Malicious Email Exploits Greta Thunberg, Christmas, and Children

A malicious email campaign that exploits the notoriety of youthful Swedish climate crisis activist Greta Thunberg has been discovered by multiple research teams.

Threat actors constructed an email that appears to invite the recipient to participate in a demonstration being held to protest the lack of government action being taken to protect the natural environment. 

The email purports to be from environmental activist Greta Thunberg. In a bid to appear more authentic, the sign-off references a genuine accolade recently awarded to Thunberg—being named Time Person of the Year 2019. 

The email states that the time and location of the non-existent demonstration are included in a Microsoft Word document "Support Greta Thunberg.doc," which is attached to the email. When the victim opens the document, the Emotet malware is installed on their computer. 

Emotet is a banking Trojan that has been around since 2014 and has recently made a significant comeback. In the 2019 Q3 Threat Report by Proofpoint, researchers found that Emotet accounted for nearly 12% of all malicious emails in that quarter.

As if exploiting the positive actions of a teenager and public concern over the future of the planet wasn't enough, the emotionally manipulative scammers stooped even lower by throwing Christmas and children into the mix.  

The content of the malicious email reads: "Merry Christmas. You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day. But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis."

Proofpoint researchers who detected this festive incarnation of Emotet wrote: "This campaign serves as a reminder that attackers won’t hesitate to target people’s best intentions during this holiday season."

Sickeningly, the threat actors appeared to be specifically targeting .edu domains used by students. 

"We saw more .edu domains attacked than domains associated with any specific country," wrote Proofpoint researchers. 

Versions of the same malicious email have been doing the rounds in a variety of languages, including Spanish, Italian, French, and Polish. 

The one positive takeaway is that the threat actors’ topic of choice signals growing global awareness of Thunberg and the issues for which she advocates. 

Proofpoint researchers noted that the campaign "serves as a mark of how significant environmental awareness has become and how well-known Greta Thunberg is globally."

What’s Hot on Infosecurity Magazine?