Accounts Payable in the Czech Republic Targeted by Dridex
Websense® Security Labs™ has observed an increase in Dridex being used to target individuals in the Czech Republic. Using malicious email lure themes related to invoicing, the campaign follows a typical pattern of targeting recipients using keywords like "accounts payable" to make the messages seem more authentic. The Dridex campaign also uses a combination of subject lines and email bodies that urge prompt action.
Websense Security Labs saw tens of thousands of lures targeting users in the Czech Republic within a very small time window on August 4, 2015. The emails were sent from a variety of sender domains with fictitious user names. The malicious emails contain Microsoft Word MHTML attachments with malicious macros that can be used to execute code.
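A mail-gateway style check for the attachment type described above, added here as an illustrative example and not Websense's own detection logic: it flags attachments whose content is really MHTML and carries an ActiveMime part (`application/x-mso`, usually `editdata.mso`), which is where Word stores macros in MHTML documents. The sample message, file names and function names are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample: the bytes of a ".doc" that is really Word MHTML
# (multipart/related) with an ActiveMime macro container part.
SAMPLE_MHTML = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_X"\r\n\r\n'
    "------=_NextPart_X\r\n"
    "Content-Location: file:///C:/sample/invoice.htm\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Invoice</body></html>\r\n"
    "------=_NextPart_X\r\n"
    "Content-Location: file:///C:/sample/editdata.mso\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Type: application/x-mso\r\n\r\n"
    "QWN0aXZlTWltZQAA\r\n"  # base64 of b"ActiveMime\x00\x00"
    "------=_NextPart_X--\r\n"
).encode()

def build_sample(attachment: bytes) -> bytes:
    """Wrap attachment bytes in a constructed invoice-themed message."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="msword", filename="invoice.doc")
    return bytes(msg)

def macro_mhtml_attachments(raw_eml: bytes) -> list:
    """Return names of attachments that are MHTML documents with a macro part."""
    hits = []
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    for att in msg.iter_attachments():
        data = att.get_payload(decode=True) or b""
        inner = email.message_from_bytes(data, policy=policy.default)
        if inner.get_content_type() != "multipart/related":
            continue  # not MHTML, whatever the extension claims
        for part in inner.walk():
            loc = str(part.get("Content-Location", "")).lower()
            body = part.get_payload(decode=True) or b""
            if (part.get_content_type() == "application/x-mso"
                    or loc.endswith(".mso") or body.startswith(b"ActiveMime")):
                hits.append(att.get_filename() or "<unnamed>")
                break
    return hits

if __name__ == "__main__":
    print(macro_mhtml_attachments(build_sample(SAMPLE_MHTML)))
```

The check keys on the attachment's content rather than its extension, so a renamed file is still caught; a hit means "contains a macro container", which warrants quarantine or deeper macro analysis rather than proving malice on its own.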
Recipients should be extra cautious with email messages whose source details they do not already recognize, including:
• Email sender
• Company sender domains
• Email bodies with little to no contextual information
Since Dridex is known to not only leverage but also harvest additional SMTP accounts as part of its malicious activities, email recipients should also be careful with suspicious messages sent from familiar names or aliases. Recipients should use caution by following up in a separate email thread or via a phone call (or some other out-of-band process) for validation of a submitted invoice. Furthermore, all security best practices and defense-in-depth strategies should be followed as part of a risk mitigation strategy. Websense customers are currently protected via TRITON AP-Email. This case highlights once again that geography has a role to play in the malware-as-a-service ecosystem.
Contributors: Jose Barajas and Ran Mosessco