Trick to take over accounts by sending ‘quotation’ files


At the end of August, Mr. Nhan, the owner of a store in Hanoi, received a text message asking about the service from a strange customer. This person had never purchased anything before. After a few greetings, he offered to cooperate and sent him a file containing the items that needed a quote. “It’s just a list, but I don’t understand why customers don’t send it directly but have to compress it with a rar file,” Mr. Nhan said.

Finding it unusual but thinking that was their way of working, he unzipped it and received a file with an Excel icon. However, when he looked closely, it was a file with the .exe extension, the file type used to run the program, so he did not open it. Knowing he couldn’t fool Nhan, the other person blocked his account.

A “quote” message in rar file format. Photo: Luu Quy

Ngoc Tram, who runs an online business in Hanoi, was almost scammed in a similar way. In early September, a person claiming to work for a company in the same industry threatened to sue Tram’s store for image copyright infringement. Claiming to have many evidence files, they sent her a compressed file. “I was suspicious and asked them to send it directly, but they refused and told me to download the file to see for myself. When I contacted the other company directly, I found out that there was no such thing,” Tram said.

According to Mr. Vu Ngoc Son, Technology Director of NCS Cyber Security Company, in the past few weeks, many users in Vietnam have received phishing messages in compressed file format. Most target online businesses, sales fan pages or accounts with large followers.

The common method is that scammers approach victims via Messenger or Zalo. Using the excuse of needing to send a quote or having evidence for a complaint, they send rar or zip files, which cannot be previewed in the chat and must be downloaded to a computer. When unzipped, the recipient sees a file that looks like an Excel file but is actually an .exe or .bat executable whose icon has been swapped for the Excel logo. In some cases, the attackers also pad the file to an artificially large size so that it exceeds the size limits of virus scanners and is skipped.
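As an added example (not from the article or from any of the companies it quotes), the script below applies the checks a defender would run on an attachment like the one described: it reads the first bytes of a file to tell a real spreadsheet (ZIP container for .xlsx, OLE header for .xls) from a Windows executable (“MZ” header), flags a double extension such as `.xlsx.exe` (Windows hides known extensions by default, so such a name displays as `.xlsx`), and measures how much of the file is a single repeated filler byte, which catches the padding trick. The sample archive and its contents are constructed in memory; the thresholds and the tag names are assumptions chosen for this example.

```python
"""Heuristic checks for the "fake Excel attachment" lure (added example)."""
import io
import zipfile
from pathlib import PurePath

# Magic bytes for the formats we distinguish (not an exhaustive list).
PE_MAGIC = b"MZ"                                   # Windows .exe/.dll/.scr
ZIP_MAGIC = b"PK\x03\x04"                          # .xlsx/.docx are ZIP containers
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc

# Extensions Windows will execute directly, and document extensions used as bait.
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".js", ".vbs", ".msi"}
DOCUMENT_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".csv"}


def content_type(data: bytes) -> str:
    """Classify a file by its leading bytes rather than by its name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def padding_ratio(data: bytes, chunk: int = 4096) -> float:
    """Fraction of the file made of chunks that contain one repeated byte value.
    Padded droppers append megabytes of 0x00 or the same junk byte; ordinary
    spreadsheets and programs score close to zero."""
    if not data:
        return 0.0
    filler = 0
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        if len(set(piece)) == 1:
            filler += len(piece)
    return filler / len(data)


def assess_file(name: str, data: bytes,
                pad_threshold: float = 0.5, pad_min_size: int = 1_000_000) -> set:
    """Return a set of finding tags for one file; an empty set means nothing odd."""
    tags = set()
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in EXECUTABLE_EXTS:
        tags.add("executable_extension")
        # "Bao gia.xlsx.exe" displays as "Bao gia.xlsx" when extensions are hidden.
        if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
            tags.add("double_extension")
    elif content_type(data) == "pe":
        # Executable bytes behind a name that does not admit to being one.
        tags.add("pe_content_without_exe_extension")
    if len(data) >= pad_min_size and padding_ratio(data) >= pad_threshold:
        tags.add("padded")
    return tags


def assess_zip(archive_bytes: bytes) -> dict:
    """Run assess_file over every member of a zip archive held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = assess_file(info.filename, zf.read(info))
    return results


def build_samples() -> bytes:
    """Constructed test archive: one disguised, padded 'executable' and one
    harmless spreadsheet-like file. Neither is real malware or a real workbook."""
    fake_excel_exe = PE_MAGIC + b"\x90" * 200 + b"\x00" * 1_500_000
    harmless_xlsx = ZIP_MAGIC + bytes(range(256)) * 10
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Bang bao gia.xlsx.exe", fake_excel_exe)
        zf.writestr("Danh sach.xlsx", harmless_xlsx)
    return buf.getvalue()


if __name__ == "__main__":
    for member, tags in assess_zip(build_samples()).items():
        print(f"{member}: {sorted(tags) or 'clean'}")
```

The checks are deliberately simple: a `.bat` file is plain text, so only the extension test catches it, and an archive in rar format would need a rar reader in place of `zipfile`. The point is that none of these signals rely on the icon the attacker chose, which is the only thing the victim in the story could see.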

An .exe file disguised with the Excel logo. Photo: CookieArena

According to Mr. Son, simply opening the file infects the user’s device with malicious code. This code can steal browser cookies and send them to the attackers, who then replay the stolen session to access the victim’s online accounts, such as email, social networks and accounts running Facebook ads, without needing the password.

The tactic of stealing accounts with malicious code is not new, but it is a trend because malicious code can spread exponentially. “After capturing an account, crooks will use that account to approach other victims,” Mr. Son said. Reputable accounts, once stolen, will help hackers easily lure the next victims.

Last week, security firm Guardio Labs also published an analysis of this type of malware and found that it was linked to hackers from Vietnam. In the source code of the collected samples, the researchers found Vietnamese-language strings as well as references to a browser popular in the country.

Activating the malicious code requires user interaction at every step: downloading the file, decompressing it and opening it. Even so, according to Guardio Labs, the campaign has a fairly high success rate; it is estimated that for every 250 people approached, one is infected.

“Users need to be careful and should not open .zip and .rar files even when they are sent from someone on your friends list. You need to confirm with the sender through another channel, such as a phone call, to make sure the file really was sent by your friend before opening it,” Mr. Son recommended.

Luu Quy
