Cybersecurity firm McAfee's own email hacking protection service was reportedly used to propagate a banking malware. The email protection service – McAfee ClickProtect – reportedly shared the Emotet banking malware, which was hosted on a third-party website.
Emotet is a data-stealing banking Trojan that has reportedly resurfaced recently with a vengeance. Security experts believe that the malware has been upgraded by hackers over the past few years, with new variants believed to be better at security evasion. Recently, the Emotet was used by hackers as a malware dropper to spread a newly discovered sophisticated banking malware called IcedID.
ZDNet reported that a security researcher, who uses the pseudonym Benkow, was the first to spot and tweet a malware analysis report that included the malicious link, which when clicked redirected users to the "cp.mcafee.com" domain and to the malware-laced Word document.
"Upon opening it and allowing macros, the user unknowingly triggers the download of the Emotet malware binary, also retrieved from a compromised site," Malwarebytes' lead malware intelligence analyst Jerome Segura told ZDNet.
Once the malware is installed, it contacts the C&C (command and control) server to begin gathering victims' sensitive data, such as email and browser passwords. McAfee has since reportedly blocked access to the Emotet malware. However, it remains uncertain as to whether its propagation, in this case, was the work of hackers.
"In the early hours of Nov. 13, the web destination in question had not yet been identified as a source of malware propagation," said a McAfee spokesperson, ZDNet reported. "Later that day, however, McAfee's Global Threat Intelligence service had indeed identified the web property as a threat, changed the site's reputation ranking from 'low risk' to 'high risk,' and thereafter blocked McAfee customers from being able to reach the site."
The incident serves as a warning to users, even those with anti-hacking protection services to beware of current cyberthreats and incorporate common security habits.
"Users should beware of shortened or converted links and perhaps even more so when there might be assumptions that they are safe," Segura warned. "The same goes for signatures appended at the bottom of an email, saying 'this email is guaranteed virus-free' or similar. Not only does it give users a false sense of security, but criminals often also add such messages for social engineering purposes."