Whilst sitting and working in the South African office I receive an
email from my Swedish ISP. I quickly look at it and there is something
that doesn’t add up. The email states that I need to pay my invoice, but
I never receive electronic invoices from this company.
There has been a huge increase in this kind of phishing email lately,
but it is the first time I have received one myself. What makes this
campaign so interesting is that they have not just addressed the email
to me, but also included my child’s name. This is something I have never
seen before. How they got hold of my child’s name is unclear; one
speculation is that they compromised a Swedish governmental agency, but
this has to be left unconfirmed.
Clicking the link redirects you to a website. This website checks your
country of residence to make sure that you are actually a Swedish
victim. In addition, it fingerprints your browser by analysing the
User-Agent string.
They check the operating system because the next step in the campaign
is to trick you into downloading a Windows executable. We are currently
investigating what the malware does, but from our previous research it
seems to be some kind of Cryptolocker.
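One way an analyst can confirm this browser and country gating is to request the landing page under several personas and compare what each one gets back. The following is an added example, not code from the original post; the personas, the URL and the `fake_site` stand-in are constructed, and the real `http_fetch` can only set the User-Agent, so a check made on the client IP needs the request routed through an egress in that country.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Analyst personas (constructed): label -> (User-Agent, country of the egress IP).
PERSONAS: Dict[str, Tuple[str, str]] = {
    "win-se": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0", "SE"),
    "win-za": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0", "ZA"),
    "mac-se": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:115.0) Gecko/20100101 Firefox/115.0", "SE"),
}

def http_fetch(url: str, user_agent: str, country: str) -> Tuple[str, bytes]:
    """Real fetch. Only the User-Agent is set here; a country check made on the
    client IP requires running this from an egress (sandbox VPN) located in `country`."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()

def probe_site(url: str, fetch: Callable = http_fetch) -> Dict[str, dict]:
    """Fetch the landing page once per persona and record what each one received."""
    results = {}
    for label, (ua, country) in PERSONAS.items():
        ctype, body = fetch(url, ua, country)
        results[label] = {
            "content_type": ctype,
            "sha256": hashlib.sha256(body).hexdigest(),
            # A PE file starts with the 'MZ' DOS header; also trust the MIME type.
            "executable": body[:2] == b"MZ" or "application/x-msdownload" in ctype,
        }
    return results

def is_cloaked(results: Dict[str, dict]) -> bool:
    """True when personas received different content: the site gates on browser/country."""
    return len({r["sha256"] for r in results.values()}) > 1

def payload_personas(results: Dict[str, dict]) -> list:
    """Labels of the personas that were handed a Windows executable."""
    return sorted(label for label, r in results.items() if r["executable"])

# Constructed stand-in for the phishing site so the example runs offline:
# it serves an executable only to a Windows browser arriving from Sweden.
def fake_site(url: str, user_agent: str, country: str) -> Tuple[str, bytes]:
    if "Windows" in user_agent and country == "SE":
        return "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 61
    return "text/html; charset=utf-8", b"<html><body>Not Found</body></html>"

if __name__ == "__main__":
    r = probe_site("http://phishing.example/invoice", fetch=fake_site)
    print("cloaked:", is_cloaked(r), "payload served to:", payload_personas(r))
```

Swap `fake_site` for `http_fetch` (run from the right egress) to probe a real landing page in a sandbox.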