriminals behind it, and click rates on these kinds of emails remain remarkably high. In this case, the threat of public disclosure of personal files also may be enough to convince people to pay the ransom, even if regular backups mean that they haven't actually lost their newly encrypted files.

So as we scour the web for last-minute gifts and click through the Friday backlog of emails before grabbing overpriced flowers on the way home, keep those immortal lyrics from Nazareth in mind:

Some fools think of happiness
Blissfulness, togetherness
Some fools fool themselves I guess
They're not foolin' me

Think before you click and, next year, start your Valentine's shopping earlier.