Emotet has been circulating on the Internet for over two years and is currently raging in Germany and around the world, yet it is only now that it has become extraordinarily successful.
What makes the attack so devastating is its personal touch. In the following we want to show why the attack is so successful and why this attack strategy is so widespread.
Good phishing emails make Emotet so explosively successful.
Basically, Emotet is a classic Trojan. Once a malicious website has been visited or a malicious attachment has been downloaded and opened, Emotet downloads further malware and mutates into a multi-headed Hydra.
Passwords are extracted from the browser's password store, banking Trojans such as TrickBot are downloaded as a second stage, and, most critically, Outlook contacts are stolen and e-mails are then sent automatically to these contacts in the victim's name. This is a particularly efficient distribution strategy, which is illustrated more clearly in the following picture:
These are the targets of attackers – even with Emotet!
There are only three things attackers want from their victims:
- click a link,
- download a file, or
- perform an action.
If an attacker sends a generic, interchangeable e-mail without any personal connection, the probability that a potential victim clicks on the link is quite low. A personal connection is therefore of paramount importance to the success of a phishing e-mail. This personal connection can be established through social networking and by spying on publicly available personal information.
Experts call this Open Source Intelligence, OSINT for short. This is how an attacker tries to build trust and get you to click on a supposedly harmless link. Because Emotet spreads via the victim's address book with the victim as sender, this step is skipped entirely.
OSINT, Outlook and a lack of scepticism make Emotet so successful.
So Emotet is successful for several reasons: by harvesting contacts in Outlook and automatically sending e-mails on the victim's behalf, the personal connection is replicated. What is particularly treacherous is that address book contacts are usually granted more trust, and it is rarely questioned whether an e-mail from such a contact is a fraud attempt. (An automated phishing campaign via Facebook was similarly successful.)
These e-mails can be detected and the consequences of an infection can be prevented, but only if far-reaching awareness campaigns have been carried out in the company. The technical component must provide support; however, filtering mail from known contacts is difficult to implement technically.
Regular updates of the systems in use are mandatory. This has long been standard in a few industries, such as finance. Regional small and medium-sized companies, however, delay updates for various reasons. And it is precisely these companies that matter most.
It is not without reason that they are called the backbone of society. It is therefore enormously important to reach these companies and set them up well when it comes to IT security. This requires expertise on the one hand, and communication skills and the ability to present complex facts simply on the other.
This is how you can protect yourself from Emotet and other attacks!
We have compiled a few compact tips that most companies and individuals can quickly implement to avoid future infection:
- Deactivate macros in Office documents to prevent the initial infection.
- Install only the programs needed for daily work on your computer; this keeps the attack surface smaller.
- Enable the display of file extensions by default to avoid confusion and always see the actual file type.
- Do not open executable e-mail attachments (.exe, .bat, .jar, .cmd).
- A serious communication partner will not send you executable files without prior agreement.
- Sensitize employees to social engineering, phishing e-mails and general IT security topics to increase awareness.
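The attachment-related tips above (hidden file extensions, executable attachments, macro-bearing Office documents) can be turned into a simple mail check. The following script is an added example and not part of the original post or of any product the authors offer: it parses a raw e-mail with Python's standard `email` module and flags attachments whose final extension is executable or macro-enabled, including double extensions such as `Invoice.pdf.exe` that look harmless when extensions are hidden. The sample message, its sender addresses and filenames are constructed for the example, and the macro-enabled extension list is an assumption that extends the post's own list of executable types.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePath

# Attachment types the post says never to open from mail, plus (assumption, not
# from the post) macro-enabled Office formats, which carry the Office macros the
# post recommends disabling.
EXECUTABLE_EXTS = {".exe", ".bat", ".jar", ".cmd"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}


def classify_filename(name: str) -> list[str]:
    """Return the reasons an attachment filename is risky; an empty list means none found."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if not suffixes:
        return reasons
    last = suffixes[-1]  # the extension Windows actually uses to open the file
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment type {last}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {last}")
    # "Invoice.pdf.exe" is shown as "Invoice.pdf" when file extensions are hidden
    if len(suffixes) > 1 and last in EXECUTABLE_EXTS | MACRO_EXTS:
        reasons.append(f"double extension hides real type ({''.join(suffixes)})")
    return reasons


def audit_message(raw: str) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each risky attachment filename to its reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> str:
    """Constructed sample (not a real capture): a reply that appears to come from a known contact."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"  # constructed address standing in for a stolen contact
    msg["To"] = "you@example.com"
    msg["Subject"] = "RE: Invoice from last week"
    msg.set_content("Hi, as discussed, the documents are attached.")
    msg.add_attachment(b"MZ... (constructed placeholder, not a real executable)",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_2019.pdf.exe")
    msg.add_attachment(b"PK... (constructed placeholder, not a real document)",
                       maintype="application", subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Details.docm")
    msg.add_attachment(b"%PDF-1.4 (constructed placeholder, harmless)",
                       maintype="application", subtype="pdf",
                       filename="Agenda.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for filename, reasons in audit_message(build_sample_message()).items():
        print(f"{filename}: {'; '.join(reasons)}")
```

Run against the constructed message, the script reports the `.pdf.exe` and `.docm` attachments and stays silent on the plain PDF. The same `audit_message` function can be pointed at `.eml` files exported from a mail client or quarantine; it only looks at the final extension, so it complements, rather than replaces, the macro and extension-display settings recommended above.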
We hope this blog post has helped you understand what Emotet is and why old wine can be very successful in new wineskins. If you have any questions, or would like to sensitize your staff through an impulse lecture, a live hacking session or a training course, please feel free to contact us at firstname.lastname@example.org!