A recent spam campaign in Denmark that impersonates the Danish post office is infecting victims with Cryptolocker 2.
According to Heimdal Security, the campaign is the latest in a long series of attacks that target one country at a time, with each run separated in time from the previous one, and that all use the same tactic: emails posing as legitimate notices from the local post office.
The scam works like this: an email purporting to be from the post office arrives, saying that the postman did not find you at home, so you have to collect the package from the post office yourself. Once the victim clicks the link in the email, he or she is redirected to a website that automatically downloads an executable file. If that file is run, it encrypts the files on the victim's drives, and a message pops up demanding a hefty ransom.
In this iteration, unsuspecting users from all over Denmark received emails pretending to be from Post Denmark or PostNord.
Heimdal pointed out that the tactic is not a new one.
“Cyber criminals have been deceiving unsuspecting internet users for a few years by using the post office email scam,” the company said in a blog. “People fall for it, because the post office is one of the most familiar institutions for them, which they trust. They never give it a second thought before clicking on a link in that email, and they never check the sender’s email address. These are fundamental mistakes that cyber-criminals are aware of and take advantage of consistently.”
Attackers are smart about it too: the spam campaigns that infect users around the world with Cryptoware are localized, meaning each one targets users in a single country at a time, and the emails are translated correctly and use the right visual elements to trigger an immediate click from the recipients.
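The two checks the article says victims skip (does the sender address match the brand in the display name, and does the link lead to an executable) are easy to automate at a mail gateway. The following is an added example, not code from the article or from Heimdal Security; the sample messages are constructed for illustration, and the list of legitimate PostNord sender domains is an assumption that a real deployment would replace with its own allow-list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: domains the impersonated brand really sends from.
LEGITIMATE_SENDER_DOMAINS = {"postnord.dk", "postnord.com", "postdanmark.dk"}
# Brand strings that, if present in the display name, must come from one of the above.
IMPERSONATED_BRANDS = ("postnord", "post danmark", "post denmark")
# File types that should never arrive as a "collect your parcel" link.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".jar", ".vbs")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed lure, modelled on the campaign described above (not a real message).
SAMPLE_LURE = """From: "PostNord Danmark" <kundeservice@postnord-levering.com>
To: victim@example.dk
Subject: Pakken kunne ikke leveres
Content-Type: text/plain; charset="utf-8"

Vi kunne desvaerre ikke levere din pakke i dag.
Hent din pakke-kvittering her: http://pakke-sporing.example.net/dl/kvittering.exe
"""

# Constructed benign notification for comparison.
SAMPLE_LEGIT = """From: "PostNord Danmark" <noreply@postnord.dk>
To: victim@example.dk
Subject: Din pakke er paa vej
Content-Type: text/plain; charset="utf-8"

Foelg din pakke paa https://www.postnord.dk/track
"""


def sender_display_and_domain(from_header):
    """Split a From: header into its display name and the domain of the real address."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return display, domain


def extract_text_body(msg):
    """Concatenate all text/* parts; works for both single-part and multipart mail."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_suspicious(raw_message):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    display, domain = sender_display_and_domain(msg.get("From", ""))
    brand_claimed = any(b in display.lower() for b in IMPERSONATED_BRANDS)
    if brand_claimed and domain not in LEGITIMATE_SENDER_DOMAINS:
        findings.append(f"display name '{display}' but sender domain '{domain}'")

    for url in URL_RE.findall(extract_text_body(msg)):
        # Inspect only the path so a bare "http://example.com" is not mistaken for a file.
        if urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(f"link to executable: {url}")

    return findings


if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, find_suspicious(sample) or "clean")
```

Both checks are heuristics. The display-name test catches the common case of a look-alike domain, but should sit alongside SPF/DKIM/DMARC verification of the envelope sender, and the link test only sees the URL in the mail body: in the campaign described above the executable is served by the landing page the link redirects to, so the final URL after redirects is the one that matters.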
United States residents were tricked by the post office email scam in 2011, followed by a fake DHL spam campaign in 2013, one in 2014 and the latest in early 2015. The UK followed suit at the beginning of 2014, with people falling for the fake Royal Mail scam. Australia was hit next in late 2014, and Italy and Spain became targets next in May 2015.
The attackers behind this scam have refined their tactics to preserve their anonymity: the infrastructure is spread across multiple hosting providers around Europe to obscure their traffic, and the malware uses a domain generation algorithm (DGA), which lets it compute fresh domains for its command-and-control servers instead of relying on a fixed list that defenders could block or seize.
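Because a DGA produces domains that no human chose, the names tend to be long, high in character entropy and unpronounceable, which is the basis of a common first-pass detector on DNS logs. The following is an added example, not code from the article or from the campaign's malware; the thresholds are illustrative assumptions, and the DGA-style domains in the sample list are made up for this example rather than taken from the campaign.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample: three real-looking names and three of the kind a
# character-level DGA produces (the latter are invented for this example).
SAMPLE_DOMAINS = [
    "postnord.dk",
    "postdanmark.dk",
    "heimdalsecurity.com",
    "xqzvkwrtpbn.com",
    "gj7ka2mwq9pd.net",
    "hvtrqkdwlzbm.ru",
]


def shannon_entropy(text):
    """Bits per character of the text's empirical character distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label of the domain. Assumes a single-label public suffix
    (.dk, .com, ...); a real deployment would consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def domain_features(domain):
    """Length, entropy, vowel ratio and longest consonant run of the registrable label."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = run = 0
    for c in label:
        # Digits and punctuation break a consonant run, vowels reset it.
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest_run = max(longest_run, run)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": longest_run,
    }


def looks_generated(domain, min_length=10, min_entropy=3.3,
                    max_vowel_ratio=0.25, max_consonant_run=5):
    """Heuristic (thresholds are assumptions): a long, high-entropy label that is
    also unpronounceable is treated as DGA-like."""
    f = domain_features(domain)
    unpronounceable = (f["vowel_ratio"] < max_vowel_ratio
                       or f["longest_consonant_run"] >= max_consonant_run)
    return f["length"] >= min_length and f["entropy"] >= min_entropy and unpronounceable


def flag_domains(domains):
    """Return the subset of domains the heuristic considers generated."""
    return [d for d in domains if looks_generated(d)]


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        f = domain_features(d)
        print(f"{d:24} entropy={f['entropy']:.2f} vowels={f['vowel_ratio']:.2f} "
              f"run={f['longest_consonant_run']} generated={looks_generated(d)}")
```

Run over resolver logs, this flags candidate C2 lookups for analyst review rather than for automatic blocking: legitimate CDN and tracking hostnames can score high, and dictionary-based DGAs that glue real words together score low, so the heuristic is a triage aid to pair with NXDOMAIN-rate monitoring and threat-intelligence feeds.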