Dissemination of malware via e-mail attachments and links

The Heidelberg University Computing Centre would like to make you aware that, within the past few days, there is a higher incidence of e-mails containing malware.

One malware we know about works on all systems which are run with a Microsoft Windows operating system and on which Microsoft Office – (in this case) particularly Microsoft Outlook – is installed. After being executed, this malware uses the following methods:

  • Downloading further malicious codes
  • Checking the affected e-mail account, trying to detect e-mail threads, at this, most essential: “Who communicates with whom about what (reference line)?”
  • Based on the last message received by each contact address, an e-mail response is created, e.g. by writing “Please check the details in the documentation”, “Please check the new section in the annual report” etc..
  • The e-mail response is signed by the correct name and e-mail address of the affected person, attaching a macro-based Word or Excel file, which, once being opened, downloads even more malware to your computer.
  • The e-mail response is sent via different, varying external e-mail services (probably hijacked mail servers). This is why we recommend a privacy policy message.

There is another active malicious software called Gandcrab. We already reported about it some time ago (see: https://www.urz.uni-heidelberg.de/de/2018-09-06-gandcrab).

In this context, we would once again like to hint at some general measures how to deal with suspicious e-mails

Should you receive e-mails with unusual or strange reference lines or texts, NEVER click on the stated web link, and do NOT open attached files. This also applies if you know the sender because visible e-mail senders in a header can easily be tampered with. In case of doubts about a message from a known sender, you might first make a phone call to such a sender and ask whether the e-mail received was really sent by the person in question. Otherwise, immediately and irretrievably delete such e-mails using the keyboard shortcut “Shift+Del”, i.e. without a detour via the trash/recycle bin of your computer.

We recommend the following measures:

  • Do not open attachments or links in e-mails causing even the slightest doubt about their trustworthiness. Messages marked as spam are, as a general rule, never trustworthy. In particular, beware of e-mails containing suspicious attachments, e.g. invoices, which you cannot trace.
  • Do not start executable files if you doubt their trustworthiness.
  • Install certificates for your e-mail accounts (https://www.urz.uni-heidelberg.de/de/smime-zertifikat-beantragen) to allow your contacts to do an authenticity check of messages they receive from you as a sender.
  • Take care that an up-to-date virus scanner operates on your computer.
  • If you receive (allegedly) internal e-mails, first check whether the sender really uses an e-mail address “@uni-heidelberg.de” or “@uni-hd.de”.
  • It is essential that you generally deactivate the macro function in all MS Office applications.