You have heard it over and over and likely, your reaction is “Yes, I know. Don’t enable macros in Microsoft documents or spreadsheets.” Well, don’t plug your ears or turn away, but you’re about to hear it again…only for a new reason. Some who have less than great intentions have figured out a way to get those macros enabled using a seemingly harmless Microsoft Word document (.doc). So now, even if you have them disabled by default, someone has found a way to get those enabled for you; like it or not.
Researchers from McAfee discovered a way that those on the “dark side” can send a Word document in email and although it is not malicious, it has the ability to disable the macro security settings on your behalf. They found that this document "downloads and executes malicious DLLs (ZLoader) without any malicious code present in the initial spammed attachment macro." It disables the macro warning message, so you don’t know what is happening when the subsequent malware is hitting you.
Wow! Very clever, right? Yes, it is, but that doesn’t mean that you are off the hook about being diligent and on the lookout for this so-called “harmless” document. In fact, it’s sent the old reliable way; via a phishing email message that lands in your inbox. The document itself breezes by any antivirus and may even pass through spam filtering that may be in place, which means it’s up to you to spot it. When or if you do, don’t open it, because that will actually download an Excel file that does contain a macro loaded with malware, which happens to be a descendant of the ZeuS banking trojan. And how does it pass by your eagle eyes? It tricks you into enabling macros on the Word document you initially received. However, if you don’t enable the macros, the Excel file does not download and you avoid the malware.
So, there you have it. Another great reason not to enable macros on documents, or any file you might receive in an email message unless you created it or know who did. It’s just not worth it.
And keep these other phishing spotting tips in mind:
- If you don’t know the sender, don’t click it.
- If you are not expecting it, don’t click it.
- If you are not 100% sure any attachment or link is safe to click, don’t click it.
- Verify anything you might consider clicking with the sender using an independent means, such as a new and separate email message, a phone call, a text message, or a personal visit.
- Spelling and grammar count. If the message is a mess or unprofessional, it should be deemed suspicious.