A UK health watchdog, the National Institute for Health and Care Excellence (NICE), is warning that thousands of people have been sent hoax emails suggesting they have cancer, with a subject line along the lines of, “important blood analysis result.”
The mails claim that the Institute received a sample of the recipient's blood, (though it doesn't say how, when or why), and it goes on to warn that after a “complete blood count test” the results showed very low white blood cell counts and a suspicion of a cancer.
"A spam email purporting to come from NICE is being sent to members of the public regarding cancer test results,” NICE explained. “This email is likely to cause distress to recipients since it advises that 'test results' indicate they may have cancer. This malicious email is not from NICE and we are currently investigating its origin. We take this matter very seriously and have reported it to the police."
The email further instructs the recipients to print out the attached results and take them to their family doctor, but of course the results are actually a malicious zip file. Inside the archive is a file with a double extension made to look like a PDF file, but in actuality it’s an executable with a PDF icon, according to an analysis emailed to Infosecurity from AppRiver.
To avoid detection, the campaign randomizes the name of the signing doctor and uses a variety of subject lines. “If the attachment is unzipped and executed the user may see a quick error window pop up and then disappear on their screen,” said Fred Touchette, senior security analyst for AppRiver. “What they won’t see is the downloader then taking control of their PC. It immediately begins checking to see if it is being analyzed by making long sleep calls, and checking to see if it is running virtually or in a debugger. It also makes several duplicate instances of itself just in case someone was attempting to shut down the original process.”
Next, it begins to steal browser cookies and MS Outlook passwords from the system registry. The malware in turn posts this data to a server and punches a hole in the firewall to listen for further commands.
Touchette pointed out that this is common behavior for the Zeus family of malware.
The BBC reported there have been a high number of calls to NICE from those receiving the mail, and the campaign is believed to be widespread. AppRiver noted that the gambit only targeted people whose email address ends with the .co.uk top-level domain.
“Keep yourself informed and watch out for some of the common flaws that these malware campaigns employ - such as addressing people by their email addresses as opposed to their actual names,” said Touchettte. “Often, generalities are used in the greeting with no names at all. This is a big red flag, especially when the content is trying to appear so personal. If there are any questions as to the legitimacy of any email, contact the supposed sender directly to authenticate.”