Cyber crook 'reply guys' turn you into sitting duck for bank theft

A fake reply from cyber crooks trying to trick people into downloading malware. Image: Sophos

BY KERRY TOMLINSON, AMPERE NEWS

You send an email, you get a message back. But who really sent you the reply? Watch out for fake responses from cyber crooks who want to steal your money and sell you on the underground market.

In Cyber Tricks Revealed, we show you how this sneaky tactic works, along with some new tricks the attackers are using to give themselves a fresh look.


Reply Guys

One of the most notorious 'reply guys' in 2023 is malware known as Qakbot, among other names. Attackers are jumping into email conversations to trick you into downloading Qakbot onto your computer, where it can cause havoc, according to security company Sophos.

It can start with a real email like this one, an out-of-office message to co-workers and customers:

Good day.

I will be out of the office for today.

Please contact ___ for assistance.

Have a great day.

A reply comes in. But it's a fake:

Good morning, please look into this as a matter of urgency.

My thanks and appreciation.

It includes an attachment named "Application reject. Jan 31."

Since the message comes from someone you know -- someone you're already talking with -- you might just open the attachment.

What’s inside?

If you do open the attachment, you would see a document in Microsoft's OneNote, a note-taking app, that reads:

This document contains attachments from the cloud, to receive them, double click open.

But clicking brings in malware known as Qakbot that can gobble up your passwords and your credit card numbers. Qakbot is also called Qbot and Pinkslipbot.

Qakbot has shown other talents, too, like watching for when you sign onto your bank site and stealing your bank passwords. Then it can do banking transactions from your computer, not the crook's computer, so it looks like it's really you.

Sometimes it will steal all of your email to use it for spreading more attacks, then delete all the messages from your account. It can keep a secret entryway into your machine and sell access to other criminals for things like destructive ransomware attacks that hold you and your entire system hostage.

Second time around

Qakbot has used these email reply attacks before, sometimes called thread hijacking.

For example, attackers moved in on a real email about taxes in 2020 with this fake reply, according to security company Check Point:

Hello, sorry for my late reply to your question. Attached is the document you need.

Clicking on the document, however, downloaded Qakbot onto your computer.

Now in 2023, researchers say Qakbot attackers are mixing things up by using the OneNote document. OneNote hasn't been abused much before, they said, and could seem safe. It's a fresh new look for attackers that might just work.

Alert

The Qakbot OneNote document comes with a warning, researchers said:

Opening attachments could harm your computer and data.

Don't open it unless you trust the person who created the file.

But since you received the email as a reply, you may indeed trust and open the file, putting yourself face-to-face --- or face-to-beak --- with Qakbot.

What to do?

Be careful of all email, even if the message seems to come from someone you know and are talking with.

Look at what language they are using and why they want you to open a document or attachment. Does it sound like an appropriate answer to the message? Could it be a fake?

If you get a warning about opening a document, pay attention. You can contact your IT department if you have one and/or verify by phone with the person who appears to have sent you the email.

Attackers will try to get you to act urgently without thinking about their requests. If you slow down, you may be able to detect many poisonous emails before they can strike.

In addition, use long passwords for your email accounts to help keep attackers out, and use multi-factor authentication --- an extra log-in step --- on all your accounts to help prevent break-ins.
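The warning signs described above can also be checked automatically by whoever runs your mail system. The following is an added example, not code from Sophos, Check Point or Ampere News: it flags a message that arrives as a reply, carries a OneNote attachment and uses urgent language. The sample message, its addresses and the `.one` extension on the attachment name are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample modelled on the fake reply quoted in the article.
# Addresses, subject and Message-ID are invented; the ".one" extension
# on the attachment name is an assumption (the article gives no extension).
SAMPLE = """\
From: colleague@example.com
To: you@example.com
Subject: Re: Out of office
In-Reply-To: <constructed-1@example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Good morning, please look into this as a matter of urgency.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Application reject. Jan 31.one"

constructed placeholder bytes
--b1--
"""

# Words that push the reader to act before thinking.
URGENCY = re.compile(r"\b(urgen\w*|immediately|asap|right away)\b", re.I)

def triage(raw):
    """Return the thread-hijack warning signs found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    # A reply into an existing thread carries one of these headers.
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    onenote = [n for n in names if n.lower().endswith((".one", ".onepkg"))]
    if is_reply and names:
        reasons.append("reply-with-attachment")
    if onenote:
        reasons.append("onenote-attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and URGENCY.search(body.get_content()):
        reasons.append("urgent-language")
    return reasons
```

A message that trips all three signs is a good candidate for quarantine or a phone call to the apparent sender before anyone opens the attachment.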

