Voice message notification email warning: it could be ransomware

Don't play voicemail messages from suspicious sources. Image credit: SANS ISC.

The search for new methods to trick victims into running a ransomware program has turned to recorded voicemail notifications in email.

Ransomware spruikers commonly use bogus invoice attachments and fake messages from the accounts department to hold victims’ data hostage until they pay a ransom in Bitcoin. Some ransomware variants, such as the lucrative Cerber operation, have even experimented with text-to-speech synthesisers to encourage victims to pay up.

But a new ruse by criminals is ransomware-rigged voicemail notifications, which appear to target Microsoft Outlook users, according to the SANS Internet Storm Center.

The attack email arrives with an attachment that supposedly contains a voice message: a .wav file compressed in a .zip folder. The folder actually contains hidden malicious code that will install ransomware labeled by some antivirus vendors as Nemucod, which renames files to (original file name).crypted.
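
A mail-gateway style check for the mismatch described above, where a "voice message" zip holds something other than audio. This is an added example, not code from the article or from SANS ISC; the audio allow-list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

AUDIO_EXTS = {".wav", ".mp3", ".m4a", ".ogg"}  # assumed allow-list, tune per site


def non_audio_members(raw_email: bytes) -> list[str]:
    """List members of .zip attachments whose final extension is not audio."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if not name.lower().endswith(".zip"):
            continue
        try:
            payload = part.get_payload(decode=True) or b""
            archive = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            flagged.append(f"{name}: not a readable zip")
            continue
        with archive:
            for info in archive.infolist():
                # Only the last extension decides how the file is opened,
                # so "x.wav.<other>" is judged by "<other>".
                ext = os.path.splitext(info.filename)[1].lower()
                if not info.is_dir() and ext not in AUDIO_EXTS:
                    flagged.append(f"{name}/{info.filename}")
    return flagged


def build_sample(members: list[str]) -> bytes:
    """Constructed test message: a zip of harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in members:
            zf.writestr(member, b"placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Voice message notification (constructed sample)"
    msg["From"] = "voicemail@example.com"
    msg["To"] = "user@example.com"
    msg.set_content("You have a new voice message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="voice_message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(non_audio_members(build_sample(["message.wav.js"])))
```

A non-empty result is a reason to quarantine the message for review; an empty one only means the archive listing looked like audio, not that the files are safe.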

The delivery mechanism may be exploiting the fact that missed call notification emails are enabled by default in Microsoft Outlook.

So why use bogus voicemail notifications? SANS ISC handler and independent security consultant Xavier Mertens speculates that attackers are catering to consumers and employees who don’t commonly interact with the usual bait, such as bogus billing reminders.

“Which types of notification do they have in common? All of them have a phone number and with modern communication channels ("Unified Communications") like Microsoft Lync or Cisco, everybody can receive a mail with a voice mail notification. Even residential systems can deliver voice message notifications,” wrote Mertens.

Indeed, consumers appear to be the first target of this email spam campaign. According to Mertens, a “wave” of attack email he discovered purported to contain a voice message regarding a modem from Vigor, a UK distributor of ADSL modems for the residential market.

One person who reported receiving the same email on Tuesday attempted to open the email in Mozilla’s Thunderbird client on a Linux machine, which he believes saved him from being infected.


Stories by Liam Tung
